Backdoor.Win32.PcClient_bd589e4994
Virus.Win32.Cabres.a (Kaspersky), MemScan:Trojan.Generic.7421167 (B) (Emsisoft), MemScan:Trojan.Generic.7421167 (AdAware), Backdoor.Win32.PcClient.FD, Trojan.Win32.IEDummy.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, Virus, WormAutorun
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: bd589e4994c9de573fcc44529bc9929e
SHA1: e5dfbed6a99e691438da2d9ed7236657f47b5904
SHA256: a27dad20a29b127b8fa3fb87516b6f2649aed202e8ed4f09fa1cc6468d28376e
SSDeep: 24576:uOZTeV6ao 6X9wYLkxI69xxNsKJ3duGbUFTfb3uEQvtcsWPvQ5G:RZiEaN6tw7xI69xxNsKpkGbUFbbkVcsK
Size: 1158656 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2004-08-04 09:01:37
Analyzed on: WindowsXP SP3 32-bit
Summary:
Backdoor. Malware that enables remote control of a victim's machine.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:1624
taskkill.exe:1092
statcvs.exe:1744
statcvs.exe:236
statcvs.exe:1200
statcvs.exe:532
NvTaskbarInh.exe:1644
NvTaskbarInh.exe:868
l1rezerv.exe:1688
wuauclt.exe:540
7252550.exe:652
rundll32.exe:1804
foxit.exe:204
The Backdoor injects its code into the following process(es):
IEXPLORE.EXE:1964
rundll32.exe:1976
Explorer.EXE:1912
File activity
The process %original file name%.exe:1624 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\NvTaskbarInh.exe (17261 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\7252550.exe (4984 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\NvTaskbarInh.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\7252550.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP (0 bytes)
The process statcvs.exe:236 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\statcvs.exe (2321 bytes)
The process NvTaskbarInh.exe:868 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%System%\statcvs.exe (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\NvTaskbarInh.exe (7385 bytes)
%System%\foxit.exe (2392 bytes)
The Backdoor deletes the following file(s):
%System%\NvTaskbarInh.exe (0 bytes)
The process wuauclt.exe:540 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Backdoor deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process 7252550.exe:652 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\l1rezerv.exe (1281 bytes)
The process foxit.exe:204 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\morgr32.dll (79 bytes)
Registry activity
The process %original file name%.exe:1624 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 08 B1 28 2A 13 A4 6E 15 B1 C8 E4 29 FB 92 2E"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
The Backdoor deletes the following value(s) in system registry:
The Backdoor disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"
The process taskkill.exe:1092 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 63 CD 12 96 D5 74 B4 FC 70 BD EE 41 D9 1C 90"
The process statcvs.exe:1744 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 20 CA EF 07 11 1C 67 27 FC 50 FF 2D FE BD 80"
The process statcvs.exe:236 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD BF B5 6E A1 60 61 CB 63 A5 AA D3 81 2A A2 13"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"statcvs.exe" = "statcvs"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes (names with no dots) that are not assigned to any other zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process statcvs.exe:1200 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 5A 94 E7 02 D0 8A 97 EC CE 0B 90 FE 0B 26 6E"
The process statcvs.exe:532 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 7A 66 E8 5F DE 38 F6 0D 0D A3 20 30 70 E7 D9"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{N5DKJK5H-5XG7-8421-4V52-B1QQ0LF833CU}]
"StubPath" = "%WinDir%\statcvs.exe"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion]
"(Default)" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"IDT PC Audio" = "%WinDir%\statcvs.exe"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"IDT PC Audio" = "%WinDir%\statcvs.exe"
The process IEXPLORE.EXE:1964 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 A2 A2 1A 34 07 1E FE B9 74 3B 8F 3B 8D E3 64"
The process NvTaskbarInh.exe:1644 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 9B CC 91 2E 14 1E 22 84 7C 44 85 DD B8 82 88"
The process NvTaskbarInh.exe:868 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer]
"nvidia05" = "04"
"nvidia06" = "26"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 9B EE 42 B2 D2 A7 47 4A DD 99 36 1C 6C D9 AB"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Nvidia Control Center3" = "%System%\NvTaskbarInh.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\System32]
"NvTaskbarInh.exe" = "%System%\NvTaskbarInh.exe:*:Enabled:Explorer"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"ProxyServer"
"AutoConfigURL"
The Backdoor disables automatic startup of the following applications (security products) by deleting their autorun values:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"
"AVG8_TRAY"
"MskAgentexe"
"BDAgent"
"RavTask"
"avast!"
"sbamui"
"Windows Defender"
"K7TSStart"
"ISTray"
"CAVRID"
"SBAMTray"
"Spam Blocker for Outlook Express"
"SCANINICIO"
"AVP"
"F-PROT Antivirus Tray application"
"cctray"
"K7SystemTray"
"SpIDerMail"
"APVXDWIN"
"DrWebScheduler"
"egui"
"SpamBlocker"
"McENUI"
The process l1rezerv.exe:1688 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 47 F8 63 30 52 1A B7 7A 21 93 61 E4 DB D5 36"
The process 7252550.exe:652 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 8B 2D 16 B1 FD D1 4D E1 39 A3 1F 05 E0 AE AA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"l1rezerv.exe" = "l1rezerv"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"taskkill.exe" = "Kill Process"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes (names with no dots) that are not assigned to any other zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"l1rezerv.exe" = "%WinDir%\l1rezerv.exe"
The process rundll32.exe:1976 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 4F E3 06 9D A4 4E 40 14 F1 CA E5 C8 03 F2 80"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Eqegaqojoqoka" = "168"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\morgr32.dll,Startup"
The process rundll32.exe:1804 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 69 65 2F 40 52 20 17 A5 F3 19 C6 01 7E 35 A0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"
The process foxit.exe:204 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 AD 00 37 3A 5F 77 2E 48 01 7B 4D 9D 44 88 80"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"
"Ydapup" = "43 01 46 03 32 05 45 07 38 09 4F 0B 4D 0D 39 0F"
Dropped PE files
| MD5 | File path |
|---|---|
| 5988f5eea2e0f6275a0f4232b4386bf9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\NvTaskbarInh.exe |
| 08fc8ce6c01ca575a62ac3b7faf1e750 | c:\WINDOWS\l1rezerv.exe |
| 3cd79b8e7d198f5fcff729911a0c0b42 | c:\WINDOWS\morgr32.dll |
| 5988f5eea2e0f6275a0f4232b4386bf9 | c:\WINDOWS\system32\NvTaskbarInh.exe |
| ff68d7e9435a7195144c09dc1d6c3fc0 | c:\WINDOWS\system32\foxit.exe |
| eaf07a44a7dcab1d1614e82518d93b67 | c:\WINDOWS\system32\statcvs.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.00.2900.2180
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 39212 | 39424 | 4.55052 | 17a6fbe18a834b6f3462304415675d36 |
| .data | 45056 | 7140 | 1024 | 2.94449 | 99858e86526942a66950c7139f78a725 |
| .rsrc | 53248 | 1118208 | 1117184 | 5.53603 | 64fbdfd9e0074f2a5d4700adf97b1435 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://www.whatismyip.com/automation/n09230945.asp | |
| hxxp://whatismyip.com/automation/n09230945.asp | |
| ya.ru | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection
ET POLICY Internal Host Retrieving External IP via whatismyip.com Automation Page - Possible Infection
Traffic
GET /automation/n09230945.asp HTTP/1.1
Host: whatismyip.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Ubuntu/9.10 (karmic) Firefox/3.5.8
HTTP/1.1 404 Not Found
Server: cloudflare-nginx
Date: Fri, 25 Apr 2014 22:51:48 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d96283314d40791fbdc43b66473c9ed531398466308234; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.whatismyip.com; HttpOnly
Vary: Accept-Encoding
CF-RAY: 120e1b7a770201b0-FRA300..<html>.<head><title>404 Not Found</title><script type="text/javascript">.//<![CDATA[.try{if (!window.CloudFlare) {var CloudFlare=[{verbose:0,p:0,byc:0,owlid:"cf",bag2:1,mirage2:{profile:false},oracle:0,paths:{cloudflare:"/cdn-cgi/nexp/dok9v=02fcfa4f56/"},atok:"f54ba8708597c5e39b456fa57c5bf45b",petok:"bda2de89be0d80a06648cad4dedd1441fdb18d66-1398466308-1800",zone:"whatismyip.com",rocket:"0",apps:0}];!function(a,b){a=document.createElement("script"),b=document.getElementsByTagName("script")[0],a.async=!0,a.src="//ajax.cloudflare.com/cdn-cgi/nexp/dok9v=b064e16429/cloudflare.min.js",b.parentNode.insertBefore(a,b)}()}}catch(e){};.//]]>.</script>.</head>.<body bgcolor="white">.<center><h1>404 Not Found</h1></center>.<hr><center>nginx/1.4.7</center>.</body>.</html>..1.....0..HTTP/1.1 404 Not Found..Server: cloudflare-nginx..Date: Fri, 25 Apr 2014 22:51:48 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Set-Cookie: __cfduid=d96283314d40791fbdc43b66473c9ed531398466308234; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.whatismyip.com; HttpOnly..Vary: Accept-Encoding..CF-RAY: 120e1b7a770201b0-FRA..300..<html>.<head><title>404 Not Found</title><script type="text/javascript">.//<![CDATA[.try{if (!window.CloudFlare) {var CloudFlare=[{verbose:0,p:0,byc:0,owlid:"cf",bag2:1,mirage2:{profile:false},oracle:0,paths:{cloudflare:"/cdn-cgi/nexp/dok9<<< skipped >>>
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.
3Another instance of the file %s is already running.
/An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
rundll32.exe_1976_rwx_00A80000_00010000:
hcc.dholea
rundll32.exe_1976_rwx_10000000_00001000:
.text
`.data
.reloc
IEXPLORE.EXE_1964:
%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.Fg
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG;33;33;0
8888880
8887080
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512
IEXPLORE.EXE_1964_rwx_00150000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_00290000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_002D0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_00310000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_00350000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_00390000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_00C50000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_00C90000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_00CD0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_00D10000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_00D50000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_00D90000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_00DD0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_00E10000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_00E50000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_00E90000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_00ED0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_00F10000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_00F50000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_00F90000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_00FD0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_01010000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_01050000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_01090000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_010D0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_01110000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_01150000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_01190000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_011D0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_01210000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_01250000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_01290000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_012D0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_01310000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_01350000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_01390000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_013C0000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_014F0000_00001000:
GetKeyboardType
IEXPLORE.EXE_1964_rwx_01500000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_01540000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_01580000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_015B0000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_016F0000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_01720000_00001000:
RegOpenKeyExA
IEXPLORE.EXE_1964_rwx_01730000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_01760000_00001000:
RegCloseKey
IEXPLORE.EXE_1964_rwx_01770000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_017A0000_00001000:
oleaut32.dll
IEXPLORE.EXE_1964_rwx_018E0000_00001000:
oleaut32.dll
IEXPLORE.EXE_1964_rwx_01920000_00001000:
oleaut32.dll
IEXPLORE.EXE_1964_rwx_01960000_00001000:
oleaut32.dll
IEXPLORE.EXE_1964_rwx_01990000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_01AD0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_01B10000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_01B50000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_01B90000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_01BD0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_01C10000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_01C40000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_01D80000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_01DC0000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_01DF0000_00001000:
RegQueryInfoKeyA
IEXPLORE.EXE_1964_rwx_01E00000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_01E30000_00001000:
RegOpenKeyExA
IEXPLORE.EXE_1964_rwx_01E40000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_01E70000_00001000:
RegFlushKey
IEXPLORE.EXE_1964_rwx_01E80000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_01EC0000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_01EF0000_00001000:
RegEnumKeyExA
IEXPLORE.EXE_1964_rwx_01F00000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_01F40000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_01F70000_00001000:
RegDeleteKeyA
IEXPLORE.EXE_1964_rwx_01F80000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_01FB0000_00001000:
RegCreateKeyExA
IEXPLORE.EXE_1964_rwx_01FC0000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_01FF0000_00001000:
RegCreateKeyA
IEXPLORE.EXE_1964_rwx_02000000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_02030000_00001000:
RegCloseKey
IEXPLORE.EXE_1964_rwx_02040000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_02080000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_020C0000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_02100000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_02140000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_02180000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_021C0000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_02200000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_02240000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_02280000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_022C0000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_02300000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_02330000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02470000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_024B0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_024E0000_00001000:
WinExec
IEXPLORE.EXE_1964_rwx_024F0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02530000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02570000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_025B0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_025F0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02630000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02670000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_026B0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_026F0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02730000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02770000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_027B0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_027F0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02830000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02870000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_028B0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_028F0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02930000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02970000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_029B0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_029E0000_00001000:
PeekNamedPipe
IEXPLORE.EXE_1964_rwx_029F0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02A30000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02A70000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02AB0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02AF0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02B30000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02B70000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02BB0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02BF0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02C30000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02C70000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02CB0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02CF0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02D30000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02D70000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02DA0000_00001000:
GetWindowsDirectoryA
IEXPLORE.EXE_1964_rwx_02DB0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02DF0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02E30000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02E70000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02EB0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02EF0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02F30000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02F70000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02FB0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_02FE0000_00001000:
GetProcessHeap
IEXPLORE.EXE_1964_rwx_02FF0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_03030000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_03070000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_030B0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_030F0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_03130000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_03170000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_031B0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_031F0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_03230000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_03270000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_032B0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_032F0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_03330000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_03370000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_033B0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_033F0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_03430000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_03470000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_034B0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_034F0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_03530000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_03570000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_035B0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_035F0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_03630000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_03670000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_036B0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_036F0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_03730000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_03770000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_037B0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_037F0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_03830000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_03870000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_038B0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_038E0000_00001000:
CreatePipe
IEXPLORE.EXE_1964_rwx_038F0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_03930000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_03970000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_039B0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_039F0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_03A30000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_03A60000_00001000:
version.dll
IEXPLORE.EXE_1964_rwx_03BA0000_00001000:
version.dll
IEXPLORE.EXE_1964_rwx_03BE0000_00001000:
version.dll
IEXPLORE.EXE_1964_rwx_03C20000_00001000:
version.dll
IEXPLORE.EXE_1964_rwx_03C50000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_03D90000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_03DD0000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_03E10000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_03E50000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_03E90000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_03ED0000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_03F10000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_03F50000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_03F90000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_03FD0000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_04010000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_04050000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_04090000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_040D0000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_04110000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_04150000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_04190000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_041D0000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_04210000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_04250000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_04290000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_042D0000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_04310000_00001000:
gdi32.dll
IEXPLORE.EXE_1964_rwx_04340000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04480000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_044C0000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04500000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04530000_00001000:
keybd_event
IEXPLORE.EXE_1964_rwx_04540000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04570000_00001000:
VkKeyScanA
IEXPLORE.EXE_1964_rwx_04580000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_045C0000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04600000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04640000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04680000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_046C0000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04700000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04740000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04780000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_047B0000_00001000:
SetKeyboardState
IEXPLORE.EXE_1964_rwx_047C0000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04800000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04840000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04880000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_048C0000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04900000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04940000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04980000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_049C0000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04A00000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04A40000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04A80000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04AB0000_00001000:
MsgWaitForMultipleObjects
IEXPLORE.EXE_1964_rwx_04AC0000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04B00000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04B30000_00001000:
MapVirtualKeyA
IEXPLORE.EXE_1964_rwx_04B40000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04B80000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04BC0000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04C00000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04C40000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04C80000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04CC0000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04D00000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04D40000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04D80000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04DC0000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04E00000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04E40000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04E80000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04EB0000_00001000:
GetKeyboardState
IEXPLORE.EXE_1964_rwx_04EC0000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04EF0000_00001000:
GetKeyState
IEXPLORE.EXE_1964_rwx_04F00000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04F40000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04F80000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_04FC0000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_05000000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_05040000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_05080000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_050C0000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_050F0000_00001000:
ExitWindowsEx
IEXPLORE.EXE_1964_rwx_05100000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_05130000_00001000:
EnumWindows
IEXPLORE.EXE_1964_rwx_05140000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_05180000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_051C0000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_051F0000_00001000:
EnumChildWindows
IEXPLORE.EXE_1964_rwx_05200000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_05240000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_05280000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_052C0000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_05300000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_05340000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_05380000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_053C0000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_05400000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_05440000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_05480000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_054C0000_00001000:
user32.dll
IEXPLORE.EXE_1964_rwx_054F0000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_05630000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_05670000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_056B0000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_056F0000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_05730000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_05770000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_057B0000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_057F0000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_05830000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_05870000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_058B0000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_058F0000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_05930000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_05970000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_059B0000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_059F0000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_05A30000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_05A70000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_05AB0000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_05AF0000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_05B30000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_05B70000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_05BB0000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_05BF0000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_05C30000_00001000:
wsock32.dll
IEXPLORE.EXE_1964_rwx_05C60000_00001000:
shell32.dll
IEXPLORE.EXE_1964_rwx_05D90000_00001000:
ShellExecuteA
IEXPLORE.EXE_1964_rwx_05DA0000_00001000:
shell32.dll
IEXPLORE.EXE_1964_rwx_05DE0000_00001000:
shell32.dll
IEXPLORE.EXE_1964_rwx_05E10000_00001000:
SHFileOperationA
IEXPLORE.EXE_1964_rwx_05E20000_00001000:
shell32.dll
IEXPLORE.EXE_1964_rwx_05E60000_00001000:
shell32.dll
IEXPLORE.EXE_1964_rwx_05E90000_00001000:
ntdll.dll
IEXPLORE.EXE_1964_rwx_05EE0000_00001000:
ntdll.dll
IEXPLORE.EXE_1964_rwx_05F10000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_05F50000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_061A0000_00001000:
kernel32.dll
IEXPLORE.EXE_1964_rwx_061D0000_00001000:
wininet.dll
IEXPLORE.EXE_1964_rwx_06310000_00001000:
wininet.dll
IEXPLORE.EXE_1964_rwx_06350000_00001000:
wininet.dll
IEXPLORE.EXE_1964_rwx_06380000_00001000:
InternetOpenUrlA
IEXPLORE.EXE_1964_rwx_06390000_00001000:
wininet.dll
IEXPLORE.EXE_1964_rwx_063D0000_00001000:
wininet.dll
IEXPLORE.EXE_1964_rwx_06410000_00001000:
wininet.dll
IEXPLORE.EXE_1964_rwx_06450000_00001000:
wininet.dll
IEXPLORE.EXE_1964_rwx_06480000_00001000:
HttpQueryInfoA
IEXPLORE.EXE_1964_rwx_06490000_00001000:
wininet.dll
IEXPLORE.EXE_1964_rwx_064C0000_00001000:
FtpSetCurrentDirectoryA
IEXPLORE.EXE_1964_rwx_064D0000_00001000:
wininet.dll
IEXPLORE.EXE_1964_rwx_06500000_00001000:
FtpPutFileA
IEXPLORE.EXE_1964_rwx_06510000_00001000:
wininet.dll
IEXPLORE.EXE_1964_rwx_06540000_00001000:
FtpOpenFileA
IEXPLORE.EXE_1964_rwx_06550000_00001000:
wininet.dll
IEXPLORE.EXE_1964_rwx_06580000_00001000:
FtpFindFirstFileA
IEXPLORE.EXE_1964_rwx_06590000_00001000:
wininet.dll
IEXPLORE.EXE_1964_rwx_065C0000_00001000:
FindCloseUrlCache
IEXPLORE.EXE_1964_rwx_065D0000_00001000:
wininet.dll
IEXPLORE.EXE_1964_rwx_06600000_00001000:
wininet.dll
IEXPLORE.EXE_1964_rwx_06630000_00001000:
FindNextUrlCacheEntryA
IEXPLORE.EXE_1964_rwx_06640000_00001000:
wininet.dll
IEXPLORE.EXE_1964_rwx_06670000_00001000:
FindFirstUrlCacheEntryA
IEXPLORE.EXE_1964_rwx_06680000_00001000:
wininet.dll
IEXPLORE.EXE_1964_rwx_066B0000_00001000:
crypt32.dll
IEXPLORE.EXE_1964_rwx_06900000_00001000:
crypt32.dll
IEXPLORE.EXE_1964_rwx_06930000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_06A70000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_06AB0000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_06AF0000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_06B30000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_06B70000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_06BB0000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_06BF0000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_06C20000_00001000:
URLMON.DLL
IEXPLORE.EXE_1964_rwx_06D50000_00001000:
URLDownloadToFileA
IEXPLORE.EXE_1964_rwx_06D60000_00001000:
URLMON.DLL
IEXPLORE.EXE_1964_rwx_06E40000_00001000:
AVICAP32.DLL
IEXPLORE.EXE_1964_rwx_06E80000_00001000:
AVICAP32.DLL
IEXPLORE.EXE_1964_rwx_06ED0000_00001000:
AVICAP32.DLL
IEXPLORE.EXE_1964_rwx_06F00000_00001000:
secur32.dll
IEXPLORE.EXE_1964_rwx_07250000_00001000:
secur32.dll
IEXPLORE.EXE_1964_rwx_07290000_00001000:
secur32.dll
IEXPLORE.EXE_1964_rwx_072D0000_00001000:
secur32.dll
IEXPLORE.EXE_1964_rwx_07300000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_07440000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_07470000_00001000:
netapi32.dll
IEXPLORE.EXE_1964_rwx_075B0000_00001000:
netapi32.dll
IEXPLORE.EXE_1964_rwx_075F0000_00001000:
netapi32.dll
IEXPLORE.EXE_1964_rwx_07620000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_07760000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_077A0000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_077E0000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_07820000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_07860000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_078A0000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_078E0000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_07920000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_07960000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_079A0000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_079E0000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_07A10000_00001000:
iphlpapi.dll
IEXPLORE.EXE_1964_rwx_07B50000_00001000:
iphlpapi.dll
IEXPLORE.EXE_1964_rwx_07B80000_00001000:
ntdll.dll
IEXPLORE.EXE_1964_rwx_07BC0000_00001000:
ntdll.dll
IEXPLORE.EXE_1964_rwx_07C00000_00001000:
ntdll.dll
IEXPLORE.EXE_1964_rwx_07C30000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_07C70000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_07EC0000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_07F00000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_07F40000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_07F70000_00001000:
RegEnumKeyExA
IEXPLORE.EXE_1964_rwx_07F80000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_07FB0000_00001000:
RegCreateKeyExA
IEXPLORE.EXE_1964_rwx_07FC0000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_07FF0000_00001000:
RegOpenKeyExA
IEXPLORE.EXE_1964_rwx_08000000_00001000:
advapi32.dll
IEXPLORE.EXE_1964_rwx_10410000_00045000:
.idata
.reloc
P.rsrc
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
%sysdir%\
%serverexe%
%serverexe%\
%serverpath%\
Ht.HtZ
Software\Microsoft\Windows\CurrentVersion\
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
MSG|Can't Access Drive !
MSG|Directory Doesn't Exist !
$000000.tmp
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
127.0.0.1 localhost #Redirects^To^Local^IP
MSG|Settings Change was Successful
MSG|The Computer Must Be Rebooted To Apply Changes
MSG|An Invalid Set of Flags Was Passed
MSG|The Display Driver Failed the Specified Graphics Mode
MSG|Graphics Mode Not Supported
MSG|Unable to Write Settings to Registry
MSG|Frequency Changed To
MSG|Error Changing Frequency
MSG|Error, Frequency Not Supported
MSG|Clipboard Monitoring Started
kernel32.dll
PSAPI.dll
\\StringFileInfo\\%.4x%.4x\\%s
ntdll.dll
|Key|-|
TPortScannerThread
PORTOPEND|
MSG|Port Scan Completed
MSG|Port Scanning Stopped
TMemoryExecute
|File Executed In Memory, PID :
|Error Executing File In Memory|
http://
HTTP/1.1
|Error, Can't Execute File|
avesvc.exe
ashdisp.exe
avgrsx.exe
bdss.exe
spider.exe
avp.exe
nod32krn.exe
cclaw.exe
dvpapi.exe
ewidoctrl.exe
mcshield.exe
pavfires.exe
almon.exe
ccapp.exe
pccntmon.exe
fssm32.exe
Dr.Web
issvc.exe
vsmon.exe
cpf.exe
ca.exe
tnbutil.exe
mpfservice.exe
npfmsg.exe
outpost.exe
tpsrv.exe
kpf4ss.exe
persfw.exe
vsserv.exe
smc.exe
Windows NT 4.0
Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows 95
Windows 98
Windows Me
rpcrt4.dll
Explorer.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
userinit.exe,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\WindowsName
Software\Microsoft\Windows\CurrentVersion\WindowsName\
Software\Microsoft\Windows NT\CurrentVersion
UnitPasswords
** Password Unknown **
Password
mozcrt19.dll
sqlite3.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
softokn3.dll
nss3.dll
PK11_GetInternalKeySlot
userenv.dll
\Application Data\Mozilla\Firefox\profiles.ini
\Application Data\Mozilla\Firefox\
\signons3.txt
MSG|Failed To Get Firefox Passwords
\signons2.txt
MSG|Firefox Not Found On Remote PC
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command\
firefox.exe
BCAST|FIREFOX|
FIREFOXPASSWORDS|
-|-|-|-|
password
aim.ini
yahoo.ini
msn.ini
TRILLIANPASSWORDS|
Trillian.SkinZip\DefaultIcon
BCAST|TRILLIANPASSWORDS|
LoginName
\*.dat
MIRANDAPASSWORDS|
BCAST|MIRANDAPASSWORDS|
PIDGINPASSWORDS|
GAIMPASSWORDS|
\.purple\accounts.xml
\.gaim\accounts.xml
** Password Unknown **|
@rapidshare[1].txt
\Mozilla\Firefox\profiles.ini
\Mozilla\Firefox\
\cookies.sqlite
\cookies.txt
BCAST|RSPASSWORDS|
RSPASSWORDS|
[t]Password-Protected Web Site$|[l]
BCAST|INTERNETEXPLORERPASSWORDS|
INTERNETEXPLORERPASSWORDS|
TWebDownloader
TFTPUploader
TFTPDownloader
DOWNSTARTED|HTTP Download|
|Download Complete, Executed|
|Download Complete, Error Executing !|
ftp://
DOWNSTARTED|FTP Download|
|Download Complete, Error Executing|
MSG|Updating Server...
MSG|Server Downloaded, Executing...
MSG|Server Updated Successfully
MSG|Server Update Failed, Error Executing
MSG|Server Update Failed, Error Downloading
UPSTARTED|FTP Upload|
|Error !, Unable To Connect To FTP Server|
SetupApi.dll
cfgmgr32.dll
SetupDiOpenClassRegKey
MSG|Device Enabled
MSG|Error Enabling Device
MSG|Device Disabled
MSG|Error Disabling Device
PowrProf.dll
BCASTSEARCHWINDOWS
WEBCAMCAP
MSG|Error Capturing Webcam
00-00-00-00-00-00
IP: %s, SubNetMask : %s
0.0.0.0
127.0.0.1
%d.%d.%d.%d
iphlpapi.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
autorun.inf
MSG|Can't Find File To Copy To USB !
MSG|File Copied To USB Successfully
MSG|Error Copying File To USB !
Connected Device/Port :
Operation Unidentified:
GetAsyncKeyState
user32.dll
GetKeyState
TskMultiChatForm.UnicodeClass
%WinDir%\log.txt
MSG|Server Accepted Hello, Controlling Started
FIREFOX
INTERNETEXPLORERPASSWORDS
MIRANDAPASSWORDS
TRILLIANPASSWORDS
PIDGINPASSWORDS
GAIMPASSWORDS
RSPASSWORDS
cmd.exe /k
MSG|Registry Search Started...
MSG|Registry Key Doesn't Exists !
STARTPORTSCAN
MSG|Port Scanning Started...
STOPPORTSCAN
SEARCHWINDOWS
MSG|Process
MSG|Error Setting Process Priority
MSG|DLL Unloaded
MSG|Error Unloading DLL
MSG|Process Terminated - PID :
MSG|Error Terminating Process - PID :
MSG|Process Restarted
MSG|Couldn't Restart Process
MSG|Process Suspended - PID :
MSG|Error Suspending Process - PID :
MSG|Process Resumed - PID
MSG|Error Resuming Process - PID :
NOIPPASSWORDS
NOIPPASSWORDS|
MSG|No No-IP Passwords Found
MSNPASSWORDS
MSNPASSWORDS|
FIREFOXPASSWORDS
SOCKSSTATUS|Socks Server Already Active on Port :
MSG|Uninstaller Executed
MSG|Could't Execute Uninstaller
CDKEYS
CDKEYS|
ACTIVEPORTS
ACTIVEPORTS|
MSG|Error Listing Active Ports
MSG|Host Removed
MSG|Error Removing Host
MSG|Host Added
MSG|Error Adding Host
MSG|Window Closed - Handel :
MSG|Window Diabled - Handel :
MSG|Window Enabled - Handel :
MSG|Window Maximized - Handel :
MSG|Window Minimized - Handel :
MSG|Window Hided - Handel :
MSG|Window Showed - Handel :
MSG|Close Button On Window With Handel :
MSG|Close Button on Window With Handel :
MSG|Window Title Changed To :
MSG|Can't Change Window Title To :
SENDKEYS
MSG|Text Sent To Window With Handel :
MSG|Error Sending Text To Window - Handel :
MSG|Script Created and Executed
MSG|Erorr Creating/Executing Script
MSG|User Clicked : OK
MSG|User Clicked : Cancel
MSG|User Clicked : Retry
MSG|User Clicked : Yes
MSG|User Clicked : No
MSG|User Clicked : Abort
MSG|User Clicked : Ignore
MSG|Clipboard Enabled
MSG|Clipboard Disabled
MSG|This Directory Doesn't Exist
MSG|Desktop Wallpaper Set To "
MSG|Error Changing Desktop Wallpaper
winlogon.exe
MSG|Application Executed as System
MSG|Error Executiong Application as System
MSG|File Executed Visiblly
MSG|Error While Trying to Run File
MSG|File Executed Hidden
MSG|Error Executing File
MSG|File Secure-Deleted
MSG|Error Secure-Deleting File
MSG|File Doesn't Exist
MSG|File Deleted
MSG|Error Deleting File
MSG|Folder Deleted Succesfully
MSG|Error Deleting Folder
MSG|Folder Doesn't Exist
MSG|File/Folder Renamed
MSG|Can't Rename File/Folder
MSG|File/Folder Doesn't Exist
MSG|Folder Created
MSG|Can't Creat Folder
MSG|Folder Already Exist, Choose another name
LISTKEYS
LISTKEYS|
MSG|Key Renamed
MSG|Error Renaming Key
DELETEKEY
MSG|Key/Value Deleted
MSG|Error Deleting Key/Value
NEWKEY
MSG|Key Created
MSG|Error Creating Key
MSG|Value Added
MSG|Error Adding Value
MSG|USB Monitor is Already Active
MSG|USB Monitoring Started
MSG|USB Monitor is Not Active
MSG|USB Monitoring Stopped
MSG|Can't Stop USB Monitoring
MSG|Clipboard Monitor is Already Active
MSG|Clipboard Monitor is Not Active
MSG|Clipboard Monitoring Stopped
|Error, Target File or File To Execute Doesn't Exists|
DOWNLOADFROMFTP
UPLOADTOFTP
MSG|Offline Key Logger Is Disabled !
MSG|Error, Log Doesn't Exists !
MSG|Offline Log Cleared !
MSG|Error Clearing Log File !
LISTWEBCAMS
LISTWEBCAMS|
MSG|Error, File Not Found
MSG|Service Stopped
MSG|Service Started
MSG|Service "
MSG|Error Deleting Service
MSG|Service Created
MSG|Error Creating Service
MSG|Logoff Command Executed
MSG|Restart Command Executed
MSG|Shutdown Command Executed
MSG|Standby Command Executed
MSG|Hibernate Command Executed
MSG|Power Off Command Executed
?456789:;<=
!"#$%&'()* ,-./0123
abe2869f-9b47-4cd9-a358-c22904dba7f7
Unable to resolve HTTP prox
$#&(%'!"-.
&{N5DKJK5H-5XG7-8421-4V52-B1QQ0LF833CU}wiki.dyndns-wiki.com
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegQueryInfoKeyA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
WinExec
PeekNamedPipe
GetWindowsDirectoryA
GetProcessHeap
CreatePipe
version.dll
gdi32.dll
keybd_event
VkKeyScanA
SetKeyboardState
MsgWaitForMultipleObjects
MapVirtualKeyA
GetKeyboardState
ExitWindowsEx
EnumWindows
EnumChildWindows
wsock32.dll
shell32.dll
ShellExecuteA
SHFileOperationA
wininet.dll
InternetOpenUrlA
HttpQueryInfoA
FtpSetCurrentDirectoryA
FtpPutFileA
FtpOpenFileA
FtpFindFirstFileA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
crypt32.dll
URLMON.DLL
URLDownloadToFileA
AVICAP32.DLL
secur32.dll
netapi32.dll
303C3K3p3x3
6 6$6(6,6064686
? ?6?\?{?1,2j2}2
:.|Port=
=wiki.dy
vs.exe
vKeylo
1&{N5DKJK5H-5XG7-8421-4V52-B1QQ0LF833CU}F833CU}|InjectInto=Þfaultbrows(
InjectInto=Þfaultbrowser%
wiki.dyndns-wiki.comleSafeMode
{4MO5UU47-M7LK-842G-7GS7-USY8J431PHRF}
Explorer.EXE_1912_rwx_00EF0000_00001000:
.text
`.data
.reloc
Explorer.EXE_1912_rwx_02050000_00010000:
hcc.dholea
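The strings recovered from the injected IEXPLORE.EXE_1964 region at 10410000 (the C2 host and GUID, the MSG|/BCAST| command protocol, the *PASSWORDS| stealer modules, the AV process kill list and the Winlogon/Active Setup persistence paths) are enough to triage another process dump or unpacked sample for the same PcClient build without re-running it in a sandbox. The scanner below is an added example, not part of the Lavasoft report or of the sample's own code: it searches a memory blob for those strings in both ASCII and UTF-16LE, groups hits by the capability they reveal, and pulls the dynamic-DNS C2 host out of the configuration. The category weights and the host regex are this example's own assumptions, and SAMPLE and BENIGN are constructed test inputs rather than real dumps.

```python
import re

# Indicator strings copied verbatim from the IEXPLORE.EXE_1964 region dump above,
# grouped by the capability each one reveals.
INDICATORS = {
    "c2_config": [
        b"wiki.dyndns-wiki.com",
        b"{N5DKJK5H-5XG7-8421-4V52-B1QQ0LF833CU}",
        b"InjectInto=",
        b"|Port=",
    ],
    "protocol": [b"MSG|", b"BCAST|", b"DOWNSTARTED|", b"UPSTARTED|", b"PORTOPEND|"],
    "credential_theft": [
        b"FIREFOXPASSWORDS|", b"TRILLIANPASSWORDS|", b"MIRANDAPASSWORDS|",
        b"PIDGINPASSWORDS|", b"GAIMPASSWORDS|", b"RSPASSWORDS|",
        b"INTERNETEXPLORERPASSWORDS|", b"NOIPPASSWORDS|", b"MSNPASSWORDS|",
        b"\\signons3.txt", b"PK11_GetInternalKeySlot",
    ],
    # The categories below also occur in legitimate software and carry less weight.
    "av_kill_list": [b"avp.exe", b"mcshield.exe", b"nod32krn.exe", b"ashdisp.exe", b"vsmon.exe"],
    "persistence": [
        b"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
        b"userinit.exe,",
        b"Active Setup\\Installed Components\\",
        b"Policies\\Explorer\\Run\\",
    ],
    "spreading": [b"autorun.inf", b"File Copied To USB Successfully"],
    "surveillance": [b"WEBCAMCAP", b"Clipboard Monitoring Started", b"GetAsyncKeyState"],
}
WEAK = {"av_kill_list", "persistence", "spreading", "surveillance"}

# Dynamic-DNS hostname pattern. Where the host sits inside the config string is an
# assumption of this example, not a layout the report documents.
DYNDNS_RE = re.compile(rb"(?:[A-Za-z0-9-]+\.)+dyndns(?:-[a-z]+)?\.(?:com|org|net)")


def _forms(needle):
    """ASCII and UTF-16LE forms: Windows/Delphi binaries keep strings in both."""
    return (needle, needle.decode("latin-1").encode("utf-16-le"))


def scan(blob):
    """Map each indicator category to the strings found in blob (either encoding)."""
    hits = {}
    for category, needles in INDICATORS.items():
        found = sorted(n.decode("latin-1") for n in needles if any(f in blob for f in _forms(n)))
        if found:
            hits[category] = found
    return hits


def verdict(hits):
    """(is_match, score). Weights are this example's choice: 3 per string in a strong
    category, 1 in a weak one; a C2-config hit is decisive on its own."""
    score = sum((1 if cat in WEAK else 3) * len(found) for cat, found in hits.items())
    return ("c2_config" in hits or score >= 9), score


def extract_c2_hosts(blob):
    """Dynamic-DNS hosts present in ASCII or UTF-16LE, deduplicated and sorted."""
    utf16_as_ascii = blob.decode("utf-16-le", errors="ignore").encode("latin-1", errors="ignore")
    return sorted({m.decode("latin-1") for data in (blob, utf16_as_ascii) for m in DYNDNS_RE.findall(data)})


# Constructed test input: report strings embedded in filler, one of them in UTF-16LE.
SAMPLE = (
    b"\x00" * 8 + b"MSG|Server Accepted Hello, Controlling Started\x00"
    + b"BCAST|FIREFOX|\x00FIREFOXPASSWORDS|\x00"
    + "avp.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 4 + b"1&{N5DKJK5H-5XG7-8421-4V52-B1QQ0LF833CU}wiki.dyndns-wiki.com|Port=\x00"
    + b"autorun.inf\x00"
)
BENIGN = b"kernel32.dll\x00GetProcessHeap\x00user32.dll\x00"

if __name__ == "__main__":
    for name, blob in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        hits = scan(blob)
        matched, score = verdict(hits)
        print(name, "match" if matched else "no match", "score", score, hits)
        print(name, "C2 hosts:", extract_c2_hosts(blob))
```

Point scan() at a raw process dump (for example the rwx regions a memory-acquisition tool carves out of IEXPLORE.EXE) rather than the packed file on disk; the UPolyX-packed sample in the report will not expose these strings until it has unpacked itself in memory.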
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1624
taskkill.exe:1092
statcvs.exe:1744
statcvs.exe:236
statcvs.exe:1200
statcvs.exe:532
NvTaskbarInh.exe:1644
NvTaskbarInh.exe:868
l1rezerv.exe:1688
wuauclt.exe:540
7252550.exe:652
rundll32.exe:1804
foxit.exe:204
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\NvTaskbarInh.exe (17261 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\7252550.exe (4984 bytes)
%WinDir%\statcvs.exe (2321 bytes)
%System%\statcvs.exe (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\NvTaskbarInh.exe (7385 bytes)
%System%\foxit.exe (2392 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%WinDir%\l1rezerv.exe (1281 bytes)
%WinDir%\morgr32.dll (79 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"IDT PC Audio" = "%WinDir%\statcvs.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Nvidia Control Center3" = "%System%\NvTaskbarInh.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"l1rezerv.exe" = "%WinDir%\l1rezerv.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\morgr32.dll,Startup"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
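The manual removal steps above name the autorun values, the dropped files and the autorun.inf scripts to look for. The script below is an added example, not tooling from the report, that audits a host against exactly those indicators: on Windows it enumerates the listed Run/RunOnce keys through winreg and matches the values against the report's list, checks whether the dropped files are present, and parses an autorun.inf the way Explorer interprets it (open=, shellexecute= and shell\verb\command= keys) so the executable the worm copied to a removable drive can be located and deleted together with the script. The sample registry entries and the sample autorun.inf are constructed; the report does not give the name of the file written to USB, so the name in the sample is invented. One caveat on the first value in the list: wextract_cleanup0 pointing at advpack.dll,DelNodeRunDLL32 and the IXP000.TMP folder are the standard cleanup entry written by the IExpress self-extractor (wextract.exe) that unpacked the dropper, so removing it is harmless, but it is the Run values, not that RunOnce entry, that bring the backdoor back after a reboot.

```python
import os

# (hive, key, value name, data fragment) exactly as the removal steps list them;
# matching a fragment tolerates %WinDir% expanding differently on the examined host.
AUTORUN_IOCS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "wextract_cleanup0", r"advpack.dll,DelNodeRunDLL32"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "IDT PC Audio", r"statcvs.exe"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "Nvidia Control Center3", r"NvTaskbarInh.exe"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "l1rezerv.exe", r"l1rezerv.exe"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "Ihoragiqinicim", r"morgr32.dll,Startup"),
]
# Dropped files from the list above; %System% is written as %WinDir%\system32 so that
# os.path.expandvars resolves both placeholders on a Windows host.
DROPPED_FILES = [
    r"%WinDir%\statcvs.exe", r"%WinDir%\system32\statcvs.exe", r"%WinDir%\system32\NvTaskbarInh.exe",
    r"%WinDir%\system32\foxit.exe", r"%WinDir%\l1rezerv.exe", r"%WinDir%\morgr32.dll",
]


def match_autorun_entries(entries):
    """entries: iterable of (hive, key, name, data). Returns the IOC tuples whose hive,
    key and value name match case-insensitively and whose data fragment occurs in data."""
    matched = []
    for hive, key, name, data in entries:
        for ihive, ikey, iname, ifrag in AUTORUN_IOCS:
            if (hive.upper() == ihive and key.lower() == ikey.lower()
                    and name.lower() == iname.lower() and ifrag.lower() in str(data).lower()):
                matched.append((ihive, ikey, iname, ifrag))
    return matched


def autorun_targets(inf_text):
    """Commands an autorun.inf launches: open=, shellexecute= and shell\\<verb>\\command=
    keys in the [autorun] section, case-insensitive, quotes stripped, duplicates dropped."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun")
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("/", "\\")
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            value = value.strip().strip('"')
            if value and value not in targets:
                targets.append(value)
    return targets


def dropped_files_present():
    """Dropped files that exist on this host (always [] off Windows, where %WinDir% stays literal)."""
    return [p for p in map(os.path.expandvars, DROPPED_FILES) if os.path.exists(p)]


def collect_run_entries():
    """Enumerate every value under the Run/RunOnce keys named above (Windows only; [] elsewhere)."""
    try:
        import winreg
    except ImportError:
        return []
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for hive, key in sorted({(h, k) for h, k, _, _ in AUTORUN_IOCS}):
        try:
            with winreg.OpenKey(roots[hive], key) as handle:
                index = 0
                while True:
                    name, data, _ = winreg.EnumValue(handle, index)
                    entries.append((hive, key, name, data))
                    index += 1
        except OSError:  # key absent, or EnumValue ran past the last value
            continue
    return entries


# Constructed sample inputs (not from the report): a Run-key listing with two of the
# listed values beside a legitimate one, and an autorun.inf of the kind the worm writes.
# The report does not name the file copied to USB; "server.exe" below is invented.
SAMPLE_RUN_ENTRIES = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "IDT PC Audio", r"C:\WINDOWS\statcvs.exe"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "l1rezerv.exe", r"C:\WINDOWS\l1rezerv.exe"),
]
SAMPLE_AUTORUN_INF = (
    "[AutoRun]\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    "open=RECYCLER\\server.exe\r\n"
    "shell\\open\\Command=\"RECYCLER\\server.exe\"\r\n"
    "shell\\explore\\command=RECYCLER\\server.exe -e\r\n"
    "shellexecute=RECYCLER\\server.exe\r\n"
)

if __name__ == "__main__":
    for _, key, name, _ in match_autorun_entries(collect_run_entries()):
        print("autorun value present:", key, name)
    for path in dropped_files_present():
        print("dropped file present:", path)
    print("sample autorun.inf launches:", autorun_targets(SAMPLE_AUTORUN_INF))
```

Run it as an administrator on the suspect host, then feed the contents of `<drive>:\autorun.inf` from each removable drive to autorun_targets() to learn which file to delete there. A RunOnce value is removed by Windows after it runs, so the wextract_cleanup0 entry being absent says nothing about whether the Run values are still in place.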