Backdoor.Win32.PcClient_d6e53e9d0f

by malwarelabrobot on September 4th, 2013 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!SB.0 (VIPRE), Backdoor.Win32.PcClient.FD, TrojanDropperVtimrun.YR, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: d6e53e9d0f4a9383f67993ec0f2358c4
SHA1: 89f5d38d55d53f13f9823f5a3a339379f222c89b
SHA256: 38d0310df16ec015122ccae35d2205c881af6066fb57a5135b3cc93b18dd1bca
SSDeep: 6144:MsehzRFf6vAe4gwKPN2pC59k/sZlZ8REk:Mr7a4sB5Sspdk
Size: 235520 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, MicrosoftVisualCv60SPx, UPolyXv05_v6
Company: no certificate found
Created at: 2003-03-25 09:08:18


Summary:

Backdoor. Malware that enables remote control of the victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

QVODSE~1.EXE:748
sc.exe:1816
sc.exe:1556
sc.exe:1328
sc.exe:1732
sc.exe:1736
sc.exe:916
sc.exe:1296
net1.exe:1748
net1.exe:1520
net.exe:1260
net.exe:608
Rundll32.exe:684
Rundll32.exe:1596
Setup3.exe:624

The Backdoor injects its code into the following process(es):

d6e53e9d0f4a9383f67993ec0f2358c4.exe:1652

File activity

The process QVODSE~1.EXE:748 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%System%\tvvet.dll (22 bytes)
%System%\pgrxt.dll (77 bytes)

The process d6e53e9d0f4a9383f67993ec0f2358c4.exe:1652 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Setup3.exe (6690 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\QVODSE~1.EXE (2784 bytes)

The process Rundll32.exe:684 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

C:\Perl\lib\Moose\Meta\Method\Accessor\Native (4 bytes)
C:\Perl\lib\TAP (8 bytes)
%System%\CatRoot2 (96 bytes)
C:\Perl\lib\auto\Win32\Console (4 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
%WinDir%\pchealth\helpctr\System\images (4 bytes)
C:\Perl\lib\Moose\Meta (8 bytes)
%WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US (4 bytes)
%WinDir%\SoftwareDistribution\Download\36a2296f631a54daefcc3b56e3d990e2 (4 bytes)
%WinDir%\pchealth\helpctr\System\Remote Assistance (4 bytes)
C:\Perl\html\lib\CPANPLUS\Internals (4 bytes)
C:\Perl\html\lib\ActiveState (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C__DOCUME~1_adm_LOCALS~1_Temp_IXP000.TMP_QvodSetupPlus.exe.torrent (12 bytes)
%WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance (4 bytes)
C:\Perl\lib\auto\LWP (4 bytes)
C:\Perl\html\lib\PPI\Statement (4 bytes)
C:\Perl\html\lib\Net (8 bytes)
%WinDir%\SoftwareDistribution\Download\2e6b16219034e135b4f869efb7a10fee (4 bytes)
C:\Perl\html\lib\Module\Build (4 bytes)
C:\Perl\lib\unicore\lib (12 bytes)
C:\Perl\html\lib\autodie (4 bytes)
%WinDir%\pchealth\helpctr\System\panels (4 bytes)
C:\Perl\html\lib\Perl (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs (4 bytes)
C:\Perl\lib\Term (4 bytes)
%WinDir%\SoftwareDistribution\Download\6a410a1bd174bc123056d235ac4829af (4 bytes)
C:\Perl\lib\SQL (4 bytes)
C:\Perl\html\lib\Perl\Critic\Policy (4 bytes)
%Program Files%\Java\jre6\lib (24 bytes)
C:\Perl\html\lib\Devel (4 bytes)
C:\Perl (4 bytes)
%Documents and Settings%\Default User (540 bytes)
C:\Perl\html\lib\TAP (8 bytes)
%WinDir%\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9 (4 bytes)
%WinDir%\pchealth\helpctr\System (8 bytes)
C:\$Directory (2848 bytes)
C:\Perl\html\lib\Test\Builder (4 bytes)
C:\Perl\eg (4 bytes)
%Documents and Settings%\%current user%\My Documents (4 bytes)
%System%\config (616 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\PresentationFramewo# (4 bytes)
C:\Perl\html\lib\Win32 (8 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%WinDir%\Prefetch (8 bytes)
C:\Perl\lib\PPI (4 bytes)
C:\Perl\html\lib\Perl\Critic\Exception\Configuration (4 bytes)
%Documents and Settings%\All Users\Application Data (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f (4 bytes)
%System%\CatRoot (4 bytes)
%WinDir%\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59 (4 bytes)
C:\Perl\lib\auto\Encode (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (8754 bytes)
%WinDir%\assembly\GAC_32 (4 bytes)
%WinDir%\SoftwareDistribution\Download\da2a33b6770f970d7fe7262040f98a4f (4 bytes)
C:\Perl\html\lib\Archive (4 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.0 (4 bytes)
C:\Perl\html\lib\Date (4 bytes)
C:\Perl\html\lib\Data (4 bytes)
%System% (37844 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%Program Files%\Adobe\Reader 9.0\Resource\Font (4 bytes)
%Program Files%\Wireshark (772 bytes)
%WinDir%\Installer\$PatchCache$\Managed (4 bytes)
C:\Perl\lib\IO (4 bytes)
%WinDir%\SoftwareDistribution\Download\b5f880834ad67f3d383ffff5f2fa46bd (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client (8 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions (4 bytes)
C:\Perl\lib\Moose\Meta\Method (4 bytes)
%Program Files%\Common Files\Microsoft Shared\OFFICE14 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\WPF (4 bytes)
C:\Perl\lib\Locale (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\WPF (4 bytes)
%WinDir%\assembly\GAC_MSIL (1156 bytes)
C:\Perl\html\faq (4 bytes)
C:\Perl\html\lib\Class\MOP (4 bytes)
%WinDir%\Microsoft.NET (4 bytes)
C:\Perl\eg\PerlEx (4 bytes)
C:\Perl\html\lib\SQL (4 bytes)
C:\Perl\html\lib\Moose\Cookbook (4 bytes)
C:\Perl\html\lib\TAP\Formatter (4 bytes)
%WinDir%\WinSxS\Policies (8 bytes)
%WinDir%\SoftwareDistribution\Download (5004 bytes)
%System%\oobe\html (4 bytes)
%WinDir%\SoftwareDistribution\Download\f0fea42f69058000617da24986c3b109 (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\PresentationFramewo# (4 bytes)
%WinDir%\SoftwareDistribution\Download\196fa81559690e2494e56094df51cdd8 (4 bytes)
%Documents and Settings%\%current user%\Cookies (192 bytes)
C:\Perl\html\lib\XML (4 bytes)
C:\Perl\lib\Devel\NYTProf (4 bytes)
C:\Perl\html\lib\ExtUtils (196 bytes)
C:\ (8 bytes)
%Documents and Settings%\%current user%\Favorites (4 bytes)
%WinDir%\SoftwareDistribution\Download\621a08ac003b616bcaa86aa4d4292d50 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (188 bytes)
%Program Files%\VMware\VMware Tools (96 bytes)
C:\Perl\lib\CPAN (8 bytes)
C:\Perl\html\lib\PPIx (4 bytes)
C:\Perl\html\lib\DBI (4 bytes)
C:\Perl\lib\Devel\NYTProf\js (4 bytes)
C:\Perl\lib\ActivePerl\PPM (4 bytes)
C:\Perl\lib\Encode (4 bytes)
C:\Perl\lib\Test (4 bytes)
C:\Perl\html\lib\PPIx\Regexp\Token\CharClass (4 bytes)
%Program Files%\Movie Maker (4 bytes)
C:\Perl\lib\B (4 bytes)
C:\Perl\lib\Moose (4 bytes)
C:\Perl\html\lib\Sub (4 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32 (4 bytes)
%WinDir%\Microsoft.NET\assembly\GAC_32 (4 bytes)
C:\Perl\lib\auto\HTTP (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation (4 bytes)
%Program Files%\Wireshark\snmp\mibs (1292 bytes)
C:\Perl\lib\Tie (4 bytes)
%Documents and Settings%\LocalService (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0c52c03306062533f7dcb087bfcfa6b (4 bytes)
C:\Perl\html\lib\Perl\Critic (8 bytes)
C:\Perl\lib\unicore\lib\Perl (4 bytes)
%Program Files%\Java\jre6\lib\security (4 bytes)
%WinDir%\WinSxS (300 bytes)
C:\Perl\lib\LWP (4 bytes)
C:\Perl\lib\URI (8 bytes)
C:\Perl\html\lib\File (96 bytes)
%WinDir%\SoftwareDistribution\Download\7dc26e8888d68d9e04bc52940c0f24b5 (4 bytes)
%WinDir% (2600 bytes)
%System%\wbem\Repository\FS\MAPPING2.MAP (12 bytes)
%WinDir%\pchealth\helpctr\OfflineCache (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users (4 bytes)
C:\Perl\html\lib\Perl\Critic\Utils (4 bytes)
%Documents and Settings%\NetworkService\Local Settings (4 bytes)
C:\Perl\html\lib\Class (4 bytes)
%WinDir%\SoftwareDistribution\Download\e79028ac4f02e201b61b2c632cb0fc5e (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\plug_ins3d (4 bytes)
C:\PROGRAM FILES (12 bytes)
C:\Perl\lib\Moose\Cookbook (4 bytes)
C:\Perl\html\lib\Tie (4 bytes)
%WinDir%\Help\Tours\WindowsMediaPlayer\Img (4 bytes)
C:\Perl\html\lib\Unicode (4 bytes)
C:\Perl\lib\auto\GD (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32 (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc81666f3868f34642e3f5adbc2719f9 (4 bytes)
C:\Perl\lib\ExtUtils\CBuilder\Platform (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dns_tmp.txt (12 bytes)
%Program Files%\Java\jre6\lib\zi\America (772 bytes)
%Documents and Settings% (8 bytes)
%Documents and Settings%\Default User\Local Settings (4 bytes)
%WinDir%\$hf_mig$ (104 bytes)
%System%\spool\XPSEP\amd64 (4 bytes)
C:\Perl\lib\CPANPLUS (4 bytes)
%Program Files%\Java\jre6\lib\deploy (4 bytes)
C:\Perl\html\lib\Module (4 bytes)
C:\Perl\lib\DBI\Gofer (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles (4 bytes)
%WinDir%\ime\imjp8_1 (4 bytes)
%WinDir%\SoftwareDistribution\Download\e8252bbfa91fcf5afb38775b18691074 (8 bytes)
%Program Files%\Adobe\Reader 9.0\Resource (8 bytes)
C:\Perl\lib\Moose\Meta\Role (4 bytes)
C:\Perl\lib\unicore (8 bytes)
C:\Perl\lib\Perl\Critic\Policy (4 bytes)
C:\Perl\html\lib\JSON (4 bytes)
C:\Perl\html\lib\Perl\Critic\Exception\Configuration\Option (4 bytes)
C:\Perl\lib\auto\Win32 (104 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft (4 bytes)
%WinDir%\Help\Tours\WindowsMediaPlayer (4 bytes)
C:\Perl\lib\TAP\Parser (4 bytes)
%Documents and Settings%\NetworkService (4 bytes)
C:\Perl\lib\auto\CPAN\Meta (4 bytes)
C:\Perl\html\lib\PPIx\Utilities (4 bytes)
%WinDir%\SoftwareDistribution\Download\c656e6c592787a464f852186d6e0b466 (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0 (8 bytes)
%WinDir%\SoftwareDistribution\Download\8bb5f1c638778df6b77d80bc61ffc63c (4 bytes)
%WinDir%\SoftwareDistribution\Download\b91377d1d56820d9d699c0c2dc7c8e80 (4 bytes)
C:\Perl\html\lib\CPANPLUS\Dist (4 bytes)
C:\Perl\html\lib\WWW (4 bytes)
%WinDir%\SoftwareDistribution\Download\30438597a812a5d1d7979088d451747f (4 bytes)
%System%\oobe (8 bytes)
C:\Perl\lib\HTML (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft (4 bytes)
C:\Perl\html\lib\Moose\Meta (4 bytes)
%Program Files%\Microsoft Office\Office14 (4 bytes)
C:\Perl\lib\Perl\Critic (8 bytes)
C:\Perl\lib\Win32 (4 bytes)
D:\ (20 bytes)
C:\Perl\html\lib\PPIx\Regexp (4 bytes)
%WinDir%\Installer (8 bytes)
%WinDir%\ime (4 bytes)
%WinDir%\SoftwareDistribution\Download\ee4e3d4bf0d346e1b8fdee8197195e59 (4 bytes)
%WinDir%\SoftwareDistribution\Download\211409fc1d99b95b32fb0344cad140df (4 bytes)
C:\Perl\html\lib\HTTP (4 bytes)
%Documents and Settings%\All Users (4 bytes)
C:\Perl\html\lib\Test (4 bytes)
C:\Perl\lib\CORE (196 bytes)
%WinDir%\SoftwareDistribution\Download\dffcab319e36b852e5b2d51802010a7a (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319 (1732 bytes)
C:\Perl\lib\Class (4 bytes)
C:\Perl\lib\auto (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\QvodSetupPlus.exe.!qd (3345 bytes)
%System%\wbem\Repository\FS\OBJECTS.DATA (17387 bytes)
C:\Perl\lib\GD (4 bytes)
%WinDir%\SoftwareDistribution\Download\299840a657dd26ca3bbf3cee3ec999ba (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_7ac.dat (20 bytes)
%WinDir%\pchealth\helpctr (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dns.txt (4 bytes)
%WinDir%\SoftwareDistribution\Download\e5c5fc9bd7a4957f0a45c6db2957c5c9 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation (4 bytes)
C:\Perl\lib\Perl\Critic\Utils (4 bytes)
C:\Perl\lib\HTTP (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qd.ini (4 bytes)
C:\Perl\html\lib\DBI\Gofer (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0 (12 bytes)
C:\Perl\html\lib\Perl\Critic\Exception (4 bytes)
C:\Perl\html (12 bytes)
%WinDir%\SoftwareDistribution\Download\906245b7f0992255b054322b77475594 (4 bytes)
C:\Perl\html\lib\PPI (4 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\ime\imkr6_1 (4 bytes)
%WinDir%\pchealth\helpctr\System\sysinfo\graphics (4 bytes)
%WinDir%\SoftwareDistribution\Download\248802b74506342031e926839639c729 (4 bytes)
%WinDir%\SoftwareDistribution\Download\cb88a2f03b29735db957d61a63df6504 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers (4 bytes)
%WinDir%\SoftwareDistribution\Download\21156e54b0f0f47f81dab4a39e109501 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (12 bytes)
%Documents and Settings%\All Users\Documents\My Music (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C__DOCUME~1_adm_LOCALS~1_Temp_IXP000.TMP_QvodSetupPlus.exe.mem (40 bytes)
C:\Perl\lib\ExtUtils (8 bytes)
%Program Files%\Windows NT (4 bytes)
%WinDir%\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment (4 bytes)
%WinDir%\Web (4 bytes)
C:\Perl\html\lib\File\HomeDir (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories (4 bytes)
%Program Files%\Wireshark\snmp\mibs\.index (8 bytes)
%System%\wbem\Logs\wbemcore.log (248 bytes)
C:\totalcmd (4 bytes)
C:\Perl\html\lib\DBD (4 bytes)
%Program Files%\Common Files\System (4 bytes)
%WinDir%\SoftwareDistribution\Download\e0c0da396303f1dd2c82cd2ccc07020d (4 bytes)
C:\Perl\html\lib\Math (4 bytes)
C:\Perl\html\lib\Moose (8 bytes)
C:\Perl\bin (192 bytes)
%Program Files%\Windows Media Player (4 bytes)
C:\Perl\lib\ActiveState (8 bytes)
C:\Perl\lib\PPIx\Regexp\Token (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (392 bytes)
%WinDir%\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df (4 bytes)
C:\Perl\html\lib\IO (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG (4 bytes)
%WinDir%\SoftwareDistribution\Download\6b7f938fb3db15dab273f3f1702c318c (4 bytes)
%Documents and Settings%\%current user%\Application Data (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 (384 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles (8 bytes)
C:\Perl\html\lib\LWP (4 bytes)
%WinDir%\pchealth\helpctr\Config (4 bytes)
C:\Perl\html\lib\GD (4 bytes)
%WinDir%\msagent (4 bytes)
C:\Perl\html\lib\Text (4 bytes)
%Program Files%\Movie Maker\Shared (4 bytes)
C:\Perl\html\lib\PPI\Token (96 bytes)
%WinDir%\SoftwareDistribution\Download\bc8ea6c22fd142de8dd67336d23310cf (4 bytes)
%System%\wbem (2900 bytes)
C:\Perl\lib\ActiveState\PerlCritic (4 bytes)
%WinDir%\SoftwareDistribution\Download\57b4b90cc3eead9f6c29b58581d03ae4 (4 bytes)
%WinDir%\SoftwareDistribution\Download\21cbd3f70584651805685eba1753505f (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs (4 bytes)
%WinDir%\SoftwareDistribution\Download\b6f4642d2b8dc03c5ce1b1a4f77b1bda (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader (96 bytes)
C:\Perl\lib\WWW (4 bytes)
%WinDir%\SoftwareDistribution\Download\9460002f6d8231358fc1eb590f9b1dce (4 bytes)
C:\Perl\lib\IO\Uncompress (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\http.txt (4 bytes)
C:\Perl\lib\Perl\Critic\Exception (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft (4 bytes)
C:\Perl\html\lib\CPANPLUS (4 bytes)
C:\Perl\lib\Devel (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\http_tmp.txt (8 bytes)
%System%\mui (8 bytes)
C:\Perl\html\lib\Encode (8 bytes)
%WinDir%\REGISTRATION (4 bytes)
%System%\spool\XPSEP\i386 (4 bytes)
C:\Perl\lib\Pod (4 bytes)
%WinDir%\SoftwareDistribution\Download\1c47f41cc76cde4c629564d7564f2795 (4 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft (4 bytes)
%Program Files%\Java\jre6\bin (308 bytes)
C:\Perl\html\lib\PPIx\Regexp\Token (8 bytes)
C:\Perl\html\lib (2280 bytes)
%WinDir%\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944 (4 bytes)
C:\Perl\lib\Class\MOP (4 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\test.pml (15740 bytes)
%System%\config\systemprofile\Start Menu\Programs (4 bytes)
C:\Perl\lib\TAP\Formatter (4 bytes)
C:\Perl\lib\File\HomeDir (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%System%\wbem\Repository\FS\INDEX.BTR (20382 bytes)
%WinDir%\Temp (4 bytes)
C:\Perl\html\lib\Moose\Util (4 bytes)
C:\Perl\lib\CPANPLUS\Dist (4 bytes)
C:\Perl\html\lib\Locale (4 bytes)
C:\Perl\html\lib\CPAN (4 bytes)
%Documents and Settings%\%current user%\Local Settings (44 bytes)
%WinDir%\Microsoft.NET\assembly\GAC_MSIL (28 bytes)
%WinDir%\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig (4 bytes)
%Program Files%\Java\jre6\lib\fonts (4 bytes)
%System%\config\systemprofile\Start Menu\Programs\Accessories (4 bytes)
C:\Perl\lib\auto\ActiveState (4 bytes)
C:\Perl\html\lib\CPANPLUS\Module (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc529fa49cb2cb097fdf1e22d25872da (4 bytes)
%WinDir%\SoftwareDistribution\Download\e104dcd29adf1c6c473a5efad2d509be (4 bytes)
C:\Perl\lib\Text (4 bytes)
%Program Files%\Wireshark\plugins\0.99.6a (8 bytes)
C:\Perl\lib\Module\Build (4 bytes)
%Program Files%\Java\jre6\lib\ext (4 bytes)
C:\Perl\lib (6244 bytes)
%Program Files%\Adobe\Reader 9.0 (4 bytes)
C:\Perl\lib\File\Spec (4 bytes)
%WinDir%\Microsoft.NET\Framework (96 bytes)
%Documents and Settings%\All Users\Documents (4 bytes)
C:\Perl\lib\CPANPLUS\Module (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (53629 bytes)
C:\Perl\lib\Math (4 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (4 bytes)
%System%\drivers (1824 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727 (1848 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (4545 bytes)
C:\Perl\html\lib\Term (4 bytes)
%Program Files%\Common Files\Microsoft Shared\DW (4 bytes)
%Documents and Settings%\%current user% (28 bytes)
C:\Perl\lib\DBI (4 bytes)
C:\Perl\lib\DBD (4 bytes)
%WinDir%\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2 (4 bytes)
%WinDir%\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975 (4 bytes)
%WinDir%\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6 (4 bytes)
C:\Perl\lib\IO\Compress (4 bytes)
%WinDir%\SoftwareDistribution\Download\cedca0128a48437390192d906f83a717 (4 bytes)
%WinDir%\Help (248 bytes)
%WinDir%\security (4 bytes)
C:\Perl\lib\JSON (4 bytes)
C:\Perl\html\lib\PerlIO (4 bytes)
%WinDir%\SoftwareDistribution\Download\a4c07d9275eb613d842cb1e140d8a426 (4 bytes)
C:\Perl\lib\auto\Win32\API (4 bytes)
%WinDir%\pchealth\helpctr\System\sysinfo (4 bytes)
%System%\config\systemprofile (4 bytes)
C:\Perl\html\lib\Pod (96 bytes)
%WinDir%\SoftwareDistribution\Download\17e46901add634f15d293735648771e6 (4 bytes)
%WinDir%\SoftwareDistribution\Download\50e2c72fd814d3841e776dd2c4918260 (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0e4033a7ec549e982572f0d830cf5d0 (4 bytes)
%WinDir%\SoftwareDistribution\Download\0000894bab70b145c3629920ba907f7a (4 bytes)
%WinDir%\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154 (4 bytes)
%WinDir%\SoftwareDistribution\Download\0c1e5e0ffeb238b1ee5c9ea3a4878374 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft (4 bytes)
%WinDir%\Web\printers (4 bytes)
C:\Perl\lib\Module (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\temp_wincheck.txt (676 bytes)
%System%\config\systemprofile\Local Settings (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security (4 bytes)
%WinDir%\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e (4 bytes)
%Program Files%\Wireshark\dtds (4 bytes)
%Program Files%\Internet Explorer (4 bytes)
%WinDir%\SoftwareDistribution\Download\8b9a83d2cde55eb19dc502cc2dd04e0d (4 bytes)
C:\Perl\html\lib\Moose\Meta\Role (4 bytes)
C:\Perl\lib\Time (4 bytes)
%WinDir%\SoftwareDistribution\Download\f2adb0f8440e5dbd459aa6bfcaed1ba5 (4 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.5 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.5 (12 bytes)
%System%\config\SysEvent.Evt (208 bytes)
%Documents and Settings%\LocalService\Local Settings (4 bytes)
C:\Perl\lib\PPI\Statement (4 bytes)
%Program Files%\COMMON FILES (4 bytes)
C:\Perl\lib\Net (4 bytes)
%WinDir%\SoftwareDistribution\Download\23e79e5fb28793d8cb1c2055b0d8dcb9 (4 bytes)
%Program Files%\Common Files\Microsoft Shared (4 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists (4 bytes)
%Documents and Settings%\Default User\Start Menu\Programs (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard (4 bytes)
C:\Perl\html\lib\DBI\Const (4 bytes)
C:\Perl\lib\CPANPLUS\Internals (4 bytes)
C:\Perl\html\lib\DBD\Oracle (4 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
C:\Perl\lib\auto\Devel (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\plug_ins (4 bytes)
%System%\oobe\html\mouse (4 bytes)
C:\Perl\html\lib\B (4 bytes)
%Program Files%\Java\jre6\lib\zi (8 bytes)
%WinDir%\SoftwareDistribution\Download\abaf10b7d55d3716fbb63e0b568cb4b6 (4 bytes)
C:\Perl\lib\File (12 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft (4 bytes)
C:\Perl\lib\PPI\Token (8 bytes)
%WinDir%\SoftwareDistribution\Download\163d01893aa68b49abc63d8d6c9a7bb2 (4 bytes)
C:\Perl\html\lib\HTML (4 bytes)
C:\Perl\lib\PPIx\Regexp (4 bytes)
C:\Perl\html\lib\Package (4 bytes)
C:\Perl\html\lib\Win32\API (4 bytes)
%WinDir%\assembly (4 bytes)
C:\Perl\lib\auto\Module (4 bytes)
%WinDir%\Prefetch\CMD.EXE-087B4001.pf (64 bytes)
C:\Perl\html\lib\TAP\Parser (4 bytes)
C:\Perl\lib\auto\Text (8 bytes)
%WinDir%\SoftwareDistribution\Download\2c95b28351986132d7f36dd28eece9b0 (4 bytes)

The Backdoor deletes the following file(s):

%System%\wininet.dll (0 bytes)

The process Rundll32.exe:1596 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Program Files%\AAV\CDriver.sys (11 bytes)

The Backdoor deletes the following file(s):

%Program Files%\AAV\CDriver.sys (0 bytes)
%Program Files%\AAV (0 bytes)

The process Setup3.exe:624 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\QvodSetupPlus.exe.!qd (56480 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qd.ini (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C__DOCUME~1_adm_LOCALS~1_Temp_IXP000.TMP_QvodSetupPlus.exe.mem (1917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C__DOCUME~1_adm_LOCALS~1_Temp_IXP000.TMP_QvodSetupPlus.exe.torrent (392 bytes)

Registry activity

The process d6e53e9d0f4a9383f67993ec0f2358c4.exe:1652 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 D5 21 44 ED 66 08 08 76 F0 02 24 B0 47 D7 6E"

To run itself automatically each time Windows boots, the Backdoor adds a link to its file under the following system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

The process sc.exe:1816 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 8F 06 7C 28 C7 EE F4 C9 A8 1C A0 AD C1 47 A3"

The process sc.exe:1556 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 C0 50 92 22 2C C3 BE F6 87 59 07 63 E6 D2 6E"

The process sc.exe:1328 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 54 2E 97 90 51 2D B1 26 76 9A 1C A3 4F C6 CF"

The process sc.exe:1732 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 3D B7 81 2A 5E 69 6A E9 02 B0 58 0F 1F 62 26"

The process sc.exe:1736 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 DA 37 81 F0 13 37 2F C2 19 7E 9A 1D 5E E3 BA"

The process sc.exe:916 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 ED CC 7C D5 E4 8E 13 95 CF 13 AF B0 EA AD 2A"

The process sc.exe:1296 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 F3 1C 07 4A 6F 7A 20 DE EF 7A 24 B8 14 39 34"

The process net1.exe:1748 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 24 4B B4 06 C7 45 00 81 4E F5 67 A3 23 43 69"

The process net1.exe:1520 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E A9 FE 50 55 58 C3 1A 30 CB 84 93 83 40 E0 FB"

The process net.exe:1260 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 27 4C 13 BD 20 F1 3C 78 03 74 77 7F 77 4E 22"

The process net.exe:608 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 96 C2 34 BC 86 DE C9 1C 54 AF B7 E4 DD BF 76"

The process Rundll32.exe:684 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 0C A3 92 16 60 2E 95 D4 64 99 07 E6 56 B5 13"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Backdoor modifies IE security zone settings to map all local web nodes (names without dots that are not assigned to any other zone) to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run itself automatically each time Windows boots, the Backdoor adds a link to its file under the following system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"system" = "%System%\system.exe"

The Backdoor deletes the following value(s) from the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

The process Rundll32.exe:1596 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E BF 0E 8D 3F 28 91 E7 76 CC F2 BE 8E 57 BC 3B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"sc.exe" = "A tool to aid in developing services for WindowsNT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The Backdoor modifies the IE security zone settings so that all sites that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Backdoor modifies the IE security zone settings so that all local sites whose names contain no dots and are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The process Setup3.exe:624 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 38 D3 F0 95 63 A0 06 19 AC 0B CD 07 0C 6F 50"

Adds a rule to the Windows Firewall that allows the dropped file any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP]
"Setup3.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Setup3.exe:*:Enabled:QVOD"

Network activity (URLs)

URL IP
hxxp://update.qvod.com/qd.jpg
hxxp://update.qvod.com/QvodSetupPlus5_5.0.72_for_35.exe


Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    QVODSE~1.EXE:748
    sc.exe:1816
    sc.exe:1556
    sc.exe:1328
    sc.exe:1732
    sc.exe:1736
    sc.exe:916
    sc.exe:1296
    net1.exe:1748
    net1.exe:1520
    net.exe:1260
    net.exe:608
    Rundll32.exe:684
    Rundll32.exe:1596
    Setup3.exe:624

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %System%\tvvet.dll (22 bytes)
    %System%\pgrxt.dll (77 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Setup3.exe (6690 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\QVODSE~1.EXE (2784 bytes)
    C:\Perl\lib\Moose\Meta\Method\Accessor\Native (4 bytes)
    C:\Perl\lib\TAP (8 bytes)
    %System%\CatRoot2 (96 bytes)
    C:\Perl\lib\auto\Win32\Console (4 bytes)
    %WinDir%\SoftwareDistribution (4 bytes)
    %WinDir%\pchealth\helpctr\System\images (4 bytes)
    %WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US (4 bytes)
    %WinDir%\SoftwareDistribution\Download\36a2296f631a54daefcc3b56e3d990e2 (4 bytes)
    %WinDir%\pchealth\helpctr\System\Remote Assistance (4 bytes)
    C:\Perl\html\lib\CPANPLUS\Internals (4 bytes)
    C:\Perl\html\lib\ActiveState (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\C__DOCUME~1_adm_LOCALS~1_Temp_IXP000.TMP_QvodSetupPlus.exe.torrent (12 bytes)
    %WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance (4 bytes)
    C:\Perl\lib\auto\LWP (4 bytes)
    C:\Perl\html\lib\PPI\Statement (4 bytes)
    C:\Perl\html\lib\Net (8 bytes)
    %WinDir%\SoftwareDistribution\Download\2e6b16219034e135b4f869efb7a10fee (4 bytes)
    C:\Perl\html\lib\Module\Build (4 bytes)
    C:\Perl\lib\unicore\lib (12 bytes)
    C:\Perl\html\lib\autodie (4 bytes)
    %WinDir%\pchealth\helpctr\System\panels (4 bytes)
    C:\Perl\html\lib\Perl (4 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs (4 bytes)
    C:\Perl\lib\Term (4 bytes)
    %WinDir%\SoftwareDistribution\Download\6a410a1bd174bc123056d235ac4829af (4 bytes)
    C:\Perl\lib\SQL (4 bytes)
    C:\Perl\html\lib\Perl\Critic\Policy (4 bytes)
    %Program Files%\Java\jre6\lib (24 bytes)
    C:\Perl\html\lib\Devel (4 bytes)
    %Documents and Settings%\Default User (540 bytes)
    C:\Perl\html\lib\TAP (8 bytes)
    %WinDir%\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9 (4 bytes)
    C:\$Directory (2848 bytes)
    C:\Perl\html\lib\Test\Builder (4 bytes)
    C:\Perl\eg (4 bytes)
    %Documents and Settings%\%current user%\My Documents (4 bytes)
    %System%\config (616 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\PresentationFramewo# (4 bytes)
    C:\Perl\html\lib\Win32 (8 bytes)
    %WinDir%\Prefetch (8 bytes)
    C:\Perl\lib\PPI (4 bytes)
    C:\Perl\html\lib\Perl\Critic\Exception\Configuration (4 bytes)
    %Documents and Settings%\All Users\Application Data (4 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories (4 bytes)
    %WinDir%\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f (4 bytes)
    %WinDir%\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59 (4 bytes)
    C:\Perl\lib\auto\Encode (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (8754 bytes)
    %WinDir%\assembly\GAC_32 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\da2a33b6770f970d7fe7262040f98a4f (4 bytes)
    C:\Perl\html\lib\Archive (4 bytes)
    %Program Files%\Reference Assemblies\Microsoft\Framework\v3.0 (4 bytes)
    C:\Perl\html\lib\Date (4 bytes)
    C:\Perl\html\lib\Data (4 bytes)
    %System%\config\systemprofile\Application Data\Microsoft (4 bytes)
    %Program Files%\Adobe\Reader 9.0\Resource\Font (4 bytes)
    %Program Files%\Wireshark (772 bytes)
    %WinDir%\Installer\$PatchCache$\Managed (4 bytes)
    C:\Perl\lib\IO (4 bytes)
    %WinDir%\SoftwareDistribution\Download\b5f880834ad67f3d383ffff5f2fa46bd (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client (8 bytes)
    %Program Files%\Common Files\VMware\Drivers (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions (4 bytes)
    %Program Files%\Common Files\Microsoft Shared\OFFICE14 (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\WPF (4 bytes)
    C:\Perl\lib\Locale (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v3.0\WPF (4 bytes)
    %WinDir%\assembly\GAC_MSIL (1156 bytes)
    C:\Perl\html\faq (4 bytes)
    C:\Perl\html\lib\Class\MOP (4 bytes)
    C:\Perl\eg\PerlEx (4 bytes)
    C:\Perl\html\lib\SQL (4 bytes)
    C:\Perl\html\lib\Moose\Cookbook (4 bytes)
    C:\Perl\html\lib\TAP\Formatter (4 bytes)
    %WinDir%\WinSxS\Policies (8 bytes)
    %System%\oobe\html (4 bytes)
    %WinDir%\SoftwareDistribution\Download\f0fea42f69058000617da24986c3b109 (4 bytes)
    %WinDir%\assembly\NativeImages_v4.0.30319_32\PresentationFramewo# (4 bytes)
    %WinDir%\SoftwareDistribution\Download\196fa81559690e2494e56094df51cdd8 (4 bytes)
    %Documents and Settings%\%current user%\Cookies (192 bytes)
    C:\Perl\html\lib\XML (4 bytes)
    C:\Perl\lib\Devel\NYTProf (4 bytes)
    C:\Perl\html\lib\ExtUtils (196 bytes)
    %Documents and Settings%\%current user%\Favorites (4 bytes)
    %WinDir%\SoftwareDistribution\Download\621a08ac003b616bcaa86aa4d4292d50 (4 bytes)
    %Program Files%\VMware\VMware Tools (96 bytes)
    C:\Perl\lib\CPAN (8 bytes)
    C:\Perl\html\lib\PPIx (4 bytes)
    C:\Perl\html\lib\DBI (4 bytes)
    C:\Perl\lib\Devel\NYTProf\js (4 bytes)
    C:\Perl\lib\ActivePerl\PPM (4 bytes)
    C:\Perl\lib\Encode (4 bytes)
    C:\Perl\lib\Test (4 bytes)
    C:\Perl\html\lib\PPIx\Regexp\Token\CharClass (4 bytes)
    %Program Files%\Movie Maker (4 bytes)
    C:\Perl\lib\B (4 bytes)
    C:\Perl\html\lib\Sub (4 bytes)
    %WinDir%\Microsoft.NET\assembly\GAC_32 (4 bytes)
    C:\Perl\lib\auto\HTTP (4 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation (4 bytes)
    %Program Files%\Wireshark\snmp\mibs (1292 bytes)
    C:\Perl\lib\Tie (4 bytes)
    %Documents and Settings%\LocalService (4 bytes)
    %WinDir%\SoftwareDistribution\Download\c0c52c03306062533f7dcb087bfcfa6b (4 bytes)
    C:\Perl\lib\unicore\lib\Perl (4 bytes)
    %Program Files%\Java\jre6\lib\security (4 bytes)
    C:\Perl\lib\LWP (4 bytes)
    C:\Perl\lib\URI (8 bytes)
    C:\Perl\html\lib\File (96 bytes)
    %WinDir%\SoftwareDistribution\Download\7dc26e8888d68d9e04bc52940c0f24b5 (4 bytes)
    %System%\wbem\Repository\FS\MAPPING2.MAP (12 bytes)
    %WinDir%\pchealth\helpctr\OfflineCache (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users (4 bytes)
    C:\Perl\html\lib\Perl\Critic\Utils (4 bytes)
    %Documents and Settings%\NetworkService\Local Settings (4 bytes)
    %WinDir%\SoftwareDistribution\Download\e79028ac4f02e201b61b2c632cb0fc5e (4 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader\plug_ins3d (4 bytes)
    C:\PROGRAM FILES (12 bytes)
    C:\Perl\lib\Moose\Cookbook (4 bytes)
    C:\Perl\html\lib\Tie (4 bytes)
    %WinDir%\Help\Tours\WindowsMediaPlayer\Img (4 bytes)
    C:\Perl\html\lib\Unicode (4 bytes)
    C:\Perl\lib\auto\GD (4 bytes)
    %WinDir%\SoftwareDistribution\Download\bc81666f3868f34642e3f5adbc2719f9 (4 bytes)
    C:\Perl\lib\ExtUtils\CBuilder\Platform (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dns_tmp.txt (12 bytes)
    %Program Files%\Java\jre6\lib\zi\America (772 bytes)
    %Documents and Settings%\Default User\Local Settings (4 bytes)
    %WinDir%\$hf_mig$ (104 bytes)
    %System%\spool\XPSEP\amd64 (4 bytes)
    C:\Perl\lib\CPANPLUS (4 bytes)
    %Program Files%\Java\jre6\lib\deploy (4 bytes)
    C:\Perl\lib\DBI\Gofer (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles (4 bytes)
    %WinDir%\ime\imjp8_1 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\e8252bbfa91fcf5afb38775b18691074 (8 bytes)
    C:\Perl\lib\Moose\Meta\Role (4 bytes)
    C:\Perl\lib\Perl\Critic\Policy (4 bytes)
    C:\Perl\html\lib\JSON (4 bytes)
    C:\Perl\html\lib\Perl\Critic\Exception\Configuration\Option (4 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft (4 bytes)
    C:\Perl\lib\TAP\Parser (4 bytes)
    C:\Perl\lib\auto\CPAN\Meta (4 bytes)
    C:\Perl\html\lib\PPIx\Utilities (4 bytes)
    %WinDir%\SoftwareDistribution\Download\c656e6c592787a464f852186d6e0b466 (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0 (8 bytes)
    %WinDir%\SoftwareDistribution\Download\8bb5f1c638778df6b77d80bc61ffc63c (4 bytes)
    %WinDir%\SoftwareDistribution\Download\b91377d1d56820d9d699c0c2dc7c8e80 (4 bytes)
    C:\Perl\html\lib\CPANPLUS\Dist (4 bytes)
    C:\Perl\html\lib\WWW (4 bytes)
    %WinDir%\SoftwareDistribution\Download\30438597a812a5d1d7979088d451747f (4 bytes)
    C:\Perl\lib\HTML (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft (4 bytes)
    C:\Perl\html\lib\Moose\Meta (4 bytes)
    %Program Files%\Microsoft Office\Office14 (4 bytes)
    C:\Perl\lib\Win32 (4 bytes)
    D:\ (20 bytes)
    %WinDir%\SoftwareDistribution\Download\ee4e3d4bf0d346e1b8fdee8197195e59 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\211409fc1d99b95b32fb0344cad140df (4 bytes)
    C:\Perl\html\lib\HTTP (4 bytes)
    C:\Perl\lib\CORE (196 bytes)
    %WinDir%\SoftwareDistribution\Download\dffcab319e36b852e5b2d51802010a7a (4 bytes)
    C:\Perl\lib\Class (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\QvodSetupPlus.exe.!qd (3345 bytes)
    %System%\wbem\Repository\FS\OBJECTS.DATA (17387 bytes)
    C:\Perl\lib\GD (4 bytes)
    %WinDir%\SoftwareDistribution\Download\299840a657dd26ca3bbf3cee3ec999ba (4 bytes)
    %WinDir%\Temp\Perflib_Perfdata_7ac.dat (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dns.txt (4 bytes)
    %WinDir%\SoftwareDistribution\Download\e5c5fc9bd7a4957f0a45c6db2957c5c9 (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation (4 bytes)
    C:\Perl\lib\Perl\Critic\Utils (4 bytes)
    C:\Perl\lib\HTTP (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qd.ini (4 bytes)
    C:\Perl\html\lib\DBI\Gofer (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0 (12 bytes)
    %WinDir%\SoftwareDistribution\Download\906245b7f0992255b054322b77475594 (4 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories (4 bytes)
    %WinDir%\ime\imkr6_1 (4 bytes)
    %WinDir%\pchealth\helpctr\System\sysinfo\graphics (4 bytes)
    %WinDir%\SoftwareDistribution\Download\248802b74506342031e926839639c729 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\cb88a2f03b29735db957d61a63df6504 (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers (4 bytes)
    %WinDir%\SoftwareDistribution\Download\21156e54b0f0f47f81dab4a39e109501 (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5 (12 bytes)
    %Documents and Settings%\All Users\Documents\My Music (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\C__DOCUME~1_adm_LOCALS~1_Temp_IXP000.TMP_QvodSetupPlus.exe.mem (40 bytes)
    %Program Files%\Windows NT (4 bytes)
    %WinDir%\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d (4 bytes)
    %WinDir%\Web (4 bytes)
    C:\Perl\html\lib\File\HomeDir (4 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories (4 bytes)
    %Program Files%\Wireshark\snmp\mibs\.index (8 bytes)
    %System%\wbem\Logs\wbemcore.log (248 bytes)
    C:\totalcmd (4 bytes)
    C:\Perl\html\lib\DBD (4 bytes)
    %Program Files%\Common Files\System (4 bytes)
    %WinDir%\SoftwareDistribution\Download\e0c0da396303f1dd2c82cd2ccc07020d (4 bytes)
    C:\Perl\html\lib\Math (4 bytes)
    C:\Perl\bin (192 bytes)
    %Program Files%\Windows Media Player (4 bytes)
    C:\Perl\lib\ActiveState (8 bytes)
    C:\Perl\lib\PPIx\Regexp\Token (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (392 bytes)
    %WinDir%\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df (4 bytes)
    C:\Perl\html\lib\IO (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG (4 bytes)
    %WinDir%\SoftwareDistribution\Download\6b7f938fb3db15dab273f3f1702c318c (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 (384 bytes)
    C:\Perl\html\lib\LWP (4 bytes)
    %WinDir%\pchealth\helpctr\Config (4 bytes)
    C:\Perl\html\lib\GD (4 bytes)
    %WinDir%\msagent (4 bytes)
    C:\Perl\html\lib\Text (4 bytes)
    %Program Files%\Movie Maker\Shared (4 bytes)
    C:\Perl\html\lib\PPI\Token (96 bytes)
    %WinDir%\SoftwareDistribution\Download\bc8ea6c22fd142de8dd67336d23310cf (4 bytes)
    C:\Perl\lib\ActiveState\PerlCritic (4 bytes)
    %WinDir%\SoftwareDistribution\Download\57b4b90cc3eead9f6c29b58581d03ae4 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\21cbd3f70584651805685eba1753505f (4 bytes)
    %WinDir%\SoftwareDistribution\Download\b6f4642d2b8dc03c5ce1b1a4f77b1bda (4 bytes)
    C:\Perl\lib\WWW (4 bytes)
    %WinDir%\SoftwareDistribution\Download\9460002f6d8231358fc1eb590f9b1dce (4 bytes)
    C:\Perl\lib\IO\Uncompress (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\http.txt (4 bytes)
    C:\Perl\lib\Perl\Critic\Exception (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\http_tmp.txt (8 bytes)
    %System%\mui (8 bytes)
    C:\Perl\html\lib\Encode (8 bytes)
    %WinDir%\REGISTRATION (4 bytes)
    %System%\spool\XPSEP\i386 (4 bytes)
    C:\Perl\lib\Pod (4 bytes)
    %WinDir%\SoftwareDistribution\Download\1c47f41cc76cde4c629564d7564f2795 (4 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft (4 bytes)
    %Program Files%\Java\jre6\bin (308 bytes)
    %WinDir%\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944 (4 bytes)
    C:\Perl\lib\Class\MOP (4 bytes)
    C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\test.pml (15740 bytes)
    %System%\config\systemprofile\Start Menu\Programs (4 bytes)
    C:\Perl\lib\TAP\Formatter (4 bytes)
    C:\Perl\lib\File\HomeDir (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
    %System%\wbem\Repository\FS\INDEX.BTR (20382 bytes)
    C:\Perl\html\lib\Moose\Util (4 bytes)
    C:\Perl\lib\CPANPLUS\Dist (4 bytes)
    C:\Perl\html\lib\Locale (4 bytes)
    %WinDir%\Microsoft.NET\assembly\GAC_MSIL (28 bytes)
    %WinDir%\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig (4 bytes)
    %Program Files%\Java\jre6\lib\fonts (4 bytes)
    %System%\config\systemprofile\Start Menu\Programs\Accessories (4 bytes)
    C:\Perl\lib\auto\ActiveState (4 bytes)
    C:\Perl\html\lib\CPANPLUS\Module (4 bytes)
    %WinDir%\SoftwareDistribution\Download\bc529fa49cb2cb097fdf1e22d25872da (4 bytes)
    %WinDir%\SoftwareDistribution\Download\e104dcd29adf1c6c473a5efad2d509be (4 bytes)
    C:\Perl\lib\Text (4 bytes)
    %Program Files%\Wireshark\plugins\0.99.6a (8 bytes)
    C:\Perl\lib\Module\Build (4 bytes)
    %Program Files%\Java\jre6\lib\ext (4 bytes)
    C:\Perl\lib\File\Spec (4 bytes)
    C:\Perl\lib\CPANPLUS\Module (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\test.pml (53629 bytes)
    C:\Perl\lib\Math (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (4 bytes)
    %System%\drivers (1824 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (4545 bytes)
    C:\Perl\html\lib\Term (4 bytes)
    %Program Files%\Common Files\Microsoft Shared\DW (4 bytes)
    C:\Perl\lib\DBD (4 bytes)
    %WinDir%\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6 (4 bytes)
    C:\Perl\lib\IO\Compress (4 bytes)
    %WinDir%\SoftwareDistribution\Download\cedca0128a48437390192d906f83a717 (4 bytes)
    %WinDir%\security (4 bytes)
    C:\Perl\lib\JSON (4 bytes)
    C:\Perl\html\lib\PerlIO (4 bytes)
    %WinDir%\SoftwareDistribution\Download\a4c07d9275eb613d842cb1e140d8a426 (4 bytes)
    C:\Perl\lib\auto\Win32\API (4 bytes)
    C:\Perl\html\lib\Pod (96 bytes)
    %WinDir%\SoftwareDistribution\Download\17e46901add634f15d293735648771e6 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\50e2c72fd814d3841e776dd2c4918260 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\c0e4033a7ec549e982572f0d830cf5d0 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\0000894bab70b145c3629920ba907f7a (4 bytes)
    %WinDir%\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\0c1e5e0ffeb238b1ee5c9ea3a4878374 (4 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft (4 bytes)
    %WinDir%\Web\printers (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\temp_wincheck.txt (676 bytes)
    %System%\config\systemprofile\Local Settings (4 bytes)
    %WinDir%\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e (4 bytes)
    %Program Files%\Wireshark\dtds (4 bytes)
    %Program Files%\Internet Explorer (4 bytes)
    %WinDir%\SoftwareDistribution\Download\8b9a83d2cde55eb19dc502cc2dd04e0d (4 bytes)
    C:\Perl\html\lib\Moose\Meta\Role (4 bytes)
    C:\Perl\lib\Time (4 bytes)
    %WinDir%\SoftwareDistribution\Download\f2adb0f8440e5dbd459aa6bfcaed1ba5 (4 bytes)
    %Program Files%\Reference Assemblies\Microsoft\Framework\v3.5 (4 bytes)
    %System%\config\SysEvent.Evt (208 bytes)
    %Documents and Settings%\LocalService\Local Settings (4 bytes)
    C:\Perl\lib\PPI\Statement (4 bytes)
    %Program Files%\COMMON FILES (4 bytes)
    C:\Perl\lib\Net (4 bytes)
    %WinDir%\SoftwareDistribution\Download\23e79e5fb28793d8cb1c2055b0d8dcb9 (4 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Playlists (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard (4 bytes)
    C:\Perl\html\lib\DBI\Const (4 bytes)
    C:\Perl\lib\CPANPLUS\Internals (4 bytes)
    C:\Perl\html\lib\DBD\Oracle (4 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
    C:\Perl\lib\auto\Devel (4 bytes)
    %System%\oobe\html\mouse (4 bytes)
    C:\Perl\html\lib\B (4 bytes)
    %WinDir%\SoftwareDistribution\Download\abaf10b7d55d3716fbb63e0b568cb4b6 (4 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft (4 bytes)
    C:\Perl\lib\PPI\Token (8 bytes)
    %WinDir%\SoftwareDistribution\Download\163d01893aa68b49abc63d8d6c9a7bb2 (4 bytes)
    C:\Perl\html\lib\HTML (4 bytes)
    C:\Perl\html\lib\Package (4 bytes)
    C:\Perl\html\lib\Win32\API (4 bytes)
    C:\Perl\lib\auto\Module (4 bytes)
    %WinDir%\Prefetch\CMD.EXE-087B4001.pf (64 bytes)
    C:\Perl\html\lib\TAP\Parser (4 bytes)
    C:\Perl\lib\auto\Text (8 bytes)
    %WinDir%\SoftwareDistribution\Download\2c95b28351986132d7f36dd28eece9b0 (4 bytes)
    %Program Files%\AAV\CDriver.sys (11 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "system" = "%System%\system.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
