DeepScan.Generic.Zlob.7.1FED44BB_4b61bfb74b

by malwarelabrobot on July 12th, 2015 in Malware Descriptions.

Trojan.Win32.DNSChanger.ueb (Kaspersky), DeepScan:Generic.Zlob.7.1FED44BB (B) (Emsisoft), DeepScan:Generic.Zlob.7.1FED44BB (AdAware), Trojan.NSIS.StartPage.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 4b61bfb74b4518d0733aa550c6fc7f0b
SHA1: 940e255e7f360235b33282e0b0a4aa600b9cd681
SHA256: f94591b202032534dc5a945891aac816808291b91975c8a47220c5835bef39d4
SSDeep: 3072:nbLpZuEskJoU4CqQ1LNALc9gWhQh22c4uSiDmXy3PnHbhEdILWoja4jbeRmotu:nbOOxBdNeczhQk4Til/nHF/jFjimH
Size: 197913 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: PC Utilities Software Limited
Created at: 2006-07-01 21:05:54
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The DeepScan creates the following process(es):

02.exe:312
UnRAR.exe:896
01.exe:1952

The DeepScan injects its code into the following process(es):

imapi.exe:1992
%original file name%.exe:1336
vmacthlp.exe:940
csrss.exe:692
winlogon.exe:724
services.exe:768
lsass.exe:780
Explorer.EXE:884
svchost.exe:952
svchost.exe:1056
svchost.exe:1144
svchost.exe:1244
svchost.exe:1364
spoolsv.exe:1468
jqs.exe:1620

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1336 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\modern-header.bmp (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\ns4.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UnRAR.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp (6357 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.rar (1552 bytes)

The DeepScan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\ns4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UnRAR.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.rar (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\01.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\02.exe (0 bytes)

The process UnRAR.exe:896 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\02.exe (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\01.exe (2064 bytes)

The process 01.exe:1952 makes changes in the file system.
The DeepScan creates and/or writes to the following file(s):

%System%\kdgxy.exe (63 bytes)

Registry activity

The process %original file name%.exe:1336 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 67 8C 76 D3 A1 7F 4E D0 20 79 FB 4E E2 0C E3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process 02.exe:312 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DhcpNameServer" = "85.255.116.78 85.255.112.227"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E1070104-F404-44CE-B556-0622F9D63EE5}]
"NameServer" = "85.255.116.78,85.255.112.227"
"DhcpNameServer" = "85.255.116.78,85.255.112.227"

[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BF770B77-F559-4142-BC28-45811EFECA81}]
"NameServer" = "85.255.116.78,85.255.112.227"
"DhcpNameServer" = "85.255.116.78,85.255.112.227"

[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer" = "85.255.116.78 85.255.112.227"

The process 01.exe:1952 makes changes in the system registry.
The DeepScan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F F6 BF 8F 48 08 D4 EE 28 6E 77 E1 E3 2D 3C F1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System" = "kdgxy.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

Dropped PE files

MD5 File path
03a1a9be1f1e72f926ec9161825eedd6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp3.tmp\nsExec.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The DeepScan installs the following user-mode hooks in ntdll.dll:

ZwSetValueKey
NtQueryDirectoryFile
ZwDeleteValueKey
NtCreateThread

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23100 23552 4.43358 6f78fc1de8f5f67eabee63c82d06fe57
.rdata 28672 4338 4608 3.50085 8e200768cddae49a4df8d340f3025521
.data 36864 112660 1024 3.55915 709e767046a1d70f97c766d422853f45
.ndata 151552 36864 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 188416 16888 16896 4.07739 6df8fb32068a79617c01c24b97d89205

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 19
3ffb3336d9384d41f0bac4c2b8d82e3f
2075a2654dd5b81d14a2a4eeed09a2d2
aa70890f8e5014db307ca3f08acb9797
11d8462b2b9525de37655407917e8a0c
cd541dbf34f9c0c0291ed04e69ca52a2
f58210eb23b46b33f2b3a7e58d191eeb
6d7962ba73746e39c007c97a4c1b4220
702590e673c626d5d43bd3651a8228eb
12a0b976982e5eff5d5c60493887676f
1b83f559e47d3f367300f6630e87741e
0b3565b87640fa94b1c98f4023d645a4
b8f08b83773467cec410800ab024d10f
ed5efac45ea5977cb23871b5e5c7ad84
23ead42a8992207ac7942b32ff639ccb
87addd642f325e0bdc04ee1b85defd52
657f1c97025339c3bf80da2209308123
bb030a70df5cbbd7da0a5cd1676821c3
c4bb89c7082f18edb3c894754fe9ccf8
7ba53e066ca765e0b9e4e6855e7baae6

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The DeepScan connects to the servers at the following location(s):

%original file name%.exe_1336:

.text
`.rdata
@.data
.ndata
.rsrc
t%SPV
tDSSh
shlwapi.dll
.DEFAULT\Control Panel\International
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
%s %s
... %d%%
verifying installer: %d%%
unpacking data: %d%%
Au_.exe
~nsu.tmp\
RichEd20.dll
%u.%u%s%s
\wininit.ini
%s=%s
%Program Files%
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
ME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp3.tmp\modern-header.bmp
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp3.tmp\nsExec.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp3.tmp
adm\LOCALS~1\Temp\nsp3.tmp\modern-header.bmp
StartMenu.dll
%7XXZUVZVWZZX%
&&,%/*--30,&
>(*?0%%/
%,,,,%3-
777%7%%%%
.JHZI
.8FtP
O%CW3
C.Qo5%
.Ol1[G
%UY7b
u|%Sl
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\02.exe
02.exe
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp3.tmp
c:\%original file name%.exe
%Program Files%\PrivateVideo
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
-1861614643
)-.Yln
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.18</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>

%original file name%.exe_1336_rwx_003F0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

%original file name%.exe_1336_rwx_012F0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

%original file name%.exe_1336_rwx_01320000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

%original file name%.exe_1336_rwx_01350000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

%original file name%.exe_1336_rwx_01370000_00001000:

kdgxy.exe

%original file name%.exe_1336_rwx_01390000_00001000:

kdgxy.exe

%original file name%.exe_1336_rwx_013B0000_00001000:

explorer.exe

%original file name%.exe_1336_rwx_013D0000_00001000:

winlogon.exe

%original file name%.exe_1336_rwx_01400000_00001000:

runonce.exe

%original file name%.exe_1336_rwx_01420000_00001000:

services.exe

csrss.exe_692_rwx_027F0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

csrss.exe_692_rwx_02AB0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

csrss.exe_692_rwx_02AE0000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

winlogon.exe_724_rwx_00DB0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

winlogon.exe_724_rwx_00DC0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

winlogon.exe_724_rwx_00F40000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

winlogon.exe_724_rwx_012E0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

winlogon.exe_724_rwx_01300000_00001000:

kdgxy.exe

winlogon.exe_724_rwx_01580000_00001000:

kdgxy.exe

winlogon.exe_724_rwx_015A0000_00001000:

explorer.exe

winlogon.exe_724_rwx_015C0000_00001000:

winlogon.exe

winlogon.exe_724_rwx_015E0000_00001000:

runonce.exe

winlogon.exe_724_rwx_01600000_00001000:

services.exe

winlogon.exe_724_rwx_016A0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

winlogon.exe_724_rwx_016B0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

winlogon.exe_724_rwx_016D0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

winlogon.exe_724_rwx_016E0000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

winlogon.exe_724_rwx_01710000_00001000:

kdgxy.exe

winlogon.exe_724_rwx_01A00000_00001000:

kdgxy.exe

winlogon.exe_724_rwx_01A20000_00001000:

explorer.exe

winlogon.exe_724_rwx_01A40000_00001000:

winlogon.exe

winlogon.exe_724_rwx_01A60000_00001000:

runonce.exe

winlogon.exe_724_rwx_01A80000_00001000:

services.exe

services.exe_768_rwx_00B40000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

services.exe_768_rwx_00B50000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

services.exe_768_rwx_00B80000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

services.exe_768_rwx_00BD0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

services.exe_768_rwx_00DF0000_00001000:

kdgxy.exe

services.exe_768_rwx_00E10000_00001000:

kdgxy.exe

services.exe_768_rwx_00E30000_00001000:

explorer.exe

services.exe_768_rwx_00E50000_00001000:

winlogon.exe

services.exe_768_rwx_00E70000_00001000:

runonce.exe

services.exe_768_rwx_00E90000_00001000:

services.exe

services.exe_768_rwx_00EF0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

services.exe_768_rwx_00F00000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

services.exe_768_rwx_00F20000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

services.exe_768_rwx_00F30000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

services.exe_768_rwx_00F60000_00001000:

kdgxy.exe

services.exe_768_rwx_00F80000_00001000:

kdgxy.exe

services.exe_768_rwx_00FA0000_00001000:

explorer.exe

services.exe_768_rwx_00FC0000_00001000:

winlogon.exe

services.exe_768_rwx_00FE0000_00001000:

runonce.exe

services.exe_768_rwx_01020000_00001000:

services.exe

lsass.exe_780_rwx_00C70000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

lsass.exe_780_rwx_00D40000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

lsass.exe_780_rwx_00E40000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

lsass.exe_780_rwx_00E70000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

lsass.exe_780_rwx_00E90000_00001000:

kdgxy.exe

lsass.exe_780_rwx_00EB0000_00001000:

kdgxy.exe

lsass.exe_780_rwx_00ED0000_00001000:

explorer.exe

lsass.exe_780_rwx_00EF0000_00001000:

winlogon.exe

lsass.exe_780_rwx_00F10000_00001000:

runonce.exe

lsass.exe_780_rwx_00F30000_00001000:

services.exe

lsass.exe_780_rwx_00FD0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

lsass.exe_780_rwx_00FE0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

lsass.exe_780_rwx_01010000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

lsass.exe_780_rwx_01030000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

lsass.exe_780_rwx_01050000_00001000:

kdgxy.exe

lsass.exe_780_rwx_01070000_00001000:

kdgxy.exe

lsass.exe_780_rwx_01090000_00001000:

explorer.exe

lsass.exe_780_rwx_010B0000_00001000:

winlogon.exe

lsass.exe_780_rwx_010D0000_00001000:

runonce.exe

lsass.exe_780_rwx_010F0000_00001000:

services.exe

Explorer.EXE_884_rwx_01CA0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

Explorer.EXE_884_rwx_01CB0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

Explorer.EXE_884_rwx_01F40000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

Explorer.EXE_884_rwx_01F60000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

Explorer.EXE_884_rwx_01F80000_00001000:

kdgxy.exe

Explorer.EXE_884_rwx_01FA0000_00001000:

kdgxy.exe

Explorer.EXE_884_rwx_01FC0000_00001000:

explorer.exe

Explorer.EXE_884_rwx_01FE0000_00001000:

winlogon.exe

Explorer.EXE_884_rwx_02000000_00001000:

runonce.exe

Explorer.EXE_884_rwx_02020000_00001000:

services.exe

svchost.exe_952_rwx_00D40000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_952_rwx_00D50000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_952_rwx_00E30000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

svchost.exe_952_rwx_00E60000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_952_rwx_00E80000_00001000:

kdgxy.exe

svchost.exe_952_rwx_00EA0000_00001000:

kdgxy.exe

svchost.exe_952_rwx_00EC0000_00001000:

explorer.exe

svchost.exe_952_rwx_00EE0000_00001000:

winlogon.exe

svchost.exe_952_rwx_00F00000_00001000:

runonce.exe

svchost.exe_952_rwx_00F20000_00001000:

services.exe

svchost.exe_952_rwx_00F80000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_952_rwx_00F90000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_952_rwx_00FB0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_952_rwx_00FC0000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

svchost.exe_952_rwx_00FF0000_00001000:

kdgxy.exe

svchost.exe_952_rwx_02420000_00001000:

kdgxy.exe

svchost.exe_952_rwx_02440000_00001000:

explorer.exe

svchost.exe_952_rwx_02460000_00001000:

winlogon.exe

svchost.exe_952_rwx_02480000_00001000:

runonce.exe

svchost.exe_952_rwx_024A0000_00001000:

services.exe

svchost.exe_1056_rwx_00A00000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1056_rwx_00A10000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1056_rwx_00B60000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

svchost.exe_1056_rwx_00B90000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1056_rwx_00BB0000_00001000:

kdgxy.exe

svchost.exe_1056_rwx_00BD0000_00001000:

kdgxy.exe

svchost.exe_1056_rwx_00BF0000_00001000:

explorer.exe

svchost.exe_1056_rwx_00C10000_00001000:

winlogon.exe

svchost.exe_1056_rwx_00C30000_00001000:

runonce.exe

svchost.exe_1056_rwx_00C50000_00001000:

services.exe

svchost.exe_1056_rwx_00CB0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1056_rwx_00CC0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1056_rwx_00CE0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1056_rwx_00CF0000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

svchost.exe_1056_rwx_00D20000_00001000:

kdgxy.exe

svchost.exe_1056_rwx_00D40000_00001000:

kdgxy.exe

svchost.exe_1056_rwx_00D60000_00001000:

explorer.exe

svchost.exe_1056_rwx_00D80000_00001000:

winlogon.exe

svchost.exe_1056_rwx_00DA0000_00001000:

runonce.exe

svchost.exe_1056_rwx_00DC0000_00001000:

services.exe

svchost.exe_1144_rwx_01BB0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1144_rwx_01BC0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1144_rwx_02320000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

svchost.exe_1144_rwx_02600000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1144_rwx_02620000_00001000:

kdgxy.exe

svchost.exe_1144_rwx_02680000_00001000:

kdgxy.exe

svchost.exe_1144_rwx_02730000_00001000:

explorer.exe

svchost.exe_1144_rwx_02750000_00001000:

winlogon.exe

svchost.exe_1144_rwx_02770000_00001000:

runonce.exe

svchost.exe_1144_rwx_02850000_00001000:

services.exe

svchost.exe_1144_rwx_028F0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1144_rwx_02900000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1144_rwx_02B60000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1144_rwx_02B70000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

svchost.exe_1144_rwx_02BA0000_00001000:

kdgxy.exe

svchost.exe_1144_rwx_02BC0000_00001000:

kdgxy.exe

svchost.exe_1144_rwx_02BE0000_00001000:

explorer.exe

svchost.exe_1144_rwx_02C00000_00001000:

winlogon.exe

svchost.exe_1144_rwx_02C20000_00001000:

runonce.exe

svchost.exe_1144_rwx_02C40000_00001000:

services.exe

svchost.exe_1244_rwx_008B0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1244_rwx_008C0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1244_rwx_008F0000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

svchost.exe_1244_rwx_00920000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1244_rwx_00940000_00001000:

kdgxy.exe

svchost.exe_1244_rwx_00960000_00001000:

kdgxy.exe

svchost.exe_1244_rwx_00980000_00001000:

explorer.exe

svchost.exe_1244_rwx_009A0000_00001000:

winlogon.exe

svchost.exe_1244_rwx_009D0000_00001000:

runonce.exe

svchost.exe_1244_rwx_009F0000_00001000:

services.exe

svchost.exe_1244_rwx_00A50000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1244_rwx_00A60000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1244_rwx_00A80000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1244_rwx_00A90000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

svchost.exe_1244_rwx_00AC0000_00001000:

kdgxy.exe

svchost.exe_1244_rwx_00AE0000_00001000:

kdgxy.exe

svchost.exe_1244_rwx_00B00000_00001000:

explorer.exe

svchost.exe_1244_rwx_00B20000_00001000:

winlogon.exe

svchost.exe_1244_rwx_00B40000_00001000:

runonce.exe

svchost.exe_1244_rwx_00B60000_00001000:

services.exe

svchost.exe_1364_rwx_00C80000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1364_rwx_00C90000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1364_rwx_00CC0000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

svchost.exe_1364_rwx_00CF0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1364_rwx_00D10000_00001000:

kdgxy.exe

svchost.exe_1364_rwx_00D30000_00001000:

kdgxy.exe

svchost.exe_1364_rwx_00D50000_00001000:

explorer.exe

svchost.exe_1364_rwx_00D70000_00001000:

winlogon.exe

svchost.exe_1364_rwx_00D90000_00001000:

runonce.exe

svchost.exe_1364_rwx_00DB0000_00001000:

services.exe

svchost.exe_1364_rwx_00E10000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1364_rwx_00E20000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1364_rwx_00E40000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

svchost.exe_1364_rwx_00E50000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

svchost.exe_1364_rwx_00E80000_00001000:

kdgxy.exe

svchost.exe_1364_rwx_00EA0000_00001000:

kdgxy.exe

svchost.exe_1364_rwx_00EC0000_00001000:

explorer.exe

svchost.exe_1364_rwx_00EE0000_00001000:

winlogon.exe

svchost.exe_1364_rwx_00F00000_00001000:

runonce.exe

svchost.exe_1364_rwx_00F20000_00001000:

services.exe

spoolsv.exe_1468_rwx_00EC0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

spoolsv.exe_1468_rwx_00ED0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

spoolsv.exe_1468_rwx_00F00000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

spoolsv.exe_1468_rwx_00F50000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

spoolsv.exe_1468_rwx_00F70000_00001000:

kdgxy.exe

spoolsv.exe_1468_rwx_01330000_00001000:

kdgxy.exe

spoolsv.exe_1468_rwx_01350000_00001000:

explorer.exe

spoolsv.exe_1468_rwx_01370000_00001000:

winlogon.exe

spoolsv.exe_1468_rwx_01390000_00001000:

runonce.exe

spoolsv.exe_1468_rwx_013B0000_00001000:

services.exe

spoolsv.exe_1468_rwx_01410000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

spoolsv.exe_1468_rwx_01420000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

spoolsv.exe_1468_rwx_01440000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

spoolsv.exe_1468_rwx_01450000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

spoolsv.exe_1468_rwx_01480000_00001000:

kdgxy.exe

spoolsv.exe_1468_rwx_014A0000_00001000:

kdgxy.exe

spoolsv.exe_1468_rwx_014C0000_00001000:

explorer.exe

spoolsv.exe_1468_rwx_014E0000_00001000:

winlogon.exe

spoolsv.exe_1468_rwx_01500000_00001000:

runonce.exe

spoolsv.exe_1468_rwx_01520000_00001000:

services.exe

jqs.exe_1620_rwx_01100000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

jqs.exe_1620_rwx_01110000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

jqs.exe_1620_rwx_01140000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

jqs.exe_1620_rwx_01170000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

jqs.exe_1620_rwx_01190000_00001000:

kdgxy.exe

jqs.exe_1620_rwx_011B0000_00001000:

kdgxy.exe

jqs.exe_1620_rwx_011D0000_00001000:

explorer.exe

jqs.exe_1620_rwx_011F0000_00001000:

winlogon.exe

jqs.exe_1620_rwx_01220000_00001000:

runonce.exe

jqs.exe_1620_rwx_01240000_00001000:

services.exe

jqs.exe_1620_rwx_012A0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

jqs.exe_1620_rwx_012B0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

jqs.exe_1620_rwx_012D0000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

jqs.exe_1620_rwx_012E0000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

jqs.exe_1620_rwx_01310000_00001000:

kdgxy.exe

jqs.exe_1620_rwx_01330000_00001000:

kdgxy.exe

jqs.exe_1620_rwx_01350000_00001000:

explorer.exe

jqs.exe_1620_rwx_01370000_00001000:

winlogon.exe

jqs.exe_1620_rwx_01390000_00001000:

runonce.exe

jqs.exe_1620_rwx_013B0000_00001000:

services.exe

imapi.exe_1992_rwx_00A80000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

imapi.exe_1992_rwx_00A90000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

imapi.exe_1992_rwx_00AC0000_00013000:

.text
.reloc
.RPCrypt
services.exe
runonce.exe
ntdll.dll
HttpSendRequestW
HttpSendRequestA
wininet.dll
wsock32.dll
urlmon.dll
NtDeleteValueKey
NtSetValueKey
Referer: %s
kernel32.dll
RegEnumKeyA
RegEnumKeyExA
advapi32.dll
iexplore.exe
/web?
/web/results?
/results.aspx?
results.asp
settings.aspx
ask.com
altavista.com
search.live.
search.msn.
shopping.yahoo.
search.yahoo.
VVV.google.
.live.
.msn.
.yahoo.
loginnet.passport
/ocget.dll
hXXp://85.255.119.186/frame.php
clsid\%s
%s\%s.dll
%s;%s;%s;
hXXp://%s%s&id=%d&qnaes=%s
%s&qnaes=%s
ask2.pricegrabber.com
askcareers.com
searchmarketing.yahoo
answers.yahoo
microsoft.com
videosboard.com
bbs.gofuckyourself.net
greenguyandjim.com
bigboynetwork.com
pornstarkings.com
crutop.nu
master-x.com
gfy.com
gofuckyourself.com
gallerytrafficservice.co
bbs.mediumpimpin.co
bbs.adultwebmasterinfo.co
gaywebmasterchat.co
extremebullshit.com
peppersboard.com
gaymarketforum.com
askdamagex.com
forum.krawl.com
krawl.biz
videoscash.com
tgpalliance.com
jmbsoft.com
germesia.com
webmastersarea.com
thinkreel.com
netpond.com
pornresource.com
ozyfrog.com
boards.xbiz.com
foogie.com
adultchamber.com
ynotmasters.com
ynotbob.com
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion
csrss.exe
winlogon.exe
explorer.exe
Content-Type: %s
%x %x
69.50.170.100
hXXp://%s/
NtQueryValueKey
NtEnumerateValueKey
psapi.dll
%s%s%c
%s\%s
%s\%s%c%c%c.%s
F%D,3
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
HttpQueryInfoA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
RPCRT4.dll
kedr_ver0.02.exe

imapi.exe_1992_rwx_00B00000_00001000:

%System%\kdgxy.exe
01.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\01.exe
csrss.exe
%x %x

imapi.exe_1992_rwx_00B20000_00001000:

kdgxy.exe

imapi.exe_1992_rwx_00B80000_00001000:

kdgxy.exe

imapi.exe_1992_rwx_00BA0000_00001000:

explorer.exe

imapi.exe_1992_rwx_00D40000_00001000:

winlogon.exe

imapi.exe_1992_rwx_00D60000_00001000:

runonce.exe

imapi.exe_1992_rwx_00D80000_00001000:

services.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    02.exe:312
    UnRAR.exe:896
    01.exe:1952

  3. Delete the original DeepScan file.
  4. Delete or disinfect the following files created/modified by the DeepScan:

    %Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\nsExec.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\modern-header.bmp (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp\ns4.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UnRAR.exe (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp (6357 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1.rar (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\02.exe (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\01.exe (2064 bytes)
    %System%\kdgxy.exe (63 bytes)

  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
