Gen.Variant.Graftor.150077_35e0958877

by malwarelabrobot on August 9th, 2014 in Malware Descriptions.

Trojan.Win32.Inject.ojdk (Kaspersky), Gen:Variant.Graftor.150077 (AdAware), Backdoor.Win32.Farfli.FD, Worm.Win32.Dorkbot.FD, Sinowal.YR, WormDorkbot.YR, GenericUDPFlooder.YR, GenericIRCBot.YR, GenericMSNWorm.YR, GenericUSBInfector.YR, GenericDNSBlocker.YR, GenericDownloader.YR, GenericAutorunWorm.YR, GenericSYNFlooder.YR, GenericInjector.YR, BankerGeneric.YR, GenericProxy.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Backdoor, Flooder, Worm, WormAutorun, IRCBot, MSNWorm, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 35e09588776ec47dd0c17509c0f53eab
SHA1: 1aba8a3b9f5b3e20ff1284dc3a1bb47927fbff2c
SHA256: 6136b88af6d55bf06c87183480d9133a7c0a6840f6d963558992bf31112f776e
SSDeep: 3072:sgk0gjpvrTFdHLWFuCzxEyuUXs1e5VtPEq/ eR9nSC4LEULHaSxhKZeElFCDqLvB:sge99dHxCxp3Ke eRIEULH9oeElFLd1x
Size: 253440 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Softonic
Created at: 2014-08-02 21:34:44
Analyzed on: WindowsXP SP3 32-bit


Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
IRCBot A bot can communicate with command and control servers via IRC channel.
MSNWorm A worm can spread its copies through the MSN Messanger.
DNSBlocker A program can block designated DNS servers for making it difficult for users to locate specific domains or web sites on the Internet.
UDPFlooder This program can make a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host.
SYNFlooder This program can make a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
Trojan-Proxy This program can launch a proxy server (SOCKS4) on a designated TCP port.
USBInfector A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:600
%original file name%.exe:184
xnpgzuxbpiy.exe:976
rkrhpesxtbm.exe:1504

The Trojan injects its code into the following process(es):

xnpgzuxbpiy.exe:1852
svchost.exe:2240
calc.exe:2252
notepad.exe:2288
wmiprvse.exe:368
Explorer.EXE:692
winlogon.exe:724
services.exe:768
svchost.exe:936
svchost.exe:1016
svchost.exe:1104
svchost.exe:1156
svchost.exe:1228
spoolsv.exe:1436
mscorsvw.exe:1920
jqs.exe:1968

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:184 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)

The Trojan deletes the following file(s):

%Program Files%\Common Files\CreativeAudio\desktop.ini (0 bytes)

The process rkrhpesxtbm.exe:1504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-31567854\Desktop.ini (63 bytes)
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-31567854\k61523a1.exe (65 bytes)

Registry activity

The process %original file name%.exe:600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 BE FE 17 FD 11 58 B0 21 E1 9F F5 0D 96 54 8B"

The process %original file name%.exe:184 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A D5 CA 81 B8 1D 8F 5A 0F 4E 99 02 4B 2B 6B 4E"

[HKCU\Software\Win7zip]
"uuid" = "E2 65 5E 69 95 E0 6F 46 BF 09 F9 AB AC 16 55 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Classes\CLSID\{E2655E69-95E0-6F46-BF09-F9ABAC165551}\0E7302EC\CG1]
"HAL" = "05 EE 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nkkxqllff.exe]
"DisableExceptionChainValidation" = ""

[HKCU\Software\Classes\CLSID\{E2655E69-95E0-6F46-BF09-F9ABAC165551}\0E7302EC\CG1]
"BID" = "20 00 08 00 08 00 08 00 DE 07 00 00 14 00 88 FF"

The process xnpgzuxbpiy.exe:1852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 9A FC 89 69 F4 FB 93 40 44 B1 5C D3 C5 DC 05"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"WireLMode" = "49 91 B0 2F 26 B5 82 08 02 2F 83 91 4C 9D 76 05"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftStCnt" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\xnpgzuxbpiy.exe"

The process rkrhpesxtbm.exe:1504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Taskman" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-31567854\k61523a1.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-31567854\k61523a1.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kk41566a" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-31567854\k61523a1.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.
A worm can spread its copies through the MSN Messanger.

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Spanish (Spain, International Sort)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 66423 66560 4.61851 4ad26119e15befd280884d941b36668b
.rdata 73728 15352 15360 3.86014 63339ed4fa30fe550515c1bc6ee7a2fc
.data 90112 170668 11776 4.34375 63017765659040ce1a4c072a7aafdebf
.rsrc 262144 158484 158720 5.52778 385f902bba931266780aa4a3f5f9cf39

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

xnpgzuxbpiy.exe_1852:

.text
`.rdata
@.data
;.tej
()<>@,;:\"[]
mail.hfwjwww10proxiesss.com
%c%c==
%c%c%c=
%c%c%c%c
%d.%d.%d.%d
,.!?-;()[]<>
%s %s%0.2d00
%s  0000
%s%0.2d00
(qmail %u by uid %u)
%sd%s.%u.qmail@%s
----=_NextPart_d_X_.8lX..8lX
x.8lx$.8lx$x@%s
0.0.0.0
%s %s
MAIL FROM: <%s>
RCPT TO: <%s>
to.hex
from.domain
msgid_host
date.imp
date.custom.utc
date.custom_gmt
date.custom
date.utc
qmail_msgid
ol_msgid
hotmail.com; yahoo.com; aol.com; gmail.com; mail.com
v=%s&i=%s&d=%d&m=%d&w=%d
&t=%d
&e=%d
%d:%d;
%d:%d:%s;
hXXp://%s:%d/%s.asp
%s=%s
hotmail.com
yahoo.com
SOFTWARE\Microsoft\Windows\CurrentVersion\
kernel32.dll
Software\Microsoft\Windows\CurrentVersion\Run
{CBCDE2F2-CB31-FF5A-6FA1-731547ACF810}
WS2_32.dll
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
WININET.dll
KERNEL32.dll
RegOpenKeyExA
RegOpenKeyA
RegCloseKey
ADVAPI32.dll
MSVCRT.dll
_acmdln
DNSAPI.dll
uB.gT

xnpgzuxbpiy.exe_1852_rwx_00400000_0000B000:

.text
`.rdata
@.data
;.tej
()<>@,;:\"[]
mail.hfwjwww10proxiesss.com
%c%c==
%c%c%c=
%c%c%c%c
%d.%d.%d.%d
,.!?-;()[]<>
%s %s%0.2d00
%s  0000
%s%0.2d00
(qmail %u by uid %u)
%sd%s.%u.qmail@%s
----=_NextPart_d_X_.8lX..8lX
x.8lx$.8lx$x@%s
0.0.0.0
%s %s
MAIL FROM: <%s>
RCPT TO: <%s>
to.hex
from.domain
msgid_host
date.imp
date.custom.utc
date.custom_gmt
date.custom
date.utc
qmail_msgid
ol_msgid
hotmail.com; yahoo.com; aol.com; gmail.com; mail.com
v=%s&i=%s&d=%d&m=%d&w=%d
&t=%d
&e=%d
%d:%d;
%d:%d:%s;
hXXp://%s:%d/%s.asp
%s=%s
hotmail.com
yahoo.com
SOFTWARE\Microsoft\Windows\CurrentVersion\
kernel32.dll
Software\Microsoft\Windows\CurrentVersion\Run
{CBCDE2F2-CB31-FF5A-6FA1-731547ACF810}
WS2_32.dll
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
WININET.dll
KERNEL32.dll
RegOpenKeyExA
RegOpenKeyA
RegCloseKey
ADVAPI32.dll
MSVCRT.dll
_acmdln
DNSAPI.dll
uB.gT

xnpgzuxbpiy.exe_1852_rwx_01970000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\xnpgzuxbpiy.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\xnpgzuxbpiy.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\gjvebphgblg.exe

svchost.exe_2240:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512

svchost.exe_2240_rwx_00090000_00029000:

.text
`.data
.rsrc
@.reloc
*windows defender*
*windowsupdate*
*drweb*
dwwin.exe
kernel32.dll
iphlpapi.dll
GetExtendedTcpTable
GetOwnerModuleFromTcpEntry
%systemroot%
%programfiles%\Common Files\*\*.exe
%appdata%\Identities\*.exe
%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe
ole32.dll
/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe
%SystemRoot%\system32\SHELL32.dll
%s\c731200
%s\%s
%s\%s.lnk
Windows_Shared_Mutex_231_c000100
ntdll.dll
\ScreenSaverPro.scr
\temp.bin
user32.dll
advapi32.dll
shell32.dll
urlmon.dll
wininet.dll
gdi32.dll
rpcrt4.dll
netapi32.dll
*.exe
.gonewiththewings
*.gonewiththewings
WinExec
URLDownloadToFileA
hXXp://VVV.google.com
\calc.exe
\Reader_sl.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
notepad.exe
\notepad.exe
\svchost.exe
WindowsId
Identities\%s
%s\%s\%s.exe
:Zone.Identifier
.quarantined
"%s" -shell
"%s" -bind
userinit.exe
explorer.exe
Windows critical error, require reboot
Windows Update
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyA
RegEnumKeyA
RegCreateKeyExA
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
SetTcpEntry
SHLWAPI.dll
RPCRT4.dll
NETAPI32.dll
DNSAPI.dll
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\WindowsId Manager Reader
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
WindowsMark
m1xg.org
mxxtxxt.biz
meob.me
%System%\notepad.exe
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0A
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
%s_%d
-%sMutex
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
URLDownloadToFileW
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
Secur32.dll
ShellExecuteA
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
WS2_32.dll
MSVCRT.dll
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
RegNotifyChangeKeyValue
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
7 767<7~7
8*808;8~8
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
shlwapi.dll
crypt32.dll
wtsapi32.dll
samcli.dll
netutils.dll
userenv.dll
WindowsSecondaryDesktop
\charmap.exe
\Windows Media Player\wmprph.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\gjvebphgblg.exe
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
Aadvapi32.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

svchost.exe_2240_rwx_000D0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%System%\svchost.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\gjvebphgblg.exe

svchost.exe_2240_rwx_009A0000_00029000:

.text
`.data
.rsrc
@.reloc
*windows defender*
*windowsupdate*
*drweb*
dwwin.exe
kernel32.dll
iphlpapi.dll
GetExtendedTcpTable
GetOwnerModuleFromTcpEntry
%systemroot%
%programfiles%\Common Files\*\*.exe
%appdata%\Identities\*.exe
%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe
ole32.dll
/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe
%SystemRoot%\system32\SHELL32.dll
%s\c731200
%s\%s
%s\%s.lnk
Windows_Shared_Mutex_231_c000100
ntdll.dll
\ScreenSaverPro.scr
\temp.bin
user32.dll
advapi32.dll
shell32.dll
urlmon.dll
wininet.dll
gdi32.dll
rpcrt4.dll
netapi32.dll
*.exe
.gonewiththewings
*.gonewiththewings
WinExec
URLDownloadToFileA
hXXp://VVV.google.com
\calc.exe
\Reader_sl.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
notepad.exe
\notepad.exe
\svchost.exe
WindowsId
Identities\%s
%s\%s\%s.exe
:Zone.Identifier
.quarantined
"%s" -shell
"%s" -bind
userinit.exe
explorer.exe
Windows critical error, require reboot
Windows Update
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyA
RegEnumKeyA
RegCreateKeyExA
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
SetTcpEntry
SHLWAPI.dll
RPCRT4.dll
NETAPI32.dll
DNSAPI.dll
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\WindowsId Manager Reader
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
WindowsMark
m1xg.org
mxxtxxt.biz
meob.me
%System%\notepad.exe
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0A
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
%s_%d
-%sMutex
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
URLDownloadToFileW
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
Secur32.dll
ShellExecuteA
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
WS2_32.dll
MSVCRT.dll
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
RegNotifyChangeKeyValue
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
7 767<7~7
8*808;8~8
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
shlwapi.dll
crypt32.dll
wtsapi32.dll
samcli.dll
netutils.dll
userenv.dll
WindowsSecondaryDesktop
\charmap.exe
\Windows Media Player\wmprph.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\gjvebphgblg.exe
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
Aadvapi32.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

calc.exe_2252:

.text
`.data
.rsrc
SHELL32.dll
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
GDI32.dll
USER32.dll
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
calc.pdb
j.OXO
_acmdln
RegCloseKey
RegOpenKeyExA
name="Microsoft.Windows.Shell.calc"
version="5.1.0.0"
<description>Windows Shell</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
CalcMsgPumpWnd
The requested operation may take a very long time to complete.
Do you want to let the calculation continue, or stop the operation now?
Windows Calculator application file
5.1.2600.0 (xpclient.010817-1148)
CALC.EXE
Windows
Operating System
5.1.2600.0
Operation was canceled.-Calc does not have enough memory to continue.eThe requested function may take a very long time to complete.
Do you want to abort the operation now?
calc.hlp
Cannot open Clipboard.TThere is not enough memory for data.
calc.chm

notepad.exe_2288:

.text
`.data
.rsrc
comdlg32.dll
SHELL32.dll
WINSPOOL.DRV
COMCTL32.dll
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
notepad.chm
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
notepad.pdb
t%SSh
_acmdln
RegCloseKey
RegCreateKeyW
RegOpenKeyExA
SetViewportExtEx
GetKeyboardLayout
name="Microsoft.Windows.Shell.notepad"
version="5.1.0.0"
<description>Windows Shell</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
&*$#$$#$*
MMMrMMM`MMMRMMMFMMM:MMM.MMM"MMM
*.txt
/.SETUP
5.1.2600.5512 (xpsp.080413-2105)
NOTEPAD.EXE
Windows
Operating System
5.1.2600.5512
notepad.hlp
Text Documents (*.txt)
You cannot quit Windows because the Save As dialog
dialog box, and then try quitting Windows again.
Common Dialog error (0xx)
Not enough memory available to complete this operation. Quit one or more applications to increase available memory, and then try again.KThe %% file is too large for Notepad.
Not a valid file name.MCannot create the %% file.
Make sure that the path and filename are correct.RCannot carry out the Word Wrap command because there is too much text in the file.
Page %d
Ln %d, Col %d

calc.exe_2252_rwx_000A0000_00002000:

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
hu1ay.exe
oy1p2.exe
xqud5.exe
gflxt.exe
dr1z0.exe
ifit0.exe
a55g3.exe
u44az.exe
pu21x.exe
e2nt2.exe
51zes.exe
7cxg0.exe
hhsvt.exe
yzkhx.exe
216v2.exe
2rc5n.exe
cgpq4.exe
aeuhg.exe
w78nm.exe
user32.dll
urlmon.dll
URLDownloadToFileA
wininet.dll
hXXp://VVV.google.com

calc.exe_2252_rwx_00970000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%System%\calc.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\calc.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\gjvebphgblg.exe

notepad.exe_2288_rwx_000A0000_00029000:

.text
`.data
.rsrc
@.reloc
*windows defender*
*windowsupdate*
*drweb*
dwwin.exe
kernel32.dll
iphlpapi.dll
GetExtendedTcpTable
GetOwnerModuleFromTcpEntry
%systemroot%
%programfiles%\Common Files\*\*.exe
%appdata%\Identities\*.exe
%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe
ole32.dll
/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe
%SystemRoot%\system32\SHELL32.dll
%s\c731200
%s\%s
%s\%s.lnk
Windows_Shared_Mutex_231_c000100
ntdll.dll
\ScreenSaverPro.scr
\temp.bin
user32.dll
advapi32.dll
shell32.dll
urlmon.dll
wininet.dll
gdi32.dll
rpcrt4.dll
netapi32.dll
*.exe
.gonewiththewings
*.gonewiththewings
WinExec
URLDownloadToFileA
hXXp://VVV.google.com
\calc.exe
\Reader_sl.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
notepad.exe
\notepad.exe
\svchost.exe
WindowsId
Identities\%s
%s\%s\%s.exe
:Zone.Identifier
.quarantined
"%s" -shell
"%s" -bind
userinit.exe
explorer.exe
Windows critical error, require reboot
Windows Update
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
a.aiphon1egalaxyblack42.com
a.ajjjqws1fkxx42.com
a.adoyou1understandme42.com
a.amous1epadsafa42.com
a.acaraka1lagroup42.com
a.aire1bobohayawen42.com
a.ajhvdqw1ladies42.com
a.biphon2egalaxyblack42.com
a.bmous2epadsafa42.com
a.bcaraka2lagroup42.com
a.anabok1hasn1aser42.com
a.athemall1gonowhaha42.com
a.bdoyou2understandme42.com
a.bnabok2hasn1aser42.com
a.bjjjqws2fkxx42.com
a.bjhvdqw2ladies42.com
a.bthemall2gonowhaha42.com
a.bire2bobohayawen42.com
a.cdoyou3understandme42.com
a.cmous3epadsafa42.com
a.dmous4epadsafa42.com
a.ciphon3egalaxyblack42.com
a.cnabok3hasn1aser42.com
a.cire3bobohayawen42.com
a.cthemall3gonowhaha42.com
a.cjhvdqw3ladies42.com
a.cjjjqws3fkxx42.com
a.ccaraka3lagroup42.com
a.diphon4egalaxyblack42.com
a.ddoyou4understandme42.com
a.dnabok4hasn1aser42.com
a.dire4bobohayawen42.com
a.djjjqws4fkxx42.com
a.djhvdqw4ladies42.com
a.dthemall4gonowhaha42.com
a.edoyou5understandme42.com
a.dcaraka4lagroup42.com
a.emous5epadsafa42.com
a.ecaraka5lagroup42.com
a.eiphon5egalaxyblack42.com
a.enabok5hasn1aser42.com
a.eire5bobohayawen42.com
a.ejjjqws5fkxx42.com
a.ejhvdqw5ladies42.com
a.ethemall5gonowhaha42.com
a.roooggeyyy2.com
a.roooggeyyy3.com
a.roooggeyyy4.com
a.so1aa00.com
a.saao20000.com
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyA
RegEnumKeyA
RegCreateKeyExA
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
SetTcpEntry
SHLWAPI.dll
RPCRT4.dll
NETAPI32.dll
DNSAPI.dll
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\WindowsId Manager Reader
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
WindowsMark
m1xg.org
mxxtxxt.biz
meob.me
%System%\notepad.exe
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0A
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
%s_%d
-%sMutex
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
URLDownloadToFileW
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
Secur32.dll
ShellExecuteA
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
WS2_32.dll
MSVCRT.dll
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
RegNotifyChangeKeyValue
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
7 767<7~7
8*808;8~8
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
shlwapi.dll
crypt32.dll
wtsapi32.dll
samcli.dll
netutils.dll
userenv.dll
WindowsSecondaryDesktop
\charmap.exe
\Windows Media Player\wmprph.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\gjvebphgblg.exe
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
Aadvapi32.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

notepad.exe_2288_rwx_008B0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%System%\notepad.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\notepad.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\gjvebphgblg.exe

wmiprvse.exe_368_rwx_00DE0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%System%\wbem\wmiprvse.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\gjvebphgblg.exe

Explorer.EXE_692_rwx_00F50000_00001000:

dq.fjwhwproxiesfwhj123.com
ws2_32.dll
advapi32.dll

Explorer.EXE_692_rwx_01540000_00002000:

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-31567854\k61523a1.exe

Explorer.EXE_692_rwx_01E10000_00001000:

dq.fjwhwproxiesfwhj123.com
ws2_32.dll
advapi32.dll

Explorer.EXE_692_rwx_01EA0000_00027000:

.text
`.rdata
@.data
.rsrc
@.reloc
PSSSSSSh
PSSVSSh
RPVSSh
PSSh(
PSSh#
PSSh'
PSSh&
PSSh*
9p.uV

Explorer.EXE_692_rwx_01EC8000_00064000:

Opera/9.00 (Windows NT 5.1; U; en)
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)
Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)
Opera 9.4 (Windows NT 6.1; U; en)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; NeosBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990; InfoPath.2
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)
SbieDll.dll
Software\Classes\CLSID\%s\X
Software\Classes\CLSID\%s\X\%s
0xX
SB:0xX
G:%s_0xX_%c:%s_v1$
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u
IEXPLORE.EXE
IE.HTTP
SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
IE.HTTPS
SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
IE.AssocFile.HTM
HTTP\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s
Psapi.dll
%s\%s
Software\Adobe\Acrobat Reader\%s\Privileged
mscoree.dll
HARDWARE\DESCRIPTION\System\CentralProcessor\%u
SOFTWARE\Microsoft\Windows NT\CurrentVersion
nspr4.dll
nss3.dll
Urlmon.dll
URLDownloadToFileW
Netapi32.dll
76487-640-1457236-23837
76487-337-8429955-22614
76487-644-3177037-23510
76497-640-6308873-23835
55274-640-2673064-23950
76487-640-8834005-23195
76487-640-0716662-23535
76487-644-8648466-23106
00426-293-8170032-85146
76487-341-5883812-22420
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup
{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}
snxhk.dll
comctl32.dll
ZwSetValueKey
ZwDeleteValueKey
SOFTWARE\%s
update.microsoft.com
microsoft.com
windowsupdate.microsoft.com
JOIN
PRIVMSG
.rdata
cmd_option.%s
/c %s
cmd.exe
msvcrt.dll
--x-x-x-xx
Content-Type: multipart/form-data; boundary=x-x-x-xx
Content-Disposition: multipart/form-data; name="newfile"; filename="%d.jpeg"
%s?action=up&g=%s
xul.dll
<Port>
<Pass>
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
?pid=%d
?page=%d
?id=%u
%s=%u&%s=%s
%s=%s&%s=%u
&%s=%s
&%s%u=
&%s%hu=
&%s=_%u
%d|%s|%s|%s
.info
httpget
GET /%s HTTP/1.1
Host: %s
Content-Length: %d
Accept: %s
Accept-Language: %s
Accept-Charset: %s
Accept-Encoding: %s
User-Agent: %s
Referer: %s
Connection: %s
hXXp://
iexplore.exe
firefox.exe
tbb-firefox.exe
%s:%hu
windowsupdate
SSH2_MSG_KEXINIT
SSH2_MSG_DISCONNECT
SSH2_MSG_USERAUTH_SUCCESS
hXXp://%s%s/image.php?id=%s
TaskDialogIndirect
hXXp://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535
ÐxX
ntdll.dll
kernel32.dll
secur32.dll
crypt32.dll
user32.dll
advapi32.dll
wininet.dll
shell32.dll
shlwapi.dll
ole32.dll
version.dll
sfc.dll
dnsapi.dll
ws2_32.dll
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
8"808]9|9
9%9 919<9
=(=/=6==={=
4 4?4^4}4
6o6g6r6w6
9 9$9(90949
.text
`.rdata
@.data
.rsrc
SSh04A
This pointer, %d, is aligned on %d
This pointer, %d, is not aligned on %d
This pointer, %d, is offset by %d on alignment of %d
This pointer, %d, does not satisfy offset %d and alignment %d
Current time is %s
In %d days the time will be %s
Allocated %d bytes of stack at 0x%p
Broken pipe
Inappropriate I/O control operation
Operation not permitted
Invalid parameter passed to C runtime function.
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
USER32.dll
ShellExecuteExA
FindExecutableW
ShellExecuteExW
SHELL32.dll
RegOpenKeyExW
RegOpenKeyW
RegDeleteKeyW
RegEnumKeyExW
RegQueryInfoKeyW
RegCreateKeyW
RegCreateKeyExW
RegCloseKey
ADVAPI32.dll
GDI32.dll
dbghelp.dll
VERSION.dll
WINMM.dll
GetConsoleOutputCP
GetProcessHeap
GetCPInfo
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
%.gtst
p.htst
zcÁ
k%0sQ
'6.gr
P.eD'
n.sQa
Ow%cj
~%f<Wlq
-CY}ehN
b%U,j{
'%f~2
.Ff- 
-^=%B.Rg
4i.Iv
8.Mb[
9 >$0 (]%
R9i.nJ
Software\Classes\CLSID\%S
G:%S_0xX
chrome.exe
opera.exe
safari.exe
maxthon.exe
:Mozilla\Firefox\Profiles
cookies.sqlite
%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*
%s\winsxs\%s\comctl32.dll
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s
%s:*:Enabled
avcuf32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
prstrui.exe
Windows Defender
MpClient.dll
Windows Defender\MSASCui.exe
MpSvc.dll
msseces.exe
MsMpEng.exe
MSASCui.exe
MpAsDesc.dll
MsMpLics.dll
avgui.exe
avgidsagent.exe
avgwdsvc.exe
avgdiagex.exe
avgmfapx.exe
avgupd.exe
avgcfgex.exe
avgnt.exe
avguard.exe
avshadow.exe
avcenter.exe
update.dll
updaterc.dll
usrreq.exe
ccsvchst.exe
symerr.exe
NIS.exe
NAV.exe
navw32.exe
avastui.exe
AvastEmUpdate.exe
ashUpd.exe
WRSA.exe
zatray.exe
ForceField.exe
updating.dll
fshoster32.exe
fsaua.dll
PSUNMain.exe
PSUAService.exe
PSANHost.exe
PSUNScan.dll
epavjobs.exe
AVENGINE.exe
Upgrader.exe
adaware.exe
BullGuard.exe.manifest
BullGuardUpdate.exe
BullGuard.exe
BullGuardScanner.exe
BullGuardBhvScanner.exe
BullGuardUpdate2.exe
BgScan.exe
BgScanEngine.dll
.manifest
updater.exe
Backup\RSD\RSSetup\updater.exe
RsTray.exe
RavMonD.exe
RsMgrSvc.exe
rsmain.exe
RsScan.dll
RsTray.dll
mbamgui.exe
mbam.exe
pctsGui.exe
pctsAuxs.exe
pctsSvc.exe
Update.exe
UpdateHlpr.dll
Definitions\vcore.dll
sbamui.exe
SBAMTray.exe
updater_client_mod.dll
FProtTray.exe
FPWin.exe
scf.dat
ALUpdate.exe
update_tmp.exe
arcaclean.exe
BavUpdater.exe
rcfp.exe
CLPSLA.exe
op_mon.exe
niu.exe
K7TSUpdT.exe
sguardxup.exe
ccupdate.exe
caupdate.dll
a2guard.exe
a2start.exe
a2service.exe
AVKTray.exe
GDSC.exe
AVK.exe
GDFirewallTray.exe
Bka.exe
BLuPro.exe
BkavSystemServer.exe
BkavService.exe
LiveUpdate.dll
LiveConnect.dll
BaseFile\Bkav\LiveUpdate.dll
V3Lite.exe
ASDSvc.exe
autoup.exe
downloader.exe
%s.config
updatesrv.exe
updatemgr.dll
egui.exe
ekrn.exe
x86\ekrn.exe
uWinMgr.exe
coreServiceShell.exe
uiSeAgnt.exe
uiWatchDog.exe
plugins\plugUpdater.dll
UiFrmwrk\uiUpdateTray.exe
coreFrameworkHost.exe
mcagent.exe
McSvHost.exe
McUICnt.exe
McPvTray.exe
mcui_exe
mcpltui_exe
mcshell.exe
mcupdmgr.exe
mcupdate.exe
mcshield.exe
mcupdui.dll
McAPExe.exe
.config
Image File Execution Options\%s
SYSTEM\CurrentControlSet\services\%s
%c:\ntusbdriver.sys
%c:\*p.exe
%c:\%s
p.exe
%WinDir%\explorer.exe
/C start /d. %s&"%s"
%COMSPEC%
%WinDir%\system32\shell32.dll
%c:\%s.lnk
VisthAux.exe
explorer.exe
t.minecraft
Works! PID: %d, Name: %s
cmdvirth
%s%s\X
tcp://
svchost.exe
csrss.exe
lsass.exe
smss.exe
wscript.exe
cscript.exe
vbc.exe
rundll32.exe
regsvr32.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
winlogon.exe
services.exe
%s\x.lnk
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s
desktop.ini
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
wintrust.dll
chrome.dll
Applications\iexplore.exe\shell\open\command
%s_xx
x.zip
Navw32.exe
SysInspector.exe
avscan.exe
mfefire.exe
wuauclt.exe
WerFault.exe
lFileZilla\sitemanager.xml
port
Sites.dat
Quick.dat
%s\3\%s
%s\4\%s
spoolsv.exe
steam.exe
skype.exe
origin.exe
dwm.exe
tapi3.dll
/C copy "%s" "%s"
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Windows Update Service
"%s" /%s
Software\Microsoft\Windows\CurrentVersion\RunOnce
/CREATE /SC ONLOGON /TN "Windows Update Check - 0xX" /TR "%s" /RL HIGHEST
schtasks.exe
/DELETE /TN "Windows Update Check - 0xX" /F
\Windows\Explorer.exe
Low_X
%s.manifest
PendingFileRenameOperations
%s\X
Windows\CurrentVersion\Run
CurrentVersion\Windows
Windows NT\CurrentVersion\Image File Execution Options\%s
Windows has encountered a corrupted folder on your hard drive
Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of data, please allow Windows to restore these files.
Corrupted folder: %s
Corrupted file count: %d
<a href=".ms">%s</a>
/c start "" "%s" /%s "%s"
shell32,ShellExec_RunDLL "%s" /%s "%s"
You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.
Windows 3.1 Update Service
%s:Zone.Identifier
%s\X.pif
KERNEL32.DLL
KERNELBASE.DLL
kernelbase.dll
Invalid file name - %s
Wed(Monitor support function not initialized
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
Invalid pointer operation
5.69.97.0
Upward.exe
Copyright (C) Oldest passage

Explorer.EXE_692_rwx_020B0000_00002000:

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-34881854\k64323a1.exe

Explorer.EXE_692_rwx_021E0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%WinDir%\Explorer.EXE
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\explorer.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\gjvebphgblg.exe

winlogon.exe_724_rwx_01580000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0Y
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
\??\%System%\winlogon.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\gjvebphgblg.exe

services.exe_768_rwx_00B00000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%System%\services.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\services.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\gjvebphgblg.exe

svchost.exe_936_rwx_00ED0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%System%\svchost.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\gjvebphgblg.exe

svchost.exe_1016_rwx_00B50000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%System%\svchost.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\gjvebphgblg.exe

svchost.exe_1104_rwx_02630000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0d
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%WinDir%\System32\svchost.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\gjvebphgblg.exe

svchost.exe_1156_rwx_008B0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%System%\svchost.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\gjvebphgblg.exe

svchost.exe_1228_rwx_00C30000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%System%\svchost.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\gjvebphgblg.exe

spoolsv.exe_1436_rwx_00E10000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%System%\spoolsv.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\gjvebphgblg.exe

mscorsvw.exe_1920_rwx_008E0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%WinDir%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\gjvebphgblg.exe

jqs.exe_1968_rwx_010C0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%Program Files%\Java\jre6\bin\jqs.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\Program Files\Java\jre6\bin\jqs.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\gjvebphgblg.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:600
    %original file name%.exe:184
    xnpgzuxbpiy.exe:976
    rkrhpesxtbm.exe:1504

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
    C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-31567854\Desktop.ini (63 bytes)
    C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-31567854\k61523a1.exe (65 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "MicrosoftStCnt" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\xnpgzuxbpiy.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "kk41566a" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-31567854\k61523a1.exe"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-31567854\k61523a1.exe"

  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now