Gen.Variant.Kazy.8502_3b926de6bf
HEUR:Hoax.Win32.ArchSMS.gen (Kaspersky), Gen:Variant.Kazy.8502 (B) (Emsisoft), Gen:Variant.Kazy.8502 (AdAware), Trojan.Win32.EyeStye.FD, SpyEye.YR, TrojanEyeStye.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 3b926de6bf3642dafdfbdcd57daae790
SHA1: 61553eda93e81936aa600ac0bcd0fd797ad00eec
SHA256: 298e36fe4b5a389600c00ba46ef53e0bb5b0cd7fc3fbf00b88df9828f9a2d0b2
SSDeep: 6144:/KkO9Qfu4PYLixPosddGBj8pdKgEVvvys1 mPbhiPFHdqqcE4ggIkuhali:/KRDggaoy5pdYpvpziPFHcNq3
Size: 314880 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: Premium Installer
Created at: 2011-05-03 04:14:32
Analyzed on: WindowsXPESX SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
B6232F3A951.exe:1760
The Trojan injects its code into the following process(es):
mscorsvw.exe:424
cmd.exe:244
svchost.exe:340
jqs.exe:480
winlogon.exe:716
lsass.exe:772
svchost.exe:928
svchost.exe:1012
svchost.exe:1096
svchost.exe:1144
svchost.exe:1188
spoolsv.exe:1432
Explorer.EXE:1948
wmiprvse.exe:3704
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process B6232F3A951.exe:1760 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Recycle.Bin\450EA779C22EAD4 (8 bytes)
Registry activity
The process B6232F3A951.exe:1760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 C1 82 5D 44 F8 56 07 C0 AE 64 C7 AC 40 1C BB"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in WININET.dll:
InternetWriteFile
InternetReadFileExA
HttpSendRequestA
HttpSendRequestW
HttpOpenRequestA
HttpAddRequestHeadersA
InternetQueryDataAvailable
InternetCloseHandle
HttpQueryInfoA
InternetReadFile
InternetQueryOptionA
The Trojan installs the following user-mode hooks in USER32.dll:
TranslateMessage
The Trojan installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan installs the following user-mode hooks in ADVAPI32.dll:
CryptEncrypt
The Trojan installs the following user-mode hooks in WS2_32.dll:
send
The Trojan installs the following user-mode hooks in ntdll.dll:
ZwVdmControl
ZwSetInformationFile
NtResumeThread
ZwQueryDirectoryFile
ZwEnumerateValueKey
Propagation
VersionInfo
Company Name: Don HO [email protected]
Product Name: Notepad
Product Version: 5.7
Legal Copyright: Copyleft 1998-2006 by Don HO
Legal Trademarks:
Original Filename: Notepad .exe
Internal Name: npp.exe
File Version: 5.7
File Description: Notepad : a free (GNU) source code editor
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 180224 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 184320 | 311296 | 310784 | 5.51958 | 43ba23d7ecb65c5e65ec6c27f3765e12 |
| .rsrc | 495616 | 4096 | 3072 | 2.09766 | 5994d4f01e938e09928768f4b86091ff |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
3$3*303\3
6%6U6t6
>)?0?9?[?|?
6)6:6?6\6
>'>.>5>{>4-444C4T4Y4p4y4}4
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
(GMT %su:u) %s
RapportTanzan36.
RapportKoan.
svchost.exe_1096_rwx_3D940000_00001000:
sensapi.dll
svchost.exe_1096_rwx_3D94B000_00003000:
HTTP/%d.%d
FEATURE_INCLUDE_PORT_IN_SPN_KB908209
svchost.exe_1096_rwx_3D94F000_00001000:
QSSSSh
svchost.exe_1096_rwx_3D95E000_00001000:
Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0)
svchost.exe_1096_rwx_3D963000_00001000:
<>\"/:|?*
svchost.exe_1096_rwx_3D9A6000_00001000:
SSSSh
svchost.exe_1144_rwx_00820000_00005000:
.text
`.rdata
@.data
.reloc
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
Plugin_CreditGrab.dll
Callback_OnBeforeProcessUrl
.google.
.ebuddy.
.facebook.
5.1.2600!XP2!D8CC41DB
svchost.exe_1144_rwx_0BAD0000_0004E000:
.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);user_pref("browser.safebrowsing.malware.enabled", false);user_pref("security.warn_entering_weak", false);user_pref("security.warn_entering_weak.show_once", false);user_pref("security.warn_viewing_mixed", false);user_pref("security.warn_viewing_mixed.show_once", false);user_pref("privacy.clearOnShutdown.cookies", false);user_pref("privacy.clearOnShutdown.sessions", false);X X
nspr4.dll
seieapiXX
set_url
Host: %s
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
%d.%d.%d
keys
http:
urlmask
cert
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }r = %s
%s%s&rep=%s
tid=%u&stat=
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
%System%\WININET.dll
C:\Recycle.Bin\450EA779C22EAD4
%System%\ntdll.dll
%System%\USER32.dll
%System%\CRYPT32.dll
C:\Recycle.Bin\B6232F3A951.exe
C:\Recycle.Bin\
B6232F3A951.exe
Iw7k5M2US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP2!D8CC41DB
config.bin
Recycle.Bin
Microsoft Windows
%System%\ADVAPI32.dll
c:\windows\system32\WS2_32.dll
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
3$3*303\3
6%6U6t6
>)?0?9?[?|?
6)6:6?6\6
>'>.>5>{>4-444C4T4Y4p4y4}4
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
(GMT %su:u) %s
RapportTanzan36.
RapportKoan.
svchost.exe_1144_rwx_3D940000_00001000:
sensapi.dll
svchost.exe_1144_rwx_3D94B000_00003000:
HTTP/%d.%d
FEATURE_INCLUDE_PORT_IN_SPN_KB908209
svchost.exe_1144_rwx_3D94F000_00001000:
QSSSSh
svchost.exe_1144_rwx_3D95E000_00001000:
Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0)
svchost.exe_1144_rwx_3D963000_00001000:
<>\"/:|?*
svchost.exe_1144_rwx_3D9A6000_00001000:
SSSSh
svchost.exe_1188_rwx_0BAD0000_0004E000:
.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);user_pref("browser.safebrowsing.malware.enabled", false);user_pref("security.warn_entering_weak", false);user_pref("security.warn_entering_weak.show_once", false);user_pref("security.warn_viewing_mixed", false);user_pref("security.warn_viewing_mixed.show_once", false);user_pref("privacy.clearOnShutdown.cookies", false);user_pref("privacy.clearOnShutdown.sessions", false);X X
nspr4.dll
seieapiXX
set_url
Host: %s
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
%d.%d.%d
keys
http:
urlmask
cert
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }r = %s
%s%s&rep=%s
tid=%u&stat=
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
C:\Recycle.Bin\450EA779C22EAD4
%System%\ntdll.dll
C:\Recycle.Bin\B6232F3A951.exe
C:\Recycle.Bin\
B6232F3A951.exe
Iw7k5M2US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP2!D8CC41DB
config.bin
Recycle.Bin
Microsoft Windows
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
3$3*303\3
6%6U6t6
>)?0?9?[?|?
6)6:6?6\6
>'>.>5>{>4-444C4T4Y4p4y4}4
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
(GMT %su:u) %s
RapportTanzan36.
RapportKoan.
spoolsv.exe_1432_rwx_00D00000_00005000:
.text
`.rdata
@.data
.reloc
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
Plugin_CreditGrab.dll
Callback_OnBeforeProcessUrl
.google.
.ebuddy.
.facebook.
5.1.2600!XP2!D8CC41DB
spoolsv.exe_1432_rwx_0BAD0000_0004E000:
.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);user_pref("browser.safebrowsing.malware.enabled", false);user_pref("security.warn_entering_weak", false);user_pref("security.warn_entering_weak.show_once", false);user_pref("security.warn_viewing_mixed", false);user_pref("security.warn_viewing_mixed.show_once", false);user_pref("privacy.clearOnShutdown.cookies", false);user_pref("privacy.clearOnShutdown.sessions", false);X X
nspr4.dll
seieapiXX
set_url
Host: %s
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
%d.%d.%d
keys
http:
urlmask
cert
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }r = %s
%s%s&rep=%s
tid=%u&stat=
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
%System%\WININET.dll
C:\Recycle.Bin\450EA779C22EAD4
%System%\ntdll.dll
%System%\USER32.dll
%System%\CRYPT32.dll
C:\Recycle.Bin\B6232F3A951.exe
C:\Recycle.Bin\
B6232F3A951.exe
Iw7k5M2US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP2!D8CC41DB
config.bin
Recycle.Bin
Microsoft Windows
%System%\ADVAPI32.dll
%System%\WS2_32.dll
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
3$3*303\3
6%6U6t6
>)?0?9?[?|?
6)6:6?6\6
>'>.>5>{>4-444C4T4Y4p4y4}4
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
(GMT %su:u) %s
RapportTanzan36.
RapportKoan.
spoolsv.exe_1432_rwx_3D940000_00001000:
sensapi.dll
spoolsv.exe_1432_rwx_3D94B000_00003000:
HTTP/%d.%d
FEATURE_INCLUDE_PORT_IN_SPN_KB908209
spoolsv.exe_1432_rwx_3D94F000_00001000:
QSSSSh
spoolsv.exe_1432_rwx_3D95E000_00001000:
Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0)
spoolsv.exe_1432_rwx_3D963000_00001000:
<>\"/:|?*
spoolsv.exe_1432_rwx_3D9A6000_00001000:
SSSSh
Explorer.EXE_1948_rwx_01100000_00002000:
!EYEc:\%original file name%.exe
C:\Recycle.Bin\
B6232F3A951.exe
xqCSLEoSiMC.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP2!D8CC41DB
config.bin
Recycle.Bin
Microsoft Windows
Explorer.EXE_1948_rwx_01340000_00005000:
.text
`.rdata
@.data
.reloc
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
Plugin_CreditGrab.dll
Callback_OnBeforeProcessUrl
.google.
.ebuddy.
.facebook.
5.1.2600!XP2!D8CC41DB
Explorer.EXE_1948_rwx_01730000_00006000:
.text
`.rdata
@.data
.reloc
PSSSSSSh
Advapi32.dll
guid=%s&ver=%u&ie=%s&os=%u.%u.%u&ut=%s&ccrc=X&md5=%s&plg=%s&plgstat=%s&wake=%u
%s&stat=online
hXXp://VVV.microsoft.com
%s&%s
ntdll.dll
SHLWAPI.dll
GetProcessHeap
KERNEL32.dll
ADVAPI32.dll
customconnector.dll
TakeBotExeMd5Callback
TakeStartExe
TakeUpdateBotExe
Content-Type: application/x-www-form-urlencoded
5.1.2600!XP2!D8CC41DB
hXXp://troleybusikoff.ru/forum.php
Explorer.EXE_1948_rwx_0BAD0000_0004E000:
.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);user_pref("browser.safebrowsing.malware.enabled", false);user_pref("security.warn_entering_weak", false);user_pref("security.warn_entering_weak.show_once", false);user_pref("security.warn_viewing_mixed", false);user_pref("security.warn_viewing_mixed.show_once", false);user_pref("privacy.clearOnShutdown.cookies", false);user_pref("privacy.clearOnShutdown.sessions", false);X X
nspr4.dll
seieapiXX
set_url
Host: %s
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
%d.%d.%d
keys
http:
urlmask
cert
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }r = %s
%s%s&rep=%s
tid=%u&stat=
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
C:\Recycle.Bin\450EA779C22EAD4
%System%\ntdll.dll
C:\Recycle.Bin\B6232F3A951.exe
C:\Recycle.Bin\
B6232F3A951.exe
Iw7k5M2US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP2!D8CC41DB
config.bin
Recycle.Bin
Microsoft Windows
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
3$3*303\3
6%6U6t6
>)?0?9?[?|?
6)6:6?6\6
>'>.>5>{>4-444C4T4Y4p4y4}4
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
(GMT %su:u) %s
RapportTanzan36.
RapportKoan.
Explorer.EXE_1948_rwx_0BB60000_0005A000:
.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);user_pref("browser.safebrowsing.malware.enabled", false);user_pref("security.warn_entering_weak", false);user_pref("security.warn_entering_weak.show_once", false);user_pref("security.warn_viewing_mixed", false);user_pref("security.warn_viewing_mixed.show_once", false);user_pref("privacy.clearOnShutdown.cookies", false);user_pref("privacy.clearOnShutdown.sessions", false);X X
nspr4.dll
seieapiXX
set_url
Host: %s
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
%d.%d.%d
keys
http:
urlmask
cert
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }r = %s
%s%s&rep=%s
tid=%u&stat=
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
%System%\WININET.dll
C:\Recycle.Bin\450EA779C22EAD4
%System%\ntdll.dll
%System%\USER32.dll
%System%\CRYPT32.dll
C:\Recycle.Bin\B6232F3A951.exe
C:\Recycle.Bin\
B6232F3A951.exe
Iw7k5M2US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP2!D8CC41DB
config.bin
Recycle.Bin
Microsoft Windows
%System%\ADVAPI32.dll
%System%\WS2_32.dll
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
3$3*303\3
6%6U6t6
>)?0?9?[?|?
6)6:6?6\6
>'>.>5>{>4-444C4T4Y4p4y4}4
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
(GMT %su:u) %s
RapportTanzan36.
RapportKoan.
Explorer.EXE_1948_rwx_3D94F000_00001000:
QSSSSh
Explorer.EXE_1948_rwx_3D95E000_00001000:
Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0)
Explorer.EXE_1948_rwx_3D9A6000_00001000:
SSSSh
wmiprvse.exe_3704_rwx_00F50000_00005000:
.text
`.rdata
@.data
.reloc
MSVCRT.dll
GetProcessHeap
KERNEL32.dll
Plugin_CreditGrab.dll
Callback_OnBeforeProcessUrl
.google.
.ebuddy.
.facebook.
5.1.2600!XP2!D8CC41DB
wmiprvse.exe_3704_rwx_0BAD0000_0004E000:
.text
.reloc
`.data
.rsrc
KERNEL32.dll
USER32.dll
SHELL32.dll
systray.pdb
explorer.exe
threadmetadata!nfo%d
\\.\pipe\globpluginsuninstallpipe
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
\\.\pipe\processingpipe_
\\.\pipe\globpluginspipe
Global\%s
\\.\pipe\globgatepipe
user_pref("browser.safebrowsing.enabled", false);user_pref("browser.safebrowsing.malware.enabled", false);user_pref("security.warn_entering_weak", false);user_pref("security.warn_entering_weak.show_once", false);user_pref("security.warn_viewing_mixed", false);user_pref("security.warn_viewing_mixed.show_once", false);user_pref("privacy.clearOnShutdown.cookies", false);user_pref("privacy.clearOnShutdown.sessions", false);X X
nspr4.dll
seieapiXX
set_url
Host: %s
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
%d.%d.%d
keys
http:
urlmask
cert
rapport
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
[ERROR] : Cannot dump file (%u bytes) { %s }r = %s
%s%s&rep=%s
tid=%u&stat=
[ERROR] : dwErr == %u ( Config is damaged )
[ERROR] : dwErr == %u ( Could be invalid encryption key )
[ERROR] : dwErr == %u
%d-%d-%d
Global\X
%s%s%s
opera
wlcomm.exe
msmsgs.exe
msnmsgr.exe
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
Content-Type: application/x-www-form-urlencoded
HTTP/1.
.mpeg
.jpeg
chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
1.2.4
w SSh
t.VPW
FVSSh
.exeW
FTPQ
%System%\WININET.dll
C:\Recycle.Bin\450EA779C22EAD4
%System%\ntdll.dll
%System%\USER32.dll
%System%\CRYPT32.dll
C:\Recycle.Bin\B6232F3A951.exe
C:\Recycle.Bin\
B6232F3A951.exe
Iw7k5M2US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP2!D8CC41DB
config.bin
Recycle.Bin
Microsoft Windows
%System%\ADVAPI32.dll
%System%\WS2_32.dll
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
HttpAddRequestHeadersA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
MSIMG32.dll
urlmon.dll
GetProcessHeap
WaitNamedPipeA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
ole32.dll
3$3*303\3
6%6U6t6
>)?0?9?[?|?
6)6:6?6\6
>'>.>5>{>4-444C4T4Y4p4y4}4
Systray .exe stub
5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
systray.exe
Windows
Operating System
5.2.3790.1830
\prefs.js
(GMT %su:u) %s
RapportTanzan36.
RapportKoan.
wmiprvse.exe_3704_rwx_3D940000_00001000:
sensapi.dll
wmiprvse.exe_3704_rwx_3D94B000_00003000:
HTTP/%d.%d
FEATURE_INCLUDE_PORT_IN_SPN_KB908209
wmiprvse.exe_3704_rwx_3D94F000_00001000:
QSSSSh
wmiprvse.exe_3704_rwx_3D95E000_00001000:
Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0)
wmiprvse.exe_3704_rwx_3D963000_00001000:
<>\"/:|?*
wmiprvse.exe_3704_rwx_3D9A6000_00001000:
SSSSh
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
B6232F3A951.exe:1760
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Recycle.Bin\450EA779C22EAD4 (8 bytes)
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.