MD5: 1c4574d8af783820e7eec1902d30c073
SHA1: 88b5a656a46fd9dca75eebfdab50ebf8b8fb0b26
SHA256: 9c2ec95628363b43f0083de9eae5a102a3a6ba7e34037043ba59dd4aa0830d09
SSDeep: 49152:WYBFbTCVBoxKCnFnQXBbrtgb/iQvu0UHOau:bF60xvWbrtUTrUHOl
Size: 2096940 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2012-03-05 10:37:55
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Payload

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1232
wtmps.exe:2908
mscaps.exe:2960
@AE1.tmp.exe:1632
launch.exe:2824
WdExt.exe:2284

The Trojan injects its code into the following process(es):

service.exe:1496
EmangEloh.exe:1324
winlogon.exe:1512
Explorer.EXE:1140

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1232 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Templates\O63746Z\winlogon.exe (1281 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\sql.cmd (1281 bytes)
%Documents and Settings%\%current user%\Templates\O63746Z\service.exe (1281 bytes)
%WinDir%\Ti645063ta.exe (1281 bytes)
%System%\X51334go\Z127387cie.cmd (1281 bytes)
%WinDir%\M35838\smss.exe (1281 bytes)
%WinDir%\M35838\Ja856821bLay.com (1281 bytes)
%System%\127387645063l.exe (1281 bytes)
%WinDir%\sa-755287.exe (1281 bytes)
%WinDir%\M35838\EmangEloh.exe (1281 bytes)
%WinDir%\system\msvbvm60.dll (8657 bytes)
%Documents and Settings%\%current user%\Templates\O63746Z\TuxO63746Z.exe (1281 bytes)

The process wtmps.exe:2908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\mscaps.exe (27349 bytes)

The process mscaps.exe:2960 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\wtime32.dll (29045 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E.tmp (406 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wtmps.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E.tmp (0 bytes)

The process @AE1.tmp.exe:1632 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\000808E2_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080901_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FF6C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000804EA_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000805D5_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FD69_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080008_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080400_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FA6B_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Messenger\Extension\WdExt.exe (244510 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008050A_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080047_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F673_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008074C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FEA1_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F700_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F8A6_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F599_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F6B2_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Sp3.tmp (1304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F932_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FB36_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000808C3_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F952_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080884_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000806FE_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F7DB_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FD0B_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F7BB_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000802C8_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080613_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008044E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F9BF_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F625_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080671_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080354_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\buxql.exe (561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080539_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000807AA_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000804CB_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F73E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FCBD_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F80A_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080690_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080279_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FEE0_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FA1D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080325_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FBE2_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000807C9_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080112_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FE63_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080141_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F9CF_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F616_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F9FE_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F971_Rar\@AE1.tmp.exe (13122 bytes)
%WinDir%\system.ini (68 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000806DE_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000800E3_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FDE6_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008047D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F79C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FDA7_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080076_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080316_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F819_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F8E4_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000807E8_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000804AC_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008042F_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000803A2_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F4ED_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FD49_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FBC3_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080567_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FC7E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080383_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000808A4_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F848_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FFAB_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008072D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F654_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008046D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (459254 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000808F2_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (12549 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080652_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000805B6_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp5.tmp (907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FA8A_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000803C2_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FA4C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FAC9_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Se4.tmp (1792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FD88_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F5F6_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F78D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008071D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FC20_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F913_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F838_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080548_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F867_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FB17_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F6D1_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\adm1.bat (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F990_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FAE8_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F4CD_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F7EA_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F644_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080817_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F54A_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080587_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F693_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F664_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FB75_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080836_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000802A8_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FE43_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FE24_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007FA2C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000806B0_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000805F4_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080865_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008023B_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080633_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008076B_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\adm0.bat (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008078A_Rar\@AE1.tmp.exe (13122 bytes)

The Trojan deletes the following file(s):

%WinDir%\7f4cd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Sp3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\buxql.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Se4.tmp (0 bytes)

The process service.exe:1496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\pchealth\UploadLB\Gallery .scr (305 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\sql.cmd (1281 bytes)
%WinDir%\SoftwareDistribution\Download\TutoriaL HAcking .exe (305 bytes)
%WinDir%\ime\shared\Blink 182 .exe (305 bytes)
%Documents and Settings%\%current user%\Templates\O63746Z\TuxO63746Z.exe (1281 bytes)
%System%\X51334go\Z127387cie.cmd (1281 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\Titip Folder Jangan DiHapus .exe (305 bytes)
%WinDir%\system\msvbvm60.dll (8657 bytes)
%WinDir%\[TheMoonlight].txt (109 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Network\Downloader\RaHasIA .exe (305 bytes)
%Program Files%\Movie Maker\Shared\Gallery .scr (305 bytes)
%WinDir%\Downloaded Program Files\THe Best Ungu .scr (305 bytes)
%Program Files%\Common Files\Microsoft Shared\Titip Folder Jangan DiHapus .exe (305 bytes)

The process launch.exe:2824 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Temp\adm0.bat (112 bytes)

The process WdExt.exe:2284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\0008289F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082C97_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083820_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082F27_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082F56_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082FF2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000818C1_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082E2D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000839D5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000819AB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008210E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082F17_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000817D6_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008368A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082294_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081D54_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083A33_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083273_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000834B5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000826CA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081892_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008192E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081546_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000839B6_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082071_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083745_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081E9D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082DDF_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083978_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000835CE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000839A6_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082052_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082C87_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082285_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (12549 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083B8B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081DB2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Addins\att.dll (18829 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082A64_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083BBA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008290C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpD.tmp (55476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008314A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081D16_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081FD5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082FC3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082042_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082C77_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000832C1_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081601_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000835AF_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Shared\Modules\fil.dll (10805 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008382F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008331F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000816FB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081BCE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082459_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081E8D_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081FC5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Repairs\sha.dll (7589 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082B4F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008260F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082803_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081BBE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083A43_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081815_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008293B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008148A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008266D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000832FF_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083BAA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081E5E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082544_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000834E4_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081EFA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083774_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082841_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008146B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082747_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp7.tmp (48916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008213C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008312B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082E1D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082524_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000835BE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081FF4_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081B80_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083784_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008142D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081D83_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082C29_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000821AA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000819DA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082822_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082E8B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081B12_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083BC9_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082515_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083707_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpB.tmp (21164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000821C9_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082479_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008149A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008240B_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082023_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000834D4_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008383F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000823FC_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000830DC_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008217B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000822C3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081AB5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082A45_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000839C6_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp9.tmp (28924 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083179_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000818A1_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082330_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083447_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081640_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000815B3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008165F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082E5C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081D74_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081882_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000826BB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000825FF_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082F85_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081A76_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008361C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083A14_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008330F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008196C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082DFE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082FB4_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081EEB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082F46_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081ECB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008214C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpC.tmp (36444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083810_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082A93_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Defender\launch.exe (18077 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000814AA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083726_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082C58_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081D06_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wtmps.exe (31581 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081B8F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081AE3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082CD5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082B3F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082062_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081F1A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008241B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081B9F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081517_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083438_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082488_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083409_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083428_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083457_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081A28_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081565_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008190F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000839F5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082B5E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008198C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083188_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081D26_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082B20_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008387E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082E4C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000831A8_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082BFA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000818EF_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000819F9_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082E3D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000832E0_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082DC0_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083159_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083282_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000837E1_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083476_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081FE5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000824A7_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081E6E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081798_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008143C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000822E2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081B41_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081B60_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083292_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081594_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082D62_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082469_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081F0A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082AB2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000832D0_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082709_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082728_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008333E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008269B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083987_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008294B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083002_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082AE1_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000835FD_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081E4E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008388D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081D35_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008366A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000828CE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008367A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp8.tmp (26548 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Identities\"%CurrentUserName%"\arc.dll (96316 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082861_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083B7B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082718_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081769_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008310B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082033_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008385E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Common\Shared\dis.dll (10077 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081DA3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000830CD_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082E0E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000814F8_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082C49_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082FD3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\adm1.bat (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008364B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000832A2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000822D3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082A35_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081507_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008172A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082AD2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083467_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081853_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081D93_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082498_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082E7B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082302_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082C39_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008386E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000822A4_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000822F2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008218B_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008311B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000816CD_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008215C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008362C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000835ED_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083A04_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083B5C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081621_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Caches\Files\usd.dll (7933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008166F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081EDB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000828DE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083B3D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082A26_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081650_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082014_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083755_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083263_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008390A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000814C9_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082321_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpA.tmp (18508 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000821B9_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081EBC_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082F94_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000838AC_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008313A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083198_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082311_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008212D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081D64_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00083486_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000814E8_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008291C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082340_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000814B9_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008211D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000828AF_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000834A5_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00082F75_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000837F1_Rar\WdExt.exe (13122 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp8.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (0 bytes)

The process EmangEloh.exe:1324 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\X51334go\Z127387cie.cmd (1281 bytes)
%WinDir%\[TheMoonlight].txt (109 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\sql.cmd (1281 bytes)
%Documents and Settings%\%current user%\Templates\O63746Z\TuxO63746Z.exe (1281 bytes)

Registry activity

The process %original file name%.exe:1232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\TUX\Path]
"1" = "M35838"
"3" = "X51334go"
"2" = "O63746Z"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Templates\O63746Z]
"winlogon.exe" = "winlogon"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\VB and VBA Program Settings\untukmu\version]
"me" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Templates\O63746Z]
"service.exe" = "service"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 35 A9 A9 AE 62 7A EF 51 4E 02 0B F8 C6 CE B7"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%\M35838]
"smss.exe" = "smss"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\TUX\biang]
"4" = "856821"
"5" = "110343"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%\M35838]
"EmangEloh.exe" = "EmangEloh"

[HKLM\SOFTWARE\Microsoft\TUX\biang]
"1" = "127387"
"2" = "755287"
"3" = "645063"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process mscaps.exe:2960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{ef2b00e3-19da-4e78-b118-6b6451b719f2}]
"Locale" = "*"
"StubPath" = "%System%\mscaps.exe /s /n /i:U shell32.dll"
"Version" = "1,125,2406,1"
"ComponentID" = "DirectShow"

The process @AE1.tmp.exe:1632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Temp]
"adm1.bat" = "adm1"
"adm0.bat" = "adm0"

[HKCU\Software\Stvncyfrlda]
"m2_8" = "997419746"

[HKCU\Software\Stvncyfrlda\168128873]
"-1648771660" = "30"

[HKCU\Software\Stvncyfrlda]
"m2_2" = "3470575367"
"m2_3" = "910905639"
"m2_0" = "6889"
"m2_1" = "1735293802"
"m2_6" = "1821804778"
"m2_7" = "3557105245"
"m2_4" = "2646190109"
"m2_5" = "86520731"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Stvncyfrlda\168128873]
"-737866757" = "1E5571E550EC6AC53AE13D3F7DC0CC8061CA44594227D6670DCDCEE4A123B745EEAD14A703C99DD3DBA2A4D607F69A83882C176653A4259F99BD6A9AA8EBC4B5A7028BF34E1C7C726DDA76137D0018A90E5CEFA084D0BB9F20D2346760CC5762EE70F3336E4A2BF1EC3D5E297DC79279B9237BA952F46582C5B90B54CE577E6852FFEDCF4C3AF6531535847E5DA8CDE9FB42AE7DAD10CECB5628D6CB3D14BE8454AD881D29EE50C7CACF782FDC3C2625A60E29DB5AF20451090ADA90C8E812FAF069C6194C2CA266BD6AA8911F3774E5030BA04C8A9D88FAC4EFE9901B2A630033F20048AF11A37D0019DA4E355233F7FB54DC18CA8FD6E270532510C72C472D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Stvncyfrlda]
"m4_0" = "0"
"m4_1" = "1735290733"
"m4_2" = "3470581466"
"m4_3" = "910904903"
"m4_4" = "2646195636"
"m4_5" = "86519073"
"m4_6" = "1821809806"
"m4_7" = "3557100539"
"m4_8" = "997423976"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Stvncyfrlda\168128873]
"910904903" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F C2 CF 4B 97 50 F8 4A 55 08 3B F5 3B 00 C3 A3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Stvncyfrlda]
"m3_3" = "927474798"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Stvncyfrlda\168128873]
"-824385830" = "0"
"1821809806" = "0200687474703A2F2F7061647275702E636F6D2F736F62616B61312E67696600687474703A2F2F3139302E3132302E3232372E39313A383038302F736F62616B61766F6C6F732E676966"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Stvncyfrlda]
"m3_2" = "3487544563"
"m3_1" = "1718420804"
"m3_0" = "17001001"
"m3_7" = "3573965266"
"m3_6" = "1838544551"
"m3_5" = "69945096"
"m3_4" = "2629490589"
"m3_8" = "980422977"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Stvncyfrlda\168128873]
"1735290733" = "14"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Stvncyfrlda]
"m1_5" = "3898353818"
"m1_4" = "2161800132"
"m1_7" = "1991572934"
"m1_6" = "1482184409"
"m1_1" = "3902816932"
"m1_0" = "3576254676"
"m1_3" = "1738348942"
"m1_2" = "1341601299"

"m1_8" = "2910010173"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Stvncyfrlda\168128873]
"86519073" = "75"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"@AE1.tmp.exe" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\@AE1.tmp.exe:*:Enabled:ipsec"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process service.exe:1496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\VB and VBA Program Settings\noGods\appActive]
"service.exe" = "ˆÕq Í‰W«"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = "127387645063l.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Common Startup" = "%System%\X51334go"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
"fullpath" = "1"

[HKCU\Software\VB and VBA Program Settings\untukmu\version]
"me" = "4"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"debugger" = "%WinDir%\notepad.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"debugger" = "%WinDir%\notepad.exe"

[HKCR\scrfile]
"(Default)" = "File Folder"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 19 3E 0F 60 F4 26 1B 85 EA CE C5 B6 12 D4 35"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"UncheckedValue" = "0"

[HKLM\SYSTEM\ControlSet002\Control\SafeBoot]
"AlternateShell" = "127387645063l.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"T46Z273" = "%WinDir%\sa-755287.exe"

The following driver will be automatically launched by the OS Loader:

[HKLM\System\CurrentControlSet\Services\SharedAccess]
"Start" = "0"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe , %WinDir%\M35838\Ja856821bLay.com"

"Shell" = "explorer.exe, %Documents and Settings%\%current user%\Templates\O63746Z\TuxO63746Z.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"T1358287TT4" = "%System%\127387645063l.exe"

The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus-cfirltrx"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AllMyBallance"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YourUnintendes"

"Bron-Spizaetus-cgglmmrv"

"dkernel"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus-1101"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TryingToSpeak"

"YourUnintended"

"Bron-Spizaetus"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MomentEverComes"

"SaTRio ADie X"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ADie suka kamu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lexplorer"

The process launch.exe:2824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 D1 DE CA EE 5C 3D 01 D9 13 A0 62 A3 8A EF E9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender Extension" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Defender\launch.exe"

The process WdExt.exe:2284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B AC FE 75 43 0E DC 57 E9 55 3E FF 06 E2 58 09"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process EmangEloh.exe:1324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\VB and VBA Program Settings\noGods\appActive]
"EmangEloh.exe" = "¦»óŽ½ê§tÈ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = "127387645063l.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Common Startup" = "%System%\X51334go"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
"fullpath" = "1"

[HKCU\Software\VB and VBA Program Settings\untukmu\version]
"me" = "4"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"debugger" = "%WinDir%\notepad.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"debugger" = "%WinDir%\notepad.exe"

[HKCR\scrfile]
"(Default)" = "File Folder"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"

"ShowSuperHidden" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 02 A5 F5 AC F5 3B D6 23 5D BF 14 8D 76 25 FB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"UncheckedValue" = "0"

[HKLM\SYSTEM\ControlSet002\Control\SafeBoot]
"AlternateShell" = "127387645063l.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"T46Z273" = "%WinDir%\sa-755287.exe"

The following driver will be automatically launched by the OS Loader:

[HKLM\System\CurrentControlSet\Services\SharedAccess]
"Start" = "0"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe , %WinDir%\M35838\Ja856821bLay.com"

"Shell" = "explorer.exe, %Documents and Settings%\%current user%\Templates\O63746Z\TuxO63746Z.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"T1358287TT4" = "%System%\127387645063l.exe"

The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus-cfirltrx"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AllMyBallance"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YourUnintendes"

"Bron-Spizaetus-cgglmmrv"

"dkernel"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus-1101"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TryingToSpeak"

"YourUnintended"

"Bron-Spizaetus"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MomentEverComes"

"SaTRio ADie X"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ADie suka kamu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lexplorer"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.rsrc

keylog

shell32.dll

ShellExecuteA

RasApi32.dll

wininet.dll

InternetOpenUrlA

advapi32.dll

GetWindowsDirectoryA

user32.dll

EnumWindows

VBA6.DLL

RegCloseKey

RegCreateKeyA

RegDeleteKeyA

RegOpenKeyA

RegOpenKeyExA

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

OpenUrl

GetKeyState

GetAsyncKeyState

Kernel32.dll

MSVBVM60.DLL

kernel32.dll

%sy5|l

SSSSSh

{6S%X

^.NrL

I.Mh|

SHELL32.DLL

KERNEL32.DLL

service.exe

.rsrc

%Documents and Settings%\%current user%\Templates\O63746Z\service.exe

hXXp://padrup.com/sobaka1.gif

hXXp://190.120.227.91:8080/sobakavolos.gif

hXXp://89.11

.info/home.gifIh

bW.text

JKERNEL32.dll

%x.exe

h.rdla&

mH.MN8

T4.At%

S.twa

.klkjw:9fqwiBumW

.sysa

Zc.pBTa

~%s:*:yd:

.!.VF*

.d&?%x=

GUrlA'

"\'Web%w}

HTTP)s'PS

2GUARDCMD

o.ENHCDM

wWEBWUPD

MM.PF

%xn'[

>>?456789:;

!"#$%&'()* ,-./4

qn%CXf

UP*dB.PPd@.

%FoAN-x

ÄEW

%F" *" a

ADVAPI32.dll

MSVCRT.dll

SHELL32.dll

USER32.dll

WS2_32.dll

SHFileOperationA

%sgkU

ei.sEI

*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

winlogon.exe

suport

login

ZIPPED.zip

FILEATTACH.bz2

Doc.gz

SMTP Server

SMTP Email Address

smtp.

curriculum vittae.zip

USE_RAR_To_Extract.ace

file.bz2

thisfile.gz

TITTA'S Picture.jar

<strong>free screen saver romance for you <br>Please Visit Our Web Site <a href=hXXp://VVV.moonLight.com>hXXp://VVV.moonLight.com<a>

aku mahasiswa <a href=hXXp://VVV.bsi.ac.id>Bsi</a> Margonda smt 3

12050075

<br>password lampiran 55132098

\regsvr32.exe

\twain32.dll

<br>For security reasons attached file is password protected.<br> The password is 55132098

OSSMTP.SMTPSession

*.html

TutoriaL HAcking .exe

Lagu - Server .scr

Data DosenKu .exe

Titip Folder Jangan DiHapus .exe

Love Song .scr

New mp3 BaraT !! .exe

THe Best Ungu .scr

Blink 182 .exe

Norman virus Control 5.18 .exe

Windows Vista setup .scr

Gallery .scr

RaHasIA .exe

smss.exe

EmangEloh.exe

\msvbvm60.dll

\system\msvbvm60.dll

\service.exe

\smss.exe

\EmangEloh.exe

\winlogon.exe

cie.cmd

ta.exe

bLay.com

l.exe

\sql.cmd

Software\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe,

\userinit.exe ,

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

msconfig.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

\notepad.exe

regedit.exe

Software\Microsoft\Windows\CurrentVersion\run

\*.pif

*.htm

hXXp://VVV.geocities.com/m00nL19ht2006/

\MYpIC.zip

zipfile.txt

dll.txt

payload.txt

\payload.vbs

update1.txt

\untk.com

hXXp://VVV.apasajalah.host.sk/testms.php?mod=save&bkd=0&klog=

\[TheMoonlight].txt

@*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

Moonlight.exe

service.exe_1496_rwx_00350000_00002000:

The procedure %s could not be located in the DLL %s.

The ordinal %d could not be located in the DLL %s.

service.exe_1496_rwx_00401000_00017000:

keylog

shell32.dll

ShellExecuteA

RasApi32.dll

wininet.dll

InternetOpenUrlA

advapi32.dll

GetWindowsDirectoryA

user32.dll

EnumWindows

VBA6.DLL

RegCloseKey

RegCreateKeyA

RegDeleteKeyA

RegOpenKeyA

RegOpenKeyExA

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

OpenUrl

GetKeyState

GetAsyncKeyState

Kernel32.dll

MSVBVM60.DLL

*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

winlogon.exe

suport

login

ZIPPED.zip

FILEATTACH.bz2

Doc.gz

SMTP Server

SMTP Email Address

smtp.

curriculum vittae.zip

USE_RAR_To_Extract.ace

file.bz2

thisfile.gz

TITTA'S Picture.jar

<strong>free screen saver romance for you <br>Please Visit Our Web Site <a href=hXXp://VVV.moonLight.com>hXXp://VVV.moonLight.com<a>

aku mahasiswa <a href=hXXp://VVV.bsi.ac.id>Bsi</a> Margonda smt 3

12050075

<br>password lampiran 55132098

\regsvr32.exe

\twain32.dll

<br>For security reasons attached file is password protected.<br> The password is 55132098

OSSMTP.SMTPSession

*.html

TutoriaL HAcking .exe

Lagu - Server .scr

Data DosenKu .exe

Titip Folder Jangan DiHapus .exe

Love Song .scr

New mp3 BaraT !! .exe

THe Best Ungu .scr

Blink 182 .exe

Norman virus Control 5.18 .exe

Windows Vista setup .scr

Gallery .scr

RaHasIA .exe

service.exe

smss.exe

EmangEloh.exe

\msvbvm60.dll

\system\msvbvm60.dll

\service.exe

\smss.exe

\EmangEloh.exe

\winlogon.exe

cie.cmd

ta.exe

bLay.com

l.exe

\sql.cmd

Software\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe,

\userinit.exe ,

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

msconfig.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

\notepad.exe

regedit.exe

Software\Microsoft\Windows\CurrentVersion\run

\*.pif

*.htm

hXXp://VVV.geocities.com/m00nL19ht2006/

\MYpIC.zip

zipfile.txt

dll.txt

payload.txt

\payload.vbs

update1.txt

\untk.com

hXXp://VVV.apasajalah.host.sk/testms.php?mod=save&bkd=0&klog=

\[TheMoonlight].txt

@*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

Moonlight.exe

service.exe_1496_rwx_0041A000_00005000:

kernel32.dll

%sy5|l

SSSSSh

{6S%X

service.exe_1496_rwx_0042B000_00004000:

^.NrL

service.exe_1496_rwx_00435000_0000F000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

service.exe

.rsrc

%Documents and Settings%\%current user%\Templates\O63746Z\service.exe

hXXp://padrup.com/sobaka1.gif

hXXp://190.120.227.91:8080/sobakavolos.gif

hXXp://89.11

.info/home.gifIh

bW.text

JKERNEL32.dll

%x.exe

h.rdla&

mH.MN8

T4.At%

S.twa

.klkjw:9fqwiBumW

.sysa

Zc.pBTa

~%s:*:yd:

.!.VF*

.d&?%x=

GUrlA'

"\'Web%w}

HTTP)s'PS

2GUARDCMD

o.ENHCDM

wWEBWUPD

MM.PF

%xn'[

>>?456789:;

!"#$%&'()* ,-./4

qn%CXf

UP*dB.PPd@.

%FoAN-x

ÄEW

%F" *" a

ADVAPI32.dll

MSVCRT.dll

SHELL32.dll

USER32.dll

WS2_32.dll

RegCloseKey

SHFileOperationA

service.exe_1496_rwx_00F70000_00002000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.rsrc

.text

service.exe_1496_rwx_00F80000_00001000:

|service.exeM_1496_

EmangEloh.exe_1324:

.text

`.rsrc

keylog

shell32.dll

ShellExecuteA

RasApi32.dll

wininet.dll

InternetOpenUrlA

advapi32.dll

GetWindowsDirectoryA

user32.dll

EnumWindows

VBA6.DLL

RegCloseKey

RegCreateKeyA

RegDeleteKeyA

RegOpenKeyA

RegOpenKeyExA

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

OpenUrl

GetKeyState

GetAsyncKeyState

Kernel32.dll

MSVBVM60.DLL

kernel32.dll

%sy5|l

SSSSSh

{6S%X

^.NrL

I.Mh|

SHELL32.DLL

KERNEL32.DLL

EmangEloh.exe

.rsrc

%WinDir%\M35838\EmangEloh.exe

hXXp://padrup.com/sobaka1.gif

hXXp://190.120.227.91:8080/sobakavolos.gif

hXXp://89.11

.info/home.gifIh

bW.text

JKERNEL32.dll

%x.exe

h.rdla&

mH.MN8

T4.At%

S.twa

.klkjw:9fqwiBumW

.sysa

Zc.pBTa

~%s:*:yd:

.!.VF*

.d&?%x=

GUrlA'

"\'Web%w}

HTTP)s'PS

2GUARDCMD

o.ENHCDM

wWEBWUPD

MM.PF

%xn'[

>>?456789:;

!"#$%&'()* ,-./4

qn%CXf

UP*dB.PPd@.

%FoAN-x

ÄEW

%F" *" a

ADVAPI32.dll

MSVCRT.dll

SHELL32.dll

USER32.dll

WS2_32.dll

SHFileOperationA

%sgkU

ei.sEI

*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

winlogon.exe

suport

login

ZIPPED.zip

FILEATTACH.bz2

Doc.gz

SMTP Server

SMTP Email Address

smtp.

curriculum vittae.zip

USE_RAR_To_Extract.ace

file.bz2

thisfile.gz

TITTA'S Picture.jar

<strong>free screen saver romance for you <br>Please Visit Our Web Site <a href=hXXp://VVV.moonLight.com>hXXp://VVV.moonLight.com<a>

aku mahasiswa <a href=hXXp://VVV.bsi.ac.id>Bsi</a> Margonda smt 3

12050075

<br>password lampiran 55132098

\regsvr32.exe

\twain32.dll

<br>For security reasons attached file is password protected.<br> The password is 55132098

OSSMTP.SMTPSession

*.html

TutoriaL HAcking .exe

Lagu - Server .scr

Data DosenKu .exe

Titip Folder Jangan DiHapus .exe

Love Song .scr

New mp3 BaraT !! .exe

THe Best Ungu .scr

Blink 182 .exe

Norman virus Control 5.18 .exe

Windows Vista setup .scr

Gallery .scr

RaHasIA .exe

service.exe

smss.exe

\msvbvm60.dll

\system\msvbvm60.dll

\service.exe

\smss.exe

\EmangEloh.exe

\winlogon.exe

cie.cmd

ta.exe

bLay.com

l.exe

\sql.cmd

Software\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe,

\userinit.exe ,

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

msconfig.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

\notepad.exe

regedit.exe

Software\Microsoft\Windows\CurrentVersion\run

\*.pif

*.htm

hXXp://VVV.geocities.com/m00nL19ht2006/

\MYpIC.zip

zipfile.txt

dll.txt

payload.txt

\payload.vbs

update1.txt

\untk.com

hXXp://VVV.apasajalah.host.sk/testms.php?mod=save&bkd=0&klog=

\[TheMoonlight].txt

@*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

Moonlight.exe

EmangEloh.exe_1324_rwx_00350000_00002000:

The procedure %s could not be located in the DLL %s.

The ordinal %d could not be located in the DLL %s.

winlogon.exe_1512:

.text

`.rsrc

keylog

shell32.dll

ShellExecuteA

RasApi32.dll

wininet.dll

InternetOpenUrlA

advapi32.dll

GetWindowsDirectoryA

user32.dll

EnumWindows

VBA6.DLL

RegCloseKey

RegCreateKeyA

RegDeleteKeyA

RegOpenKeyA

RegOpenKeyExA

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

OpenUrl

GetKeyState

GetAsyncKeyState

Kernel32.dll

MSVBVM60.DLL

kernel32.dll

%sy5|l

SSSSSh

{6S%X

^.NrL

I.Mh|

SHELL32.DLL

KERNEL32.DLL

winlogon.exe

.rsrc

%Documents and Settings%\%current user%\Templates\O63746Z\winlogon.exe

hXXp://padrup.com/sobaka1.gif

hXXp://190.120.227.91:8080/sobakavolos.gif

hXXp://89.11

.info/home.gifIh

bW.text

JKERNEL32.dll

%x.exe

h.rdla&

mH.MN8

T4.At%

S.twa

.klkjw:9fqwiBumW

.sysa

Zc.pBTa

~%s:*:yd:

.!.VF*

.d&?%x=

GUrlA'

"\'Web%w}

HTTP)s'PS

2GUARDCMD

o.ENHCDM

wWEBWUPD

MM.PF

%xn'[

>>?456789:;

!"#$%&'()* ,-./4

qn%CXf

UP*dB.PPd@.

%FoAN-x

ÄEW

%F" *" a

ADVAPI32.dll

MSVCRT.dll

SHELL32.dll

USER32.dll

WS2_32.dll

SHFileOperationA

%sgkU

ei.sEI

*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

suport

login

ZIPPED.zip

FILEATTACH.bz2

Doc.gz

SMTP Server

SMTP Email Address

smtp.

curriculum vittae.zip

USE_RAR_To_Extract.ace

file.bz2

thisfile.gz

TITTA'S Picture.jar

<strong>free screen saver romance for you <br>Please Visit Our Web Site <a href=hXXp://VVV.moonLight.com>hXXp://VVV.moonLight.com<a>

aku mahasiswa <a href=hXXp://VVV.bsi.ac.id>Bsi</a> Margonda smt 3

12050075

<br>password lampiran 55132098

\regsvr32.exe

\twain32.dll

<br>For security reasons attached file is password protected.<br> The password is 55132098

OSSMTP.SMTPSession

*.html

TutoriaL HAcking .exe

Lagu - Server .scr

Data DosenKu .exe

Titip Folder Jangan DiHapus .exe

Love Song .scr

New mp3 BaraT !! .exe

THe Best Ungu .scr

Blink 182 .exe

Norman virus Control 5.18 .exe

Windows Vista setup .scr

Gallery .scr

RaHasIA .exe

service.exe

smss.exe

EmangEloh.exe

\msvbvm60.dll

\system\msvbvm60.dll

\service.exe

\smss.exe

\EmangEloh.exe

\winlogon.exe

cie.cmd

ta.exe

bLay.com

l.exe

\sql.cmd

Software\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe,

\userinit.exe ,

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

msconfig.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

\notepad.exe

regedit.exe

Software\Microsoft\Windows\CurrentVersion\run

\*.pif

*.htm

hXXp://VVV.geocities.com/m00nL19ht2006/

\MYpIC.zip

zipfile.txt

dll.txt

payload.txt

\payload.vbs

update1.txt

\untk.com

hXXp://VVV.apasajalah.host.sk/testms.php?mod=save&bkd=0&klog=

\[TheMoonlight].txt

@*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

Moonlight.exe

EmangEloh.exe_1324_rwx_00401000_00017000:

keylog

shell32.dll

ShellExecuteA

RasApi32.dll

wininet.dll

InternetOpenUrlA

advapi32.dll

GetWindowsDirectoryA

user32.dll

EnumWindows

VBA6.DLL

RegCloseKey

RegCreateKeyA

RegDeleteKeyA

RegOpenKeyA

RegOpenKeyExA

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

OpenUrl

GetKeyState

GetAsyncKeyState

Kernel32.dll

MSVBVM60.DLL

*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

winlogon.exe

suport

login

ZIPPED.zip

FILEATTACH.bz2

Doc.gz

SMTP Server

SMTP Email Address

smtp.

curriculum vittae.zip

USE_RAR_To_Extract.ace

file.bz2

thisfile.gz

TITTA'S Picture.jar

<strong>free screen saver romance for you <br>Please Visit Our Web Site <a href=hXXp://VVV.moonLight.com>hXXp://VVV.moonLight.com<a>

aku mahasiswa <a href=hXXp://VVV.bsi.ac.id>Bsi</a> Margonda smt 3

12050075

<br>password lampiran 55132098

\regsvr32.exe

\twain32.dll

<br>For security reasons attached file is password protected.<br> The password is 55132098

OSSMTP.SMTPSession

*.html

TutoriaL HAcking .exe

Lagu - Server .scr

Data DosenKu .exe

Titip Folder Jangan DiHapus .exe

Love Song .scr

New mp3 BaraT !! .exe

THe Best Ungu .scr

Blink 182 .exe

Norman virus Control 5.18 .exe

Windows Vista setup .scr

Gallery .scr

RaHasIA .exe

service.exe

smss.exe

EmangEloh.exe

\msvbvm60.dll

\system\msvbvm60.dll

\service.exe

\smss.exe

\EmangEloh.exe

\winlogon.exe

cie.cmd

ta.exe

bLay.com

l.exe

\sql.cmd

Software\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe,

\userinit.exe ,

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

msconfig.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

\notepad.exe

regedit.exe

Software\Microsoft\Windows\CurrentVersion\run

\*.pif

*.htm

hXXp://VVV.geocities.com/m00nL19ht2006/

\MYpIC.zip

zipfile.txt

dll.txt

payload.txt

\payload.vbs

update1.txt

\untk.com

hXXp://VVV.apasajalah.host.sk/testms.php?mod=save&bkd=0&klog=

\[TheMoonlight].txt

@*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

Moonlight.exe

EmangEloh.exe_1324_rwx_0041A000_00005000:

kernel32.dll

%sy5|l

SSSSSh

{6S%X

EmangEloh.exe_1324_rwx_0042B000_00004000:

^.NrL

EmangEloh.exe_1324_rwx_00435000_0000F000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

EmangEloh.exe

.rsrc

%WinDir%\M35838\EmangEloh.exe

hXXp://padrup.com/sobaka1.gif

hXXp://190.120.227.91:8080/sobakavolos.gif

hXXp://89.11

.info/home.gifIh

bW.text

JKERNEL32.dll

%x.exe

h.rdla&

mH.MN8

T4.At%

S.twa

.klkjw:9fqwiBumW

.sysa

Zc.pBTa

~%s:*:yd:

.!.VF*

.d&?%x=

GUrlA'

"\'Web%w}

HTTP)s'PS

2GUARDCMD

o.ENHCDM

wWEBWUPD

MM.PF

%xn'[

>>?456789:;

!"#$%&'()* ,-./4

qn%CXf

UP*dB.PPd@.

%FoAN-x

ÄEW

%F" *" a

ADVAPI32.dll

MSVCRT.dll

SHELL32.dll

USER32.dll

WS2_32.dll

RegCloseKey

SHFileOperationA

EmangEloh.exe_1324_rwx_00F60000_00002000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.rsrc

.text

EmangEloh.exe_1324_rwx_00F70000_00001000:

|emangeloh.exeM_1324_

winlogon.exe_1512_rwx_00350000_00002000:

The procedure %s could not be located in the DLL %s.

The ordinal %d could not be located in the DLL %s.

winlogon.exe_1512_rwx_00401000_00017000:

keylog

shell32.dll

ShellExecuteA

RasApi32.dll

wininet.dll

InternetOpenUrlA

advapi32.dll

GetWindowsDirectoryA

user32.dll

EnumWindows

VBA6.DLL

RegCloseKey

RegCreateKeyA

RegDeleteKeyA

RegOpenKeyA

RegOpenKeyExA

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

OpenUrl

GetKeyState

GetAsyncKeyState

Kernel32.dll

MSVBVM60.DLL

*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

winlogon.exe

suport

login

ZIPPED.zip

FILEATTACH.bz2

Doc.gz

SMTP Server

SMTP Email Address

smtp.

curriculum vittae.zip

USE_RAR_To_Extract.ace

file.bz2

thisfile.gz

TITTA'S Picture.jar

<strong>free screen saver romance for you <br>Please Visit Our Web Site <a href=hXXp://VVV.moonLight.com>hXXp://VVV.moonLight.com<a>

aku mahasiswa <a href=hXXp://VVV.bsi.ac.id>Bsi</a> Margonda smt 3

12050075

<br>password lampiran 55132098

\regsvr32.exe

\twain32.dll

<br>For security reasons attached file is password protected.<br> The password is 55132098

OSSMTP.SMTPSession

*.html

TutoriaL HAcking .exe

Lagu - Server .scr

Data DosenKu .exe

Titip Folder Jangan DiHapus .exe

Love Song .scr

New mp3 BaraT !! .exe

THe Best Ungu .scr

Blink 182 .exe

Norman virus Control 5.18 .exe

Windows Vista setup .scr

Gallery .scr

RaHasIA .exe

service.exe

smss.exe

EmangEloh.exe

\msvbvm60.dll

\system\msvbvm60.dll

\service.exe

\smss.exe

\EmangEloh.exe

\winlogon.exe

cie.cmd

ta.exe

bLay.com

l.exe

\sql.cmd

Software\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

explorer.exe,

\userinit.exe ,

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

msconfig.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

\notepad.exe

regedit.exe

Software\Microsoft\Windows\CurrentVersion\run

\*.pif

*.htm

hXXp://VVV.geocities.com/m00nL19ht2006/

\MYpIC.zip

zipfile.txt

dll.txt

payload.txt

\payload.vbs

update1.txt

\untk.com

hXXp://VVV.apasajalah.host.sk/testms.php?mod=save&bkd=0&klog=

\[TheMoonlight].txt

@*\AD:\DataHellSpawn\WARING_VIRII_LABORATORY\Virus Ku\Moonlight.b\Project1.vbp

Moonlight.exe

winlogon.exe_1512_rwx_0041A000_00005000:

kernel32.dll

%sy5|l

SSSSSh

{6S%X

winlogon.exe_1512_rwx_0042B000_00004000:

^.NrL

winlogon.exe_1512_rwx_00435000_0000F000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

winlogon.exe

.rsrc

%Documents and Settings%\%current user%\Templates\O63746Z\winlogon.exe

hXXp://padrup.com/sobaka1.gif

hXXp://190.120.227.91:8080/sobakavolos.gif

hXXp://89.11

.info/home.gifIh

bW.text

JKERNEL32.dll

%x.exe

h.rdla&

mH.MN8

T4.At%

S.twa

.klkjw:9fqwiBumW

.sysa

Zc.pBTa

~%s:*:yd:

.!.VF*

.d&?%x=

GUrlA'

"\'Web%w}

HTTP)s'PS

2GUARDCMD

o.ENHCDM

wWEBWUPD

MM.PF

%xn'[

>>?456789:;

!"#$%&'()* ,-./4

qn%CXf

UP*dB.PPd@.

%FoAN-x

ÄEW

%F" *" a

ADVAPI32.dll

MSVCRT.dll

SHELL32.dll

USER32.dll

WS2_32.dll

RegCloseKey

SHFileOperationA

winlogon.exe_1512_rwx_00F60000_00002000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.rsrc

.text

winlogon.exe_1512_rwx_00F70000_00001000:

|winlogon.exeM_1512_

Explorer.EXE_1140_rwx_00FF0000_00002000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.rsrc

.text

Explorer.EXE_1140_rwx_01E20000_00001000:

|explorer.exeM_1140_

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:1232
   wtmps.exe:2908
   mscaps.exe:2960
   @AE1.tmp.exe:1632
   launch.exe:2824
   WdExt.exe:2284
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Templates\O63746Z\winlogon.exe (1281 bytes)
   %Documents and Settings%\%current user%\Start Menu\Programs\Startup\sql.cmd (1281 bytes)
   %Documents and Settings%\%current user%\Templates\O63746Z\service.exe (1281 bytes)
   %WinDir%\Ti645063ta.exe (1281 bytes)
   %System%\X51334go\Z127387cie.cmd (1281 bytes)
   %WinDir%\M35838\smss.exe (1281 bytes)
   %WinDir%\M35838\Ja856821bLay.com (1281 bytes)
   %System%\127387645063l.exe (1281 bytes)
   %WinDir%\sa-755287.exe (1281 bytes)
   %WinDir%\M35838\EmangEloh.exe (1281 bytes)
   %WinDir%\system\msvbvm60.dll (8657 bytes)
   %Documents and Settings%\%current user%\Templates\O63746Z\TuxO63746Z.exe (1281 bytes)
   %System%\mscaps.exe (27349 bytes)
   %System%\wtime32.dll (29045 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\E.tmp (406 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000808E2_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080901_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FF6C_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000804EA_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000805D5_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FD69_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080008_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080400_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FA6B_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Messenger\Extension\WdExt.exe (244510 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008050A_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080047_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F673_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008074C_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FEA1_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F700_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F8A6_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F599_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F6B2_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\Sp3.tmp (1304 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F932_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FB36_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000808C3_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F952_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080884_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000806FE_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F7DB_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FD0B_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F7BB_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000802C8_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080613_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008044E_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F9BF_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F625_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080671_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080354_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\buxql.exe (561 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080539_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000807AA_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000804CB_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F73E_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FCBD_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F80A_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080690_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080279_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FEE0_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FA1D_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080325_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FBE2_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000807C9_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080112_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FE63_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080141_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F9CF_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F616_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F9FE_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F971_Rar\@AE1.tmp.exe (13122 bytes)
   %WinDir%\system.ini (68 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000806DE_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000800E3_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FDE6_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008047D_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F79C_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FDA7_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080076_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080316_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F819_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F8E4_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000807E8_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000804AC_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008042F_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000803A2_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F4ED_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FD49_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FBC3_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080567_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FC7E_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080383_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000808A4_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F848_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FFAB_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008072D_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F654_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008046D_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (459254 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000808F2_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (12549 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080652_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000805B6_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\tmp5.tmp (907 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FA8A_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000803C2_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FA4C_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FAC9_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\Se4.tmp (1792 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FD88_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F5F6_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F78D_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008071D_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FC20_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F913_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F838_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080548_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F867_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FB17_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F6D1_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Application Data\Temp\adm1.bat (196 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F990_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FAE8_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F4CD_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F7EA_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F644_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080817_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F54A_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080587_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F693_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007F664_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FB75_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080836_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000802A8_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FE43_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FE24_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0007FA2C_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000806B0_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000805F4_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080865_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008023B_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00080633_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008076B_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Application Data\Temp\adm0.bat (159 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008078A_Rar\@AE1.tmp.exe (13122 bytes)
   %WinDir%\pchealth\UploadLB\Gallery .scr (305 bytes)
   %WinDir%\SoftwareDistribution\Download\TutoriaL HAcking .exe (305 bytes)
   %WinDir%\ime\shared\Blink 182 .exe (305 bytes)
   %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\Titip Folder Jangan DiHapus .exe (305 bytes)
   %WinDir%\[TheMoonlight].txt (109 bytes)
   %Documents and Settings%\All Users\Application Data\Microsoft\Network\Downloader\RaHasIA .exe (305 bytes)
   %Program Files%\Movie Maker\Shared\Gallery .scr (305 bytes)
   %WinDir%\Downloaded Program Files\THe Best Ungu .scr (305 bytes)
   %Program Files%\Common Files\Microsoft Shared\Titip Folder Jangan DiHapus .exe (305 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008289F_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082C97_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083820_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082F27_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082F56_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082FF2_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000818C1_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082E2D_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000839D5_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000819AB_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008210E_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082F17_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000817D6_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008368A_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082294_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081D54_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083A33_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083273_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000834B5_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000826CA_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081892_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008192E_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081546_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000839B6_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082071_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083745_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081E9D_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082DDF_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083978_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000835CE_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000839A6_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082052_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082C87_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082285_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083B8B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081DB2_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Addins\att.dll (18829 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082A64_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083BBA_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008290C_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\tmpD.tmp (55476 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008314A_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081D16_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081FD5_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082FC3_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082042_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082C77_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000832C1_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081601_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000835AF_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Shared\Modules\fil.dll (10805 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008382F_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008331F_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000816FB_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081BCE_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082459_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081E8D_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081FC5_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Repairs\sha.dll (7589 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082B4F_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008260F_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082803_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081BBE_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083A43_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081815_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008293B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008148A_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008266D_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000832FF_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083BAA_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081E5E_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082544_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000834E4_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081EFA_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083774_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082841_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008146B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082747_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\tmp7.tmp (48916 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008213C_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008312B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082E1D_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082524_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000835BE_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081FF4_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081B80_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083784_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008142D_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081D83_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082C29_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000821AA_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000819DA_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082822_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082E8B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081B12_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083BC9_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082515_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083707_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\tmpB.tmp (21164 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000821C9_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082479_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008149A_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008240B_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082023_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000834D4_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008383F_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000823FC_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000830DC_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008217B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000822C3_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081AB5_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082A45_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000839C6_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\tmp9.tmp (28924 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083179_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000818A1_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082330_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083447_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081640_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000815B3_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008165F_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082E5C_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081D74_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081882_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000826BB_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000825FF_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082F85_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081A76_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008361C_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083A14_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008330F_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008196C_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082DFE_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082FB4_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081EEB_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082F46_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081ECB_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008214C_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\tmpC.tmp (36444 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083810_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082A93_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Defender\launch.exe (18077 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000814AA_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083726_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082C58_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081D06_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\wtmps.exe (31581 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081B8F_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081AE3_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082CD5_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082B3F_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082062_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081F1A_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008241B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081B9F_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081517_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083438_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082488_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083409_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083428_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083457_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081A28_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081565_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008190F_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000839F5_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082B5E_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008198C_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083188_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081D26_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082B20_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008387E_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082E4C_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000831A8_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082BFA_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000818EF_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000819F9_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082E3D_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000832E0_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082DC0_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083159_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083282_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000837E1_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083476_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081FE5_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000824A7_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081E6E_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081798_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008143C_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000822E2_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081B41_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081B60_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083292_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081594_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082D62_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082469_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081F0A_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082AB2_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000832D0_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082709_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082728_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008333E_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008269B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083987_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008294B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083002_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082AE1_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000835FD_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081E4E_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008388D_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081D35_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008366A_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000828CE_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008367A_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\tmp8.tmp (26548 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Identities\"%CurrentUserName%"\arc.dll (96316 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082861_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083B7B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082718_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081769_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008310B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082033_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008385E_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Common\Shared\dis.dll (10077 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081DA3_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000830CD_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082E0E_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000814F8_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082C49_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082FD3_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008364B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000832A2_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000822D3_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082A35_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081507_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008172A_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082AD2_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083467_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081853_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081D93_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082498_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082E7B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082302_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082C39_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008386E_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000822A4_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000822F2_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008218B_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008311B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000816CD_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008215C_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008362C_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000835ED_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083A04_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083B5C_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081621_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Caches\Files\usd.dll (7933 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008166F_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081EDB_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000828DE_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083B3D_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082A26_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081650_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082014_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083755_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083263_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008390A_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000814C9_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082321_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\tmpA.tmp (18508 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000821B9_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081EBC_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082F94_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000838AC_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008313A_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083198_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082311_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008212D_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00081D64_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00083486_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000814E8_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008291C_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082340_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000814B9_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0008211D_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000828AF_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000834A5_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\00082F75_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000837F1_Rar\WdExt.exe (13122 bytes)
   

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "T46Z273" = "%WinDir%\sa-755287.exe"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "T1358287TT4" = "%System%\127387645063l.exe"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Windows Defender Extension" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Defender\launch.exe"
   
   

5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   "UserInit" = "%System%\userinit.exe , %WinDir%\M35838\Ja856821bLay.com"
   
   [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   "Shell" = "explorer.exe, %Documents and Settings%\%current user%\Templates\O63746Z\TuxO63746Z.exe"
   
   

6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.