MD5: 4e47e5157b88692e122d56be7e13635b
SHA1: 0c35b1f9d9a5710ef52f2a3880f9d64f28266039
SHA256: 556f0283e7d3d081b7fa30710d1cca0dfc28bf049a0f4fdbe45ef856aa33d18c
SSDeep: 1536:pdc8iDkwEvzVOBWi8LDZaY/8M6l7zXkJrfjka9wqYNqyRMqyLcXBfLFTJQZEZ4Kh:p6BpEGKe9WY/PoynyWNJQZt83B
Size: 127488 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-08-12 22:14:29
Analyzed on: WindowsXP ESX SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

kusadtylds.exe:1784
yhtdayrg.exe:2448
%original file name%.exe:980

The Trojan injects its code into the following process(es):

kusadtylds.exe:1404
%original file name%.exe:1736
ksaduytr.exe:3424
cmd.exe:1236
Explorer.EXE:1988

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process kusadtylds.exe:1404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\xxsikizcertlt[1].htm (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)

The process yhtdayrg.exe:2448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)

The Trojan deletes the following file(s):

%Program Files%\Common Files\CreativeAudio\desktop.ini (0 bytes)

The process %original file name%.exe:1736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ksaduytr.exe (4277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\bet[1].exe (64897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yhtdayrg.exe (53560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\zpm[1].exe (63199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kusadtylds.exe (47784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\ng[1].exe (6927 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kusadtylds.exe (0 bytes)

Registry activity

The process kusadtylds.exe:1404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"WireLMode" = "3E 91 CA 5B 21 B4 87 05 02 2F 88 92 4E EB 75 77"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE D6 6B 5E 13 48 47 A7 01 61 F2 CD F6 3E 4B 8C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftStCnt" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\kusadtylds.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process yhtdayrg.exe:2448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 03 E0 E6 AA 2A 61 F6 74 01 23 F1 F0 47 D3 DF"

[HKCU\Software\Win7zip]
"uuid" = "74 93 CA 40 52 25 BE 42 85 63 49 7A A7 79 9B 6A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Classes\CLSID\{7493CA40-5225-BE42-8563-497AA7799B6A}\0E7302EC\CG1]
"HAL" = "05 EE 00 00"
"BID" = "20 00 08 00 1D 00 08 00 DE 07 00 00 14 00 88 FF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cwrdsyetp.exe]
"DisableExceptionChainValidation" = ""

The process %original file name%.exe:1736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 FC AB 2C EF 49 CB 23 C5 B5 73 16 BE C4 43 EE"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United Kingdom)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

__MSVCRT_HEAP_SELECT

user32.dll

WinExec

KERNEL32.dll

ADVAPI32.dll

SHELL32.dll

URLDownloadToFileA

urlmon.dll

GetCPInfo

hXXp://54.191.185.232/dqnew.exe

dw3re.exe

hXXp://54.191.185.232/bnew.exe

hsadjku.exe

hXXp://54.191.185.232/ng.exe

ksaduytr.exe

hXXp://54.191.185.232/bet.exe

yhtdayrg.exe

hXXp://54.191.185.232/zpm.exe

kusadtylds.exe

c:\%original file name%.exe

%original file name%.exe_1736_rwx_00400000_00009000:

.text

`.rdata

@.data

__MSVCRT_HEAP_SELECT

user32.dll

WinExec

KERNEL32.dll

ADVAPI32.dll

SHELL32.dll

URLDownloadToFileA

urlmon.dll

GetCPInfo

hXXp://54.191.185.232/dqnew.exe

dw3re.exe

hXXp://54.191.185.232/bnew.exe

hsadjku.exe

hXXp://54.191.185.232/ng.exe

ksaduytr.exe

hXXp://54.191.185.232/bet.exe

yhtdayrg.exe

hXXp://54.191.185.232/zpm.exe

kusadtylds.exe

c:\%original file name%.exe

%original file name%.exe_1736_rwx_00DC0000_00027000:

.text

`.rdata

@.data

.rsrc

@.reloc

PSSSSSSh

PSSVSSh

RPVSSh

PSSh(

PSSh#

PSSh'

PSSh&

PSSh*

9p.uV

kusadtylds.exe_1404:

.text

`.rdata

@.data

;.tej

()<>@,;:\"[]

mail.hfwjwww10proxiesss.com

%c%c==

%c%c%c=

%c%c%c%c

%d.%d.%d.%d

,.!?-;()[]<>

%s %s%0.2d00

%s  0000

%s%0.2d00

(qmail %u by uid %u)

%sd%s.%u.qmail@%s

----=_NextPart_d_X_.8lX..8lX

x.8lx$.8lx$x@%s

0.0.0.0

%s %s

MAIL FROM: <%s>

RCPT TO: <%s>

to.hex

from.domain

msgid_host

date.imp

date.custom.utc

date.custom_gmt

date.custom

date.utc

qmail_msgid

ol_msgid

hotmail.com; yahoo.com; aol.com; gmail.com; mail.com

v=%s&i=%s&d=%d&m=%d&w=%d

&t=%d

&e=%d

%d:%d;

%d:%d:%s;

hXXp://%s:%d/%s.asp

%s=%s

hotmail.com

yahoo.com

SOFTWARE\Microsoft\Windows\CurrentVersion\

kernel32.dll

Software\Microsoft\Windows\CurrentVersion\Run

{CBCDE2F2-CB31-FF5A-6FA1-731547ACF810}

WS2_32.dll

HttpQueryInfoA

InternetCrackUrlA

HttpOpenRequestA

HttpSendRequestA

WININET.dll

KERNEL32.dll

RegOpenKeyExA

RegOpenKeyA

RegCloseKey

ADVAPI32.dll

MSVCRT.dll

_acmdln

DNSAPI.dll

%original file name%.exe_1736_rwx_00DE8000_0009B000:

Opera/9.00 (Windows NT 5.1; U; en)

Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)

Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)

Opera 9.4 (Windows NT 6.1; U; en)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; NeosBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990; InfoPath.2

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)

Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)

SbieDll.dll

Software\Classes\CLSID\%s\X

Software\Classes\CLSID\%s\X\%s

0xX

SB:0xX

G:%s_0xX_%c:%s_v1$

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u

IEXPLORE.EXE

IE.HTTP

SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

IE.HTTPS

SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice

IE.AssocFile.HTM

HTTP\shell\open\command

Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s

Psapi.dll

%s\%s

Software\Adobe\Acrobat Reader\%s\Privileged

mscoree.dll

HARDWARE\DESCRIPTION\System\CentralProcessor\%u

SOFTWARE\Microsoft\Windows NT\CurrentVersion

nspr4.dll

nss3.dll

Urlmon.dll

URLDownloadToFileW

Netapi32.dll

76487-640-1457236-23837

76487-337-8429955-22614

76487-644-3177037-23510

76497-640-6308873-23835

55274-640-2673064-23950

76487-640-8834005-23195

76487-640-0716662-23535

76487-644-8648466-23106

00426-293-8170032-85146

76487-341-5883812-22420

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup

{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}

snxhk.dll

comctl32.dll

ZwSetValueKey

ZwDeleteValueKey

SOFTWARE\%s

update.microsoft.com

microsoft.com

windowsupdate.microsoft.com

JOIN

PRIVMSG

.rdata

cmd_option.%s

/c %s

cmd.exe

msvcrt.dll

--x-x-x-xx

Content-Type: multipart/form-data; boundary=x-x-x-xx

Content-Disposition: multipart/form-data; name="newfile"; filename="%d.jpeg"

%s?action=up&g=%s

xul.dll

<Port>

<Pass>

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

?pid=%d

?page=%d

?id=%u

%s=%u&%s=%s

%s=%s&%s=%u

&%s=%s

&%s%u=

&%s%hu=

&%s=_%u

%d|%s|%s|%s

.info

httpget

GET /%s HTTP/1.1

Host: %s

Content-Length: %d

Accept: %s

Accept-Language: %s

Accept-Charset: %s

Accept-Encoding: %s

User-Agent: %s

Referer: %s

Connection: %s

hXXp://

iexplore.exe

firefox.exe

tbb-firefox.exe

%s:%hu

windowsupdate

SSH2_MSG_KEXINIT

SSH2_MSG_DISCONNECT

SSH2_MSG_USERAUTH_SUCCESS

hXXp://%s%s/image.php?id=%s

TaskDialogIndirect

hXXp://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535

ÐxX

ntdll.dll

kernel32.dll

secur32.dll

crypt32.dll

user32.dll

advapi32.dll

wininet.dll

shell32.dll

shlwapi.dll

ole32.dll

version.dll

sfc.dll

dnsapi.dll

ws2_32.dll

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>

8"808]9|9

9%9 919<9

=(=/=6==={=

4 4?4^4}4

6o6g6r6w6

9 9$9(90949

.text

`.rdata

@.data

.rsrc

Currency symbol is: %s

Thread %d writing to database...

Invalid parameter passed to C runtime function.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

ShellExecuteA

ShellExecuteW

SHELL32.dll

dbghelp.dll

CertFreeCertificateContext

CryptMsgGetParam

CryptMsgClose

CertCloseStore

CertFindCertificateInStore

CertGetNameStringW

CRYPT32.dll

SetNamedPipeHandleState

GetCPInfo

GetConsoleOutputCP

KERNEL32.dll

IK.rT

RTcp

35`.ZJpS

.pj'Q.

on>%s

U9.pD

Tu.AEG

i!cp%U

#%CgT

M.cI9Y

'.BP(

x.liu

ueK.Pr

?.yhZ

Software\Classes\CLSID\%S

G:%S_0xX

chrome.exe

opera.exe

safari.exe

maxthon.exe

:Mozilla\Firefox\Profiles

cookies.sqlite

%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*

%s\winsxs\%s\comctl32.dll

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s

%s:*:Enabled

avcuf32.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

prstrui.exe

Windows Defender

MpClient.dll

Windows Defender\MSASCui.exe

MpSvc.dll

msseces.exe

MsMpEng.exe

MSASCui.exe

MpAsDesc.dll

MsMpLics.dll

avgui.exe

avgidsagent.exe

avgwdsvc.exe

avgdiagex.exe

avgmfapx.exe

avgupd.exe

avgcfgex.exe

avgnt.exe

avguard.exe

avshadow.exe

avcenter.exe

update.dll

updaterc.dll

usrreq.exe

ccsvchst.exe

symerr.exe

NIS.exe

NAV.exe

navw32.exe

avastui.exe

AvastEmUpdate.exe

ashUpd.exe

WRSA.exe

zatray.exe

ForceField.exe

updating.dll

fshoster32.exe

fsaua.dll

PSUNMain.exe

PSUAService.exe

PSANHost.exe

PSUNScan.dll

epavjobs.exe

AVENGINE.exe

Upgrader.exe

adaware.exe

BullGuard.exe.manifest

BullGuardUpdate.exe

BullGuard.exe

BullGuardScanner.exe

BullGuardBhvScanner.exe

BullGuardUpdate2.exe

BgScan.exe

BgScanEngine.dll

.manifest

updater.exe

Backup\RSD\RSSetup\updater.exe

RsTray.exe

RavMonD.exe

RsMgrSvc.exe

rsmain.exe

RsScan.dll

RsTray.dll

mbamgui.exe

mbam.exe

pctsGui.exe

pctsAuxs.exe

pctsSvc.exe

Update.exe

UpdateHlpr.dll

Definitions\vcore.dll

sbamui.exe

SBAMTray.exe

updater_client_mod.dll

FProtTray.exe

FPWin.exe

scf.dat

ALUpdate.exe

update_tmp.exe

arcaclean.exe

BavUpdater.exe

rcfp.exe

CLPSLA.exe

op_mon.exe

niu.exe

K7TSUpdT.exe

sguardxup.exe

ccupdate.exe

caupdate.dll

a2guard.exe

a2start.exe

a2service.exe

AVKTray.exe

GDSC.exe

AVK.exe

GDFirewallTray.exe

Bka.exe

BLuPro.exe

BkavSystemServer.exe

BkavService.exe

LiveUpdate.dll

LiveConnect.dll

BaseFile\Bkav\LiveUpdate.dll

V3Lite.exe

ASDSvc.exe

autoup.exe

downloader.exe

%s.config

updatesrv.exe

updatemgr.dll

egui.exe

ekrn.exe

x86\ekrn.exe

uWinMgr.exe

coreServiceShell.exe

uiSeAgnt.exe

uiWatchDog.exe

plugins\plugUpdater.dll

UiFrmwrk\uiUpdateTray.exe

coreFrameworkHost.exe

mcagent.exe

McSvHost.exe

McUICnt.exe

McPvTray.exe

mcui_exe

mcpltui_exe

mcshell.exe

mcupdmgr.exe

mcupdate.exe

mcshield.exe

mcupdui.dll

McAPExe.exe

.config

Image File Execution Options\%s

SYSTEM\CurrentControlSet\services\%s

%c:\ntusbdriver.sys

%c:\*p.exe

%c:\%s

p.exe

%WinDir%\explorer.exe

/C start /d. %s&"%s"

%COMSPEC%

%WinDir%\system32\shell32.dll

%c:\%s.lnk

VisthAux.exe

explorer.exe

t.minecraft

Works! PID: %d, Name: %s

cmdvirth

%s%s\X

tcp://

svchost.exe

csrss.exe

lsass.exe

smss.exe

wscript.exe

cscript.exe

vbc.exe

rundll32.exe

regsvr32.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

winlogon.exe

services.exe

%s\x.lnk

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s

desktop.ini

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

wintrust.dll

chrome.dll

Applications\iexplore.exe\shell\open\command

%s_xx

x.zip

Navw32.exe

SysInspector.exe

avscan.exe

mfefire.exe

wuauclt.exe

WerFault.exe

lFileZilla\sitemanager.xml

port

Sites.dat

Quick.dat

%s\3\%s

%s\4\%s

spoolsv.exe

steam.exe

skype.exe

origin.exe

dwm.exe

tapi3.dll

/C copy "%s" "%s"

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

Windows Update Service

"%s" /%s

Software\Microsoft\Windows\CurrentVersion\RunOnce

/CREATE /SC ONLOGON /TN "Windows Update Check - 0xX" /TR "%s" /RL HIGHEST

schtasks.exe

/DELETE /TN "Windows Update Check - 0xX" /F

\Windows\Explorer.exe

Low_X

%s.manifest

PendingFileRenameOperations

%s\X

Windows\CurrentVersion\Run

CurrentVersion\Windows

Windows NT\CurrentVersion\Image File Execution Options\%s

Windows has encountered a corrupted folder on your hard drive

Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of data, please allow Windows to restore these files.

Corrupted folder: %s

Corrupted file count: %d

<a href=".ms">%s</a>

/c start "" "%s" /%s "%s"

shell32,ShellExec_RunDLL "%s" /%s "%s"

You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.

Windows 3.1 Update Service

%s:Zone.Identifier

%s\X.pif

%Documents and Settings%\%current user%

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\All Users\Application Data

%Documents and Settings%\%current user%\My Documents\My Pictures

%Documents and Settings%\%current user%\My Documents\My Music

%Documents and Settings%\%current user%\My Documents\My Videos

%Program Files%

%WinDir%\winsxs\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll

%WinDir%\explorer.exe

s\"%CurrentUserName%"\Local Settings\Temp\yhtdayrg.exe

%Program Files%\Common Files\CreativeAudio\cwrdsyetp.exe

%Documents and Settings%\%current user%\0E7302EC.pif

%Program Files%\Common Files\CreativeAudio

yhtdayrg.exe

%Documents and Settings%\%current user%\Low_00FEC012

cwrdsyetp.exe

0E7302EC.pif

KERNEL32.DLL

KERNELBASE.DLL

kernelbase.dll

Error reading %s%s%s: %s

%s.Seek not implemented$Operation not allowed on sorted list

Property %s does not exist

List index out of bounds (%d) List capacity out of bounds (%d)

List count out of bounds (%d)

Ancestor for '%s' not found

Cannot assign a %s to a %s

Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file %s

Cannot open file %s$''%s'' is not a valid component name

Invalid property value List capacity out of bounds (%d)

List index out of bounds (%d)

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

!'%s' is not a valid integer value

I/O error %d

Integer overflow Invalid floating point operation

DNSQuerySniffer.exe

kusadtylds.exe_1404_rwx_00400000_0000B000:

.text

`.rdata

@.data

;.tej

()<>@,;:\"[]

mail.hfwjwww10proxiesss.com

%c%c==

%c%c%c=

%c%c%c%c

%d.%d.%d.%d

,.!?-;()[]<>

%s %s%0.2d00

%s  0000

%s%0.2d00

(qmail %u by uid %u)

%sd%s.%u.qmail@%s

----=_NextPart_d_X_.8lX..8lX

x.8lx$.8lx$x@%s

0.0.0.0

%s %s

MAIL FROM: <%s>

RCPT TO: <%s>

to.hex

from.domain

msgid_host

date.imp

date.custom.utc

date.custom_gmt

date.custom

date.utc

qmail_msgid

ol_msgid

hotmail.com; yahoo.com; aol.com; gmail.com; mail.com

v=%s&i=%s&d=%d&m=%d&w=%d

&t=%d

&e=%d

%d:%d;

%d:%d:%s;

hXXp://%s:%d/%s.asp

%s=%s

hotmail.com

yahoo.com

SOFTWARE\Microsoft\Windows\CurrentVersion\

kernel32.dll

Software\Microsoft\Windows\CurrentVersion\Run

{CBCDE2F2-CB31-FF5A-6FA1-731547ACF810}

WS2_32.dll

HttpQueryInfoA

InternetCrackUrlA

HttpOpenRequestA

HttpSendRequestA

WININET.dll

KERNEL32.dll

RegOpenKeyExA

RegOpenKeyA

RegCloseKey

ADVAPI32.dll

MSVCRT.dll

_acmdln

DNSAPI.dll

ksaduytr.exe_3424:

.text

`.data

.rsrc

@.reloc

*windows defender*

*windowsupdate*

*drweb*

dwwin.exe

kernel32.dll

iphlpapi.dll

GetExtendedTcpTable

GetOwnerModuleFromTcpEntry

%systemroot%

%programfiles%\Common Files\*\*.exe

%appdata%\Identities\*.exe

%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe

ole32.dll

/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"

/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"

%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe

%SystemRoot%\system32\SHELL32.dll

%s\c731200

%s\%s

%s\%s.lnk

Windows_Shared_Mutex_231_c000100

ntdll.dll

\ScreenSaverPro.scr

\temp.bin

user32.dll

advapi32.dll

shell32.dll

urlmon.dll

wininet.dll

gdi32.dll

rpcrt4.dll

netapi32.dll

*.exe

.gonewiththewings

*.gonewiththewings

WinExec

URLDownloadToFileA

hXXp://VVV.google.com

\calc.exe

\Reader_sl.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

notepad.exe

\notepad.exe

\svchost.exe

WindowsId

Identities\%s

%s\%s\%s.exe

:Zone.Identifier

.quarantined

"%s" -shell

"%s" -bind

userinit.exe

explorer.exe

Windows critical error, require reboot

Windows Update

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

GetProcessHeap

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyA

RegEnumKeyA

RegCreateKeyExA

RegOpenKeyExA

ADVAPI32.dll

ShellExecuteExW

SHELL32.dll

SetTcpEntry

SHLWAPI.dll

RPCRT4.dll

NETAPI32.dll

DNSAPI.dll

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Software\WindowsId Manager Reader

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\RunOnce

WindowsMark

m1xg.org

mxxtxxt.biz

meob.me

%System%\calc.exe

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0A

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

%s_%d

-%sMutex

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

PTF://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

hXXp://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

URLDownloadToFileW

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

Secur32.dll

ShellExecuteA

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

WS2_32.dll

MSVCRT.dll

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

RegNotifyChangeKeyValue

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\x_ipc

7 767<7~7

8*808;8~8

{A5DCBF10-6530-11D2-901F-00C04FB951ED}

shlwapi.dll

crypt32.dll

wtsapi32.dll

samcli.dll

netutils.dll

userenv.dll

WindowsSecondaryDesktop

\charmap.exe

\Windows Media Player\wmprph.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe

%System%\notepad.exe

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

Aadvapi32.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

kusadtylds.exe_1404_rwx_00EC0000_000C3000:

.text

`.rdata

@.data

.rsrc

@.reloc

PSSSSSSh

PSSVSSh

RPVSSh

PSSh(

PSSh#

PSSh'

PSSh&

PSSh*

9p.uV

Opera/9.00 (Windows NT 5.1; U; en)

Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)

Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)

Opera 9.4 (Windows NT 6.1; U; en)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; NeosBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990; InfoPath.2

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)

Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)

SbieDll.dll

Software\Classes\CLSID\%s\X

Software\Classes\CLSID\%s\X\%s

0xX

SB:0xX

G:%s_0xX_%c:%s_v1$

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u

IEXPLORE.EXE

IE.HTTP

SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

IE.HTTPS

SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice

IE.AssocFile.HTM

HTTP\shell\open\command

Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s

Psapi.dll

%s\%s

Software\Adobe\Acrobat Reader\%s\Privileged

mscoree.dll

HARDWARE\DESCRIPTION\System\CentralProcessor\%u

SOFTWARE\Microsoft\Windows NT\CurrentVersion

nspr4.dll

nss3.dll

Urlmon.dll

URLDownloadToFileW

Netapi32.dll

76487-640-1457236-23837

76487-337-8429955-22614

76487-644-3177037-23510

76497-640-6308873-23835

55274-640-2673064-23950

76487-640-8834005-23195

76487-640-0716662-23535

76487-644-8648466-23106

00426-293-8170032-85146

76487-341-5883812-22420

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup

{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}

snxhk.dll

comctl32.dll

ZwSetValueKey

ZwDeleteValueKey

SOFTWARE\%s

update.microsoft.com

microsoft.com

windowsupdate.microsoft.com

JOIN

PRIVMSG

.rdata

cmd_option.%s

/c %s

cmd.exe

msvcrt.dll

--x-x-x-xx

Content-Type: multipart/form-data; boundary=x-x-x-xx

Content-Disposition: multipart/form-data; name="newfile"; filename="%d.jpeg"

%s?action=up&g=%s

xul.dll

<Port>

<Pass>

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

?pid=%d

?page=%d

?id=%u

%s=%u&%s=%s

%s=%s&%s=%u

&%s=%s

&%s%u=

&%s%hu=

&%s=_%u

%d|%s|%s|%s

.info

httpget

GET /%s HTTP/1.1

Host: %s

Content-Length: %d

Accept: %s

Accept-Language: %s

Accept-Charset: %s

Accept-Encoding: %s

User-Agent: %s

Referer: %s

Connection: %s

hXXp://

iexplore.exe

firefox.exe

tbb-firefox.exe

%s:%hu

windowsupdate

SSH2_MSG_KEXINIT

SSH2_MSG_DISCONNECT

SSH2_MSG_USERAUTH_SUCCESS

hXXp://%s%s/image.php?id=%s

TaskDialogIndirect

hXXp://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535

ÐxX

ntdll.dll

kernel32.dll

secur32.dll

crypt32.dll

user32.dll

advapi32.dll

wininet.dll

shell32.dll

shlwapi.dll

ole32.dll

version.dll

sfc.dll

dnsapi.dll

ws2_32.dll

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>

8"808]9|9

9%9 919<9

=(=/=6==={=

4 4?4^4}4

6o6g6r6w6

9 9$9(90949

Currency symbol is: %s

Thread %d writing to database...

Invalid parameter passed to C runtime function.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

ShellExecuteA

ShellExecuteW

SHELL32.dll

dbghelp.dll

CertFreeCertificateContext

CryptMsgGetParam

CryptMsgClose

CertCloseStore

CertFindCertificateInStore

CertGetNameStringW

CRYPT32.dll

SetNamedPipeHandleState

GetCPInfo

GetConsoleOutputCP

KERNEL32.dll

IK.rT

RTcp

35`.ZJpS

.pj'Q.

on>%s

U9.pD

Tu.AEG

i!cp%U

#%CgT

M.cI9Y

'.BP(

x.liu

ueK.Pr

?.yhZ

Software\Classes\CLSID\%S

G:%S_0xX

chrome.exe

opera.exe

safari.exe

maxthon.exe

:Mozilla\Firefox\Profiles

cookies.sqlite

%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*

%s\winsxs\%s\comctl32.dll

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s

%s:*:Enabled

avcuf32.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

prstrui.exe

Windows Defender

MpClient.dll

Windows Defender\MSASCui.exe

MpSvc.dll

msseces.exe

MsMpEng.exe

MSASCui.exe

MpAsDesc.dll

MsMpLics.dll

avgui.exe

avgidsagent.exe

avgwdsvc.exe

avgdiagex.exe

avgmfapx.exe

avgupd.exe

avgcfgex.exe

avgnt.exe

avguard.exe

avshadow.exe

avcenter.exe

update.dll

updaterc.dll

usrreq.exe

ccsvchst.exe

symerr.exe

NIS.exe

NAV.exe

navw32.exe

avastui.exe

AvastEmUpdate.exe

ashUpd.exe

WRSA.exe

zatray.exe

ForceField.exe

updating.dll

fshoster32.exe

fsaua.dll

PSUNMain.exe

PSUAService.exe

PSANHost.exe

PSUNScan.dll

epavjobs.exe

AVENGINE.exe

Upgrader.exe

adaware.exe

BullGuard.exe.manifest

BullGuardUpdate.exe

BullGuard.exe

BullGuardScanner.exe

BullGuardBhvScanner.exe

BullGuardUpdate2.exe

BgScan.exe

BgScanEngine.dll

.manifest

updater.exe

Backup\RSD\RSSetup\updater.exe

RsTray.exe

RavMonD.exe

RsMgrSvc.exe

rsmain.exe

RsScan.dll

RsTray.dll

mbamgui.exe

mbam.exe

pctsGui.exe

pctsAuxs.exe

pctsSvc.exe

Update.exe

UpdateHlpr.dll

Definitions\vcore.dll

sbamui.exe

SBAMTray.exe

updater_client_mod.dll

FProtTray.exe

FPWin.exe

scf.dat

ALUpdate.exe

update_tmp.exe

arcaclean.exe

BavUpdater.exe

rcfp.exe

CLPSLA.exe

op_mon.exe

niu.exe

K7TSUpdT.exe

sguardxup.exe

ccupdate.exe

caupdate.dll

a2guard.exe

a2start.exe

a2service.exe

AVKTray.exe

GDSC.exe

AVK.exe

GDFirewallTray.exe

Bka.exe

BLuPro.exe

BkavSystemServer.exe

BkavService.exe

LiveUpdate.dll

LiveConnect.dll

BaseFile\Bkav\LiveUpdate.dll

V3Lite.exe

ASDSvc.exe

autoup.exe

downloader.exe

%s.config

updatesrv.exe

updatemgr.dll

egui.exe

ekrn.exe

x86\ekrn.exe

uWinMgr.exe

coreServiceShell.exe

uiSeAgnt.exe

uiWatchDog.exe

plugins\plugUpdater.dll

UiFrmwrk\uiUpdateTray.exe

coreFrameworkHost.exe

mcagent.exe

McSvHost.exe

McUICnt.exe

McPvTray.exe

mcui_exe

mcpltui_exe

mcshell.exe

mcupdmgr.exe

mcupdate.exe

mcshield.exe

mcupdui.dll

McAPExe.exe

.config

Image File Execution Options\%s

SYSTEM\CurrentControlSet\services\%s

%c:\ntusbdriver.sys

%c:\*p.exe

%c:\%s

p.exe

%WinDir%\explorer.exe

/C start /d. %s&"%s"

%COMSPEC%

%WinDir%\system32\shell32.dll

%c:\%s.lnk

VisthAux.exe

explorer.exe

t.minecraft

Works! PID: %d, Name: %s

cmdvirth

%s%s\X

tcp://

svchost.exe

csrss.exe

lsass.exe

smss.exe

wscript.exe

cscript.exe

vbc.exe

rundll32.exe

regsvr32.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

winlogon.exe

services.exe

%s\x.lnk

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s

desktop.ini

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

wintrust.dll

chrome.dll

Applications\iexplore.exe\shell\open\command

%s_xx

x.zip

Navw32.exe

SysInspector.exe

avscan.exe

mfefire.exe

wuauclt.exe

WerFault.exe

lFileZilla\sitemanager.xml

port

Sites.dat

Quick.dat

%s\3\%s

%s\4\%s

spoolsv.exe

steam.exe

skype.exe

origin.exe

dwm.exe

tapi3.dll

/C copy "%s" "%s"

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

Windows Update Service

"%s" /%s

Software\Microsoft\Windows\CurrentVersion\RunOnce

/CREATE /SC ONLOGON /TN "Windows Update Check - 0xX" /TR "%s" /RL HIGHEST

schtasks.exe

/DELETE /TN "Windows Update Check - 0xX" /F

\Windows\Explorer.exe

Low_X

%s.manifest

PendingFileRenameOperations

%s\X

Windows\CurrentVersion\Run

CurrentVersion\Windows

Windows NT\CurrentVersion\Image File Execution Options\%s

Windows has encountered a corrupted folder on your hard drive

Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of data, please allow Windows to restore these files.

Corrupted folder: %s

Corrupted file count: %d

<a href=".ms">%s</a>

/c start "" "%s" /%s "%s"

shell32,ShellExec_RunDLL "%s" /%s "%s"

You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.

Windows 3.1 Update Service

%s:Zone.Identifier

%s\X.pif

%WinDir%

%Documents and Settings%\%current user%

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\All Users\Application Data

%Documents and Settings%\%current user%\My Documents\My Pictures

%Documents and Settings%\%current user%\My Documents\My Music

%Documents and Settings%\%current user%\My Documents\My Videos

%Program Files%

%WinDir%\winsxs\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll

%WinDir%\explorer.exe

s\"%CurrentUserName%"\Local Settings\Temp\yhtdayrg.exe

%Program Files%\Common Files\CreativeAudio\cwrdsyetp.exe

%Documents and Settings%\%current user%\0E7302EC.pif

%Program Files%\Common Files\CreativeAudio

yhtdayrg.exe

%Documents and Settings%\%current user%\Low_00FEC012

cwrdsyetp.exe

0E7302EC.pif

KERNEL32.DLL

KERNELBASE.DLL

kernelbase.dll

Error reading %s%s%s: %s

%s.Seek not implemented$Operation not allowed on sorted list

Property %s does not exist

List index out of bounds (%d) List capacity out of bounds (%d)

List count out of bounds (%d)

Ancestor for '%s' not found

Cannot assign a %s to a %s

Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file %s

Cannot open file %s$''%s'' is not a valid component name

Invalid property value List capacity out of bounds (%d)

List index out of bounds (%d)

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

!'%s' is not a valid integer value

I/O error %d

Integer overflow Invalid floating point operation

DNSQuerySniffer.exe

ksaduytr.exe_3424_rwx_00400000_00029000:

.text

`.data

.rsrc

@.reloc

*windows defender*

*windowsupdate*

*drweb*

dwwin.exe

kernel32.dll

iphlpapi.dll

GetExtendedTcpTable

GetOwnerModuleFromTcpEntry

%systemroot%

%programfiles%\Common Files\*\*.exe

%appdata%\Identities\*.exe

%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe

ole32.dll

/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"

/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"

%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe

%SystemRoot%\system32\SHELL32.dll

%s\c731200

%s\%s

%s\%s.lnk

Windows_Shared_Mutex_231_c000100

ntdll.dll

\ScreenSaverPro.scr

\temp.bin

user32.dll

advapi32.dll

shell32.dll

urlmon.dll

wininet.dll

gdi32.dll

rpcrt4.dll

netapi32.dll

*.exe

.gonewiththewings

*.gonewiththewings

WinExec

URLDownloadToFileA

hXXp://VVV.google.com

\calc.exe

\Reader_sl.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

notepad.exe

\notepad.exe

\svchost.exe

WindowsId

Identities\%s

%s\%s\%s.exe

:Zone.Identifier

.quarantined

"%s" -shell

"%s" -bind

userinit.exe

explorer.exe

Windows critical error, require reboot

Windows Update

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

GetProcessHeap

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyA

RegEnumKeyA

RegCreateKeyExA

RegOpenKeyExA

ADVAPI32.dll

ShellExecuteExW

SHELL32.dll

SetTcpEntry

SHLWAPI.dll

RPCRT4.dll

NETAPI32.dll

DNSAPI.dll

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Software\WindowsId Manager Reader

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\RunOnce

WindowsMark

m1xg.org

mxxtxxt.biz

meob.me

%System%\calc.exe

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0A

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

%s_%d

-%sMutex

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

PTF://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

hXXp://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

URLDownloadToFileW

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

Secur32.dll

ShellExecuteA

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

WS2_32.dll

MSVCRT.dll

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

RegNotifyChangeKeyValue

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\x_ipc

7 767<7~7

8*808;8~8

{A5DCBF10-6530-11D2-901F-00C04FB951ED}

shlwapi.dll

crypt32.dll

wtsapi32.dll

samcli.dll

netutils.dll

userenv.dll

WindowsSecondaryDesktop

\charmap.exe

\Windows Media Player\wmprph.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe

%System%\notepad.exe

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

Aadvapi32.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

ksaduytr.exe_3424_rwx_008E0000_00029000:

.text

`.data

.rsrc

@.reloc

*windows defender*

*windowsupdate*

*drweb*

dwwin.exe

kernel32.dll

iphlpapi.dll

GetExtendedTcpTable

GetOwnerModuleFromTcpEntry

%systemroot%

%programfiles%\Common Files\*\*.exe

%appdata%\Identities\*.exe

%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe

ole32.dll

/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"

/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"

%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe

%SystemRoot%\system32\SHELL32.dll

%s\c731200

%s\%s

%s\%s.lnk

Windows_Shared_Mutex_231_c000100

ntdll.dll

\ScreenSaverPro.scr

\temp.bin

user32.dll

advapi32.dll

shell32.dll

urlmon.dll

wininet.dll

gdi32.dll

rpcrt4.dll

netapi32.dll

*.exe

.gonewiththewings

*.gonewiththewings

WinExec

URLDownloadToFileA

hXXp://VVV.google.com

\calc.exe

\Reader_sl.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

notepad.exe

\notepad.exe

\svchost.exe

WindowsId

Identities\%s

%s\%s\%s.exe

:Zone.Identifier

.quarantined

"%s" -shell

"%s" -bind

userinit.exe

explorer.exe

Windows critical error, require reboot

Windows Update

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

GetProcessHeap

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyA

RegEnumKeyA

RegCreateKeyExA

RegOpenKeyExA

ADVAPI32.dll

ShellExecuteExW

SHELL32.dll

SetTcpEntry

SHLWAPI.dll

RPCRT4.dll

NETAPI32.dll

DNSAPI.dll

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Software\WindowsId Manager Reader

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\RunOnce

WindowsMark

m1xg.org

mxxtxxt.biz

meob.me

%System%\calc.exe

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0A

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

%s_%d

-%sMutex

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

PTF://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

hXXp://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

URLDownloadToFileW

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

Secur32.dll

ShellExecuteA

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

WS2_32.dll

MSVCRT.dll

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

RegNotifyChangeKeyValue

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\x_ipc

7 767<7~7

8*808;8~8

{A5DCBF10-6530-11D2-901F-00C04FB951ED}

shlwapi.dll

crypt32.dll

wtsapi32.dll

samcli.dll

netutils.dll

userenv.dll

WindowsSecondaryDesktop

\charmap.exe

\Windows Media Player\wmprph.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ksaduytr.exe

%System%\notepad.exe

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

Aadvapi32.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

cmd.exe_1236_rwx_009A0000_000C3000:

.text

`.rdata

@.data

.rsrc

@.reloc

PSSSSSSh

PSSVSSh

RPVSSh

PSSh(

PSSh#

PSSh'

PSSh&

PSSh*

9p.uV

Opera/9.00 (Windows NT 5.1; U; en)

Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)

Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)

Opera 9.4 (Windows NT 6.1; U; en)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; NeosBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990; InfoPath.2

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)

Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)

SbieDll.dll

Software\Classes\CLSID\%s\X

Software\Classes\CLSID\%s\X\%s

0xX

SB:0xX

G:%s_0xX_%c:%s_v1$

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u

IEXPLORE.EXE

IE.HTTP

SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

IE.HTTPS

SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice

IE.AssocFile.HTM

HTTP\shell\open\command

Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s

Psapi.dll

%s\%s

Software\Adobe\Acrobat Reader\%s\Privileged

mscoree.dll

HARDWARE\DESCRIPTION\System\CentralProcessor\%u

SOFTWARE\Microsoft\Windows NT\CurrentVersion

nspr4.dll

nss3.dll

Urlmon.dll

URLDownloadToFileW

Netapi32.dll

76487-640-1457236-23837

76487-337-8429955-22614

76487-644-3177037-23510

76497-640-6308873-23835

55274-640-2673064-23950

76487-640-8834005-23195

76487-640-0716662-23535

76487-644-8648466-23106

00426-293-8170032-85146

76487-341-5883812-22420

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup

{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}

snxhk.dll

comctl32.dll

ZwSetValueKey

ZwDeleteValueKey

SOFTWARE\%s

update.microsoft.com

microsoft.com

windowsupdate.microsoft.com

JOIN

PRIVMSG

.rdata

cmd_option.%s

/c %s

cmd.exe

msvcrt.dll

--x-x-x-xx

Content-Type: multipart/form-data; boundary=x-x-x-xx

Content-Disposition: multipart/form-data; name="newfile"; filename="%d.jpeg"

%s?action=up&g=%s

xul.dll

<Port>

<Pass>

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

?pid=%d

?page=%d

?id=%u

%s=%u&%s=%s

%s=%s&%s=%u

&%s=%s

&%s%u=

&%s%hu=

&%s=_%u

%d|%s|%s|%s

.info

httpget

GET /%s HTTP/1.1

Host: %s

Content-Length: %d

Accept: %s

Accept-Language: %s

Accept-Charset: %s

Accept-Encoding: %s

User-Agent: %s

Referer: %s

Connection: %s

hXXp://

iexplore.exe

firefox.exe

tbb-firefox.exe

%s:%hu

windowsupdate

SSH2_MSG_KEXINIT

SSH2_MSG_DISCONNECT

SSH2_MSG_USERAUTH_SUCCESS

hXXp://%s%s/image.php?id=%s

TaskDialogIndirect

hXXp://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535

ÐxX

ntdll.dll

kernel32.dll

secur32.dll

crypt32.dll

user32.dll

advapi32.dll

wininet.dll

shell32.dll

shlwapi.dll

ole32.dll

version.dll

sfc.dll

dnsapi.dll

ws2_32.dll

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>

8"808]9|9

9%9 919<9

=(=/=6==={=

4 4?4^4}4

6o6g6r6w6

9 9$9(90949

Currency symbol is: %s

Thread %d writing to database...

Invalid parameter passed to C runtime function.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

ShellExecuteA

ShellExecuteW

SHELL32.dll

dbghelp.dll

CertFreeCertificateContext

CryptMsgGetParam

CryptMsgClose

CertCloseStore

CertFindCertificateInStore

CertGetNameStringW

CRYPT32.dll

SetNamedPipeHandleState

GetCPInfo

GetConsoleOutputCP

KERNEL32.dll

IK.rT

RTcp

35`.ZJpS

.pj'Q.

on>%s

U9.pD

Tu.AEG

i!cp%U

#%CgT

M.cI9Y

'.BP(

x.liu

ueK.Pr

?.yhZ

Software\Classes\CLSID\%S

G:%S_0xX

chrome.exe

opera.exe

safari.exe

maxthon.exe

:Mozilla\Firefox\Profiles

cookies.sqlite

%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*

%s\winsxs\%s\comctl32.dll

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s

%s:*:Enabled

avcuf32.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

prstrui.exe

Windows Defender

MpClient.dll

Windows Defender\MSASCui.exe

MpSvc.dll

msseces.exe

MsMpEng.exe

MSASCui.exe

MpAsDesc.dll

MsMpLics.dll

avgui.exe

avgidsagent.exe

avgwdsvc.exe

avgdiagex.exe

avgmfapx.exe

avgupd.exe

avgcfgex.exe

avgnt.exe

avguard.exe

avshadow.exe

avcenter.exe

update.dll

updaterc.dll

usrreq.exe

ccsvchst.exe

symerr.exe

NIS.exe

NAV.exe

navw32.exe

avastui.exe

AvastEmUpdate.exe

ashUpd.exe

WRSA.exe

zatray.exe

ForceField.exe

updating.dll

fshoster32.exe

fsaua.dll

PSUNMain.exe

PSUAService.exe

PSANHost.exe

PSUNScan.dll

epavjobs.exe

AVENGINE.exe

Upgrader.exe

adaware.exe

BullGuard.exe.manifest

BullGuardUpdate.exe

BullGuard.exe

BullGuardScanner.exe

BullGuardBhvScanner.exe

BullGuardUpdate2.exe

BgScan.exe

BgScanEngine.dll

.manifest

updater.exe

Backup\RSD\RSSetup\updater.exe

RsTray.exe

RavMonD.exe

RsMgrSvc.exe

rsmain.exe

RsScan.dll

RsTray.dll

mbamgui.exe

mbam.exe

pctsGui.exe

pctsAuxs.exe

pctsSvc.exe

Update.exe

UpdateHlpr.dll

Definitions\vcore.dll

sbamui.exe

SBAMTray.exe

updater_client_mod.dll

FProtTray.exe

FPWin.exe

scf.dat

ALUpdate.exe

update_tmp.exe

arcaclean.exe

BavUpdater.exe

rcfp.exe

CLPSLA.exe

op_mon.exe

niu.exe

K7TSUpdT.exe

sguardxup.exe

ccupdate.exe

caupdate.dll

a2guard.exe

a2start.exe

a2service.exe

AVKTray.exe

GDSC.exe

AVK.exe

GDFirewallTray.exe

Bka.exe

BLuPro.exe

BkavSystemServer.exe

BkavService.exe

LiveUpdate.dll

LiveConnect.dll

BaseFile\Bkav\LiveUpdate.dll

V3Lite.exe

ASDSvc.exe

autoup.exe

downloader.exe

%s.config

updatesrv.exe

updatemgr.dll

egui.exe

ekrn.exe

x86\ekrn.exe

uWinMgr.exe

coreServiceShell.exe

uiSeAgnt.exe

uiWatchDog.exe

plugins\plugUpdater.dll

UiFrmwrk\uiUpdateTray.exe

coreFrameworkHost.exe

mcagent.exe

McSvHost.exe

McUICnt.exe

McPvTray.exe

mcui_exe

mcpltui_exe

mcshell.exe

mcupdmgr.exe

mcupdate.exe

mcshield.exe

mcupdui.dll

McAPExe.exe

.config

Image File Execution Options\%s

SYSTEM\CurrentControlSet\services\%s

%c:\ntusbdriver.sys

%c:\*p.exe

%c:\%s

p.exe

%WinDir%\explorer.exe

/C start /d. %s&"%s"

%COMSPEC%

%WinDir%\system32\shell32.dll

%c:\%s.lnk

VisthAux.exe

explorer.exe

t.minecraft

Works! PID: %d, Name: %s

cmdvirth

%s%s\X

tcp://

svchost.exe

csrss.exe

lsass.exe

smss.exe

wscript.exe

cscript.exe

vbc.exe

rundll32.exe

regsvr32.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

winlogon.exe

services.exe

%s\x.lnk

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s

desktop.ini

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

wintrust.dll

chrome.dll

Applications\iexplore.exe\shell\open\command

%s_xx

x.zip

Navw32.exe

SysInspector.exe

avscan.exe

mfefire.exe

wuauclt.exe

WerFault.exe

lFileZilla\sitemanager.xml

port

Sites.dat

Quick.dat

%s\3\%s

%s\4\%s

spoolsv.exe

steam.exe

skype.exe

origin.exe

dwm.exe

tapi3.dll

/C copy "%s" "%s"

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

Windows Update Service

"%s" /%s

Software\Microsoft\Windows\CurrentVersion\RunOnce

/CREATE /SC ONLOGON /TN "Windows Update Check - 0xX" /TR "%s" /RL HIGHEST

schtasks.exe

/DELETE /TN "Windows Update Check - 0xX" /F

\Windows\Explorer.exe

Low_X

%s.manifest

PendingFileRenameOperations

%s\X

Windows\CurrentVersion\Run

CurrentVersion\Windows

Windows NT\CurrentVersion\Image File Execution Options\%s

Windows has encountered a corrupted folder on your hard drive

Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of data, please allow Windows to restore these files.

Corrupted folder: %s

Corrupted file count: %d

<a href=".ms">%s</a>

/c start "" "%s" /%s "%s"

shell32,ShellExec_RunDLL "%s" /%s "%s"

You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.

Windows 3.1 Update Service

%s:Zone.Identifier

%s\X.pif

%Documents and Settings%\%current user%

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\All Users\Application Data

%Documents and Settings%\%current user%\My Documents\My Pictures

%Documents and Settings%\%current user%\My Documents\My Music

%Documents and Settings%\%current user%\My Documents\My Videos

%Program Files%

%WinDir%\winsxs\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll

%WinDir%\explorer.exe

s\"%CurrentUserName%"\Local Settings\Temp\yhtdayrg.exe

%Program Files%\Common Files\CreativeAudio\cwrdsyetp.exe

%Documents and Settings%\%current user%\0E7302EC.pif

%Program Files%\Common Files\CreativeAudio

yhtdayrg.exe

%Documents and Settings%\%current user%\Low_00FEC012

cwrdsyetp.exe

0E7302EC.pif

KERNEL32.DLL

KERNELBASE.DLL

kernelbase.dll

Error reading %s%s%s: %s

%s.Seek not implemented$Operation not allowed on sorted list

Property %s does not exist

List index out of bounds (%d) List capacity out of bounds (%d)

List count out of bounds (%d)

Ancestor for '%s' not found

Cannot assign a %s to a %s

Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file %s

Cannot open file %s$''%s'' is not a valid component name

Invalid property value List capacity out of bounds (%d)

List index out of bounds (%d)

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

!'%s' is not a valid integer value

I/O error %d

Integer overflow Invalid floating point operation

DNSQuerySniffer.exe

Explorer.EXE_1988_rwx_01E00000_00027000:

.text

`.rdata

@.data

.rsrc

@.reloc

PSSSSSSh

PSSVSSh

RPVSSh

PSSh(

PSSh#

PSSh'

PSSh&

PSSh*

9p.uV

Explorer.EXE_1988_rwx_01E28000_0009B000:

Opera/9.00 (Windows NT 5.1; U; en)

Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)

Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)

Opera 9.4 (Windows NT 6.1; U; en)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; NeosBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990; InfoPath.2

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)

Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)

SbieDll.dll

Software\Classes\CLSID\%s\X

Software\Classes\CLSID\%s\X\%s

0xX

SB:0xX

G:%s_0xX_%c:%s_v1$

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u

IEXPLORE.EXE

IE.HTTP

SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

IE.HTTPS

SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice

IE.AssocFile.HTM

HTTP\shell\open\command

Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s

Psapi.dll

%s\%s

Software\Adobe\Acrobat Reader\%s\Privileged

mscoree.dll

HARDWARE\DESCRIPTION\System\CentralProcessor\%u

SOFTWARE\Microsoft\Windows NT\CurrentVersion

nspr4.dll

nss3.dll

Urlmon.dll

URLDownloadToFileW

Netapi32.dll

76487-640-1457236-23837

76487-337-8429955-22614

76487-644-3177037-23510

76497-640-6308873-23835

55274-640-2673064-23950

76487-640-8834005-23195

76487-640-0716662-23535

76487-644-8648466-23106

00426-293-8170032-85146

76487-341-5883812-22420

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup

{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}

snxhk.dll

comctl32.dll

ZwSetValueKey

ZwDeleteValueKey

SOFTWARE\%s

update.microsoft.com

microsoft.com

windowsupdate.microsoft.com

JOIN

PRIVMSG

.rdata

cmd_option.%s

/c %s

cmd.exe

msvcrt.dll

--x-x-x-xx

Content-Type: multipart/form-data; boundary=x-x-x-xx

Content-Disposition: multipart/form-data; name="newfile"; filename="%d.jpeg"

%s?action=up&g=%s

xul.dll

<Port>

<Pass>

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

?pid=%d

?page=%d

?id=%u

%s=%u&%s=%s

%s=%s&%s=%u

&%s=%s

&%s%u=

&%s%hu=

&%s=_%u

%d|%s|%s|%s

.info

httpget

GET /%s HTTP/1.1

Host: %s

Content-Length: %d

Accept: %s

Accept-Language: %s

Accept-Charset: %s

Accept-Encoding: %s

User-Agent: %s

Referer: %s

Connection: %s

hXXp://

iexplore.exe

firefox.exe

tbb-firefox.exe

%s:%hu

windowsupdate

SSH2_MSG_KEXINIT

SSH2_MSG_DISCONNECT

SSH2_MSG_USERAUTH_SUCCESS

hXXp://%s%s/image.php?id=%s

TaskDialogIndirect

hXXp://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535

ÐxX

ntdll.dll

kernel32.dll

secur32.dll

crypt32.dll

user32.dll

advapi32.dll

wininet.dll

shell32.dll

shlwapi.dll

ole32.dll

version.dll

sfc.dll

dnsapi.dll

ws2_32.dll

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>

8"808]9|9

9%9 919<9

=(=/=6==={=

4 4?4^4}4

6o6g6r6w6

9 9$9(90949

.text

`.rdata

@.data

.rsrc

Currency symbol is: %s

Thread %d writing to database...

Invalid parameter passed to C runtime function.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

ShellExecuteA

ShellExecuteW

SHELL32.dll

dbghelp.dll

CertFreeCertificateContext

CryptMsgGetParam

CryptMsgClose

CertCloseStore

CertFindCertificateInStore

CertGetNameStringW

CRYPT32.dll

SetNamedPipeHandleState

GetCPInfo

GetConsoleOutputCP

KERNEL32.dll

IK.rT

RTcp

35`.ZJpS

.pj'Q.

on>%s

U9.pD

Tu.AEG

i!cp%U

#%CgT

M.cI9Y

'.BP(

x.liu

ueK.Pr

?.yhZ

Software\Classes\CLSID\%S

G:%S_0xX

chrome.exe

opera.exe

safari.exe

maxthon.exe

:Mozilla\Firefox\Profiles

cookies.sqlite

%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*

%s\winsxs\%s\comctl32.dll

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s

%s:*:Enabled

avcuf32.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

prstrui.exe

Windows Defender

MpClient.dll

Windows Defender\MSASCui.exe

MpSvc.dll

msseces.exe

MsMpEng.exe

MSASCui.exe

MpAsDesc.dll

MsMpLics.dll

avgui.exe

avgidsagent.exe

avgwdsvc.exe

avgdiagex.exe

avgmfapx.exe

avgupd.exe

avgcfgex.exe

avgnt.exe

avguard.exe

avshadow.exe

avcenter.exe

update.dll

updaterc.dll

usrreq.exe

ccsvchst.exe

symerr.exe

NIS.exe

NAV.exe

navw32.exe

avastui.exe

AvastEmUpdate.exe

ashUpd.exe

WRSA.exe

zatray.exe

ForceField.exe

updating.dll

fshoster32.exe

fsaua.dll

PSUNMain.exe

PSUAService.exe

PSANHost.exe

PSUNScan.dll

epavjobs.exe

AVENGINE.exe

Upgrader.exe

adaware.exe

BullGuard.exe.manifest

BullGuardUpdate.exe

BullGuard.exe

BullGuardScanner.exe

BullGuardBhvScanner.exe

BullGuardUpdate2.exe

BgScan.exe

BgScanEngine.dll

.manifest

updater.exe

Backup\RSD\RSSetup\updater.exe

RsTray.exe

RavMonD.exe

RsMgrSvc.exe

rsmain.exe

RsScan.dll

RsTray.dll

mbamgui.exe

mbam.exe

pctsGui.exe

pctsAuxs.exe

pctsSvc.exe

Update.exe

UpdateHlpr.dll

Definitions\vcore.dll

sbamui.exe

SBAMTray.exe

updater_client_mod.dll

FProtTray.exe

FPWin.exe

scf.dat

ALUpdate.exe

update_tmp.exe

arcaclean.exe

BavUpdater.exe

rcfp.exe

CLPSLA.exe

op_mon.exe

niu.exe

K7TSUpdT.exe

sguardxup.exe

ccupdate.exe

caupdate.dll

a2guard.exe

a2start.exe

a2service.exe

AVKTray.exe

GDSC.exe

AVK.exe

GDFirewallTray.exe

Bka.exe

BLuPro.exe

BkavSystemServer.exe

BkavService.exe

LiveUpdate.dll

LiveConnect.dll

BaseFile\Bkav\LiveUpdate.dll

V3Lite.exe

ASDSvc.exe

autoup.exe

downloader.exe

%s.config

updatesrv.exe

updatemgr.dll

egui.exe

ekrn.exe

x86\ekrn.exe

uWinMgr.exe

coreServiceShell.exe

uiSeAgnt.exe

uiWatchDog.exe

plugins\plugUpdater.dll

UiFrmwrk\uiUpdateTray.exe

coreFrameworkHost.exe

mcagent.exe

McSvHost.exe

McUICnt.exe

McPvTray.exe

mcui_exe

mcpltui_exe

mcshell.exe

mcupdmgr.exe

mcupdate.exe

mcshield.exe

mcupdui.dll

McAPExe.exe

.config

Image File Execution Options\%s

SYSTEM\CurrentControlSet\services\%s

%c:\ntusbdriver.sys

%c:\*p.exe

%c:\%s

p.exe

%WinDir%\explorer.exe

/C start /d. %s&"%s"

%COMSPEC%

%WinDir%\system32\shell32.dll

%c:\%s.lnk

VisthAux.exe

explorer.exe

t.minecraft

Works! PID: %d, Name: %s

cmdvirth

%s%s\X

tcp://

svchost.exe

csrss.exe

lsass.exe

smss.exe

wscript.exe

cscript.exe

vbc.exe

rundll32.exe

regsvr32.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

winlogon.exe

services.exe

%s\x.lnk

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s

desktop.ini

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

wintrust.dll

chrome.dll

Applications\iexplore.exe\shell\open\command

%s_xx

x.zip

Navw32.exe

SysInspector.exe

avscan.exe

mfefire.exe

wuauclt.exe

WerFault.exe

lFileZilla\sitemanager.xml

port

Sites.dat

Quick.dat

%s\3\%s

%s\4\%s

spoolsv.exe

steam.exe

skype.exe

origin.exe

dwm.exe

tapi3.dll

/C copy "%s" "%s"

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

Windows Update Service

"%s" /%s

Software\Microsoft\Windows\CurrentVersion\RunOnce

/CREATE /SC ONLOGON /TN "Windows Update Check - 0xX" /TR "%s" /RL HIGHEST

schtasks.exe

/DELETE /TN "Windows Update Check - 0xX" /F

\Windows\Explorer.exe

Low_X

%s.manifest

PendingFileRenameOperations

%s\X

Windows\CurrentVersion\Run

CurrentVersion\Windows

Windows NT\CurrentVersion\Image File Execution Options\%s

Windows has encountered a corrupted folder on your hard drive

Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of data, please allow Windows to restore these files.

Corrupted folder: %s

Corrupted file count: %d

<a href=".ms">%s</a>

/c start "" "%s" /%s "%s"

shell32,ShellExec_RunDLL "%s" /%s "%s"

You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.

Windows 3.1 Update Service

%s:Zone.Identifier

%s\X.pif

KERNEL32.DLL

KERNELBASE.DLL

kernelbase.dll

Error reading %s%s%s: %s

%s.Seek not implemented$Operation not allowed on sorted list

Property %s does not exist

List index out of bounds (%d) List capacity out of bounds (%d)

List count out of bounds (%d)

Ancestor for '%s' not found

Cannot assign a %s to a %s

Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file %s

Cannot open file %s$''%s'' is not a valid component name

Invalid property value List capacity out of bounds (%d)

List index out of bounds (%d)

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

!'%s' is not a valid integer value

I/O error %d

Integer overflow Invalid floating point operation

DNSQuerySniffer.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   kusadtylds.exe:1784
   yhtdayrg.exe:2448
   %original file name%.exe:980
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\xxsikizcertlt[1].htm (33 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ksaduytr.exe (4277 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\bet[1].exe (64897 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\yhtdayrg.exe (53560 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\zpm[1].exe (63199 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\kusadtylds.exe (47784 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\ng[1].exe (6927 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "MicrosoftStCnt" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\kusadtylds.exe"

5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.