Trojan.FakeAV_c7c1b6f38f
HEUR:Trojan.Win32.PassRAR.a (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.Win32.Bumat.FD, FakeAVWinProDefence.YR (Lavasoft MAS)
Behaviour: Trojan, Fake-AV
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: c7c1b6f38f5301526c1636d00826094e
SHA1: d900788d96d868c4c2ac9948649709ee42dec1f9
SHA256: 7149cf734a8e39be871aedc963b17a2b4c418dc067aaa60f5e2888e356cf3a3b
SSDeep: 49152:DyqlvK5d MqR4DfJlfhdvfh5Z2x133/a2kYpJfc9o6ZvKPpikypiNj:DVvO3yDfj5TD2/C2kEJfc9bvKhSuj
Size: 2146516 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Express Install
Created at: 2011-03-02 09:40:24
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
temp.exe:496
filesystemscan.exe:1364
%original file name%.exe:1660
ctfmon.exe:536
sc.exe:520
sc.exe:1968
sc.exe:1144
sc.exe:2012
verclsid.exe:1648
mshta.exe:388
mshta.exe:1428
The Trojan injects its code into the following process(es):
Protector-her.exe:1416
File activity
The process temp.exe:496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\filesystemscan.exe (3814656 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\__tmp_rar_sfx_access_check_7094140 (0 bytes)
The process filesystemscan.exe:1364 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data (4096 bytes)
%Documents and Settings%\%current user%\Application Data\Protector-her.exe (2012672 bytes)
The process Protector-her.exe:1416 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\result.db (535 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\cmyip[1].htm (1021 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local\settings.sol (102 bytes)
%Documents and Settings%\%current user%\àðñþчøù ÑÂтþû\Windows Telemetry Center.lnk (713 bytes)
%Documents and Settings%\All Users\Óûðòýþõ üõýю\ßрþóрðüüы\Windows Telemetry Center.lnk (735 bytes)
The process %original file name%.exe:1660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\temp.exe (5858644 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\temp.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\__tmp_rar_sfx_access_check_7092281 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\filesystemscan.exe (0 bytes)
Registry activity
The process temp.exe:496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 8D ED 47 5C 3C A6 F7 5B 8F 99 01 EE BC BA 28"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Ãâ€Ã¾ÃºÑƒÃ¼ÃµÃ½Ñ‚Ñ‹"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\àðñþчøù ÑÂтþû"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\test\LOCALS~1\Temp\RarSFX0]
"filesystemscan.exe" = "filesystemscan"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\àðñþчøù ÑÂтþû"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Ãœþø ôþúуüõýты"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process filesystemscan.exe:1364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF 9A B6 70 98 F5 16 CB 60 C6 C2 00 F7 47 D6 9A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegedit" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Ãâ€Ã¾ÃºÑƒÃ¼ÃµÃ½Ñ‚Ñ‹"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\àðñþчøù ÑÂтþû"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\àðñþчøù ÑÂтþû"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Settings]
"ID" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Ãœþø ôþúуüõýты"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process Protector-her.exe:1416 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wimmun32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup_flowprotector_us.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cssurf.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavsrv51.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530stbyb.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cavscan.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cv.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hacktracersetup.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\purge.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avltmain.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AluSchedulerSvc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleaner.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Identity.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avciman.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswinntse.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hotactio.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\platin.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweepnet.sweepsrv.sys.swnetsup.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\belt.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\titaninxp.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w32dsm89.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllcache.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgsrmax.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscfxav.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\window.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pingscan.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\killprocesssetup161.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aplica32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwatson.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navwnt.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcip10117_0.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityFighter.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msa.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldnetmon.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsched32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vshwin32.exe]
"debugger" = "svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Ãœþø ôþúуüõýты"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdp.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfgwiz.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSkPcc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmcdlg.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsadbot.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpdos32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\àðñþчøù ÑÂтþû"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpconfg.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsgk32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sms.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\md.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ollydbg.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvarch16.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nt.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\periscope.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpostinstall.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwupd32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerscan.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellspyinstall.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oaview.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jdbgmrg.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\borg2.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bd_professional.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wintsk32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wradmin.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds2-nt.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wupdt.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hxdl.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loader.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswRegSvr.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winstart.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchostc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\st2.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blink.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rulaunch.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VisthLic.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmain.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htlog.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\win-bugsfix.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webdav.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscfxfw.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smrtdefp.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[4].exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleanIELow.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\evpn.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winssk32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpc32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavpf.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nsupdate.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\securitysoldier.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmgrdian.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mctool.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atcon.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perswf.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wrctrl.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icsuppnt.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ERROR_PAGE_BYPASS_ZONE_CHECK_FOR_HTTPS_KB954312]
"iexplore.exe" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwtool16.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe]
"debugger" = "svchost.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rb32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navlu32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\click.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcnasvc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VisthAux.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[2].exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vscenu6.02d30.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleanpc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fixcfg.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avupgsvc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upgrad.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-wrp-421-en-win.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\driverctrl.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcsetup.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hwpe.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nc2000.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisum.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portmonitor.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bootconf.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirus.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnt.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgavrtcl.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\espwatch.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsrte.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rscdwld.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\realmon.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\infus.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rescue32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsm32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpm.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iamapp.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbcons.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\win32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Ãâ€Ã¾ÃºÑƒÃ¼ÃµÃ½Ñ‚Ñ‹"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwupsrv.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exe.avxw.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\localnet.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htpatch.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\proport.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tvtmd.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gmt.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pf2.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\titanin.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\au.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfw2en.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winstart001.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bspatch.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ray.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppvstop.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscman.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npscheck.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fnrb32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gator.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msdos.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmnhdlr.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kazza.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\c.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectx.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdmcon.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monitor.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lucomserver.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icload95.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BDMsnScan.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeweb.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbmenu.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\doors.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwinnt.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tbscan.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vnpc3000.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trojantrap3.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavcl.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mostat.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcproxy.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\normist.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prizesurfer.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashPopWz.exe]
"debugger" = "svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Settings]
"net" = "2014-2-25_2"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lordpe.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rapapp.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwsc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rescue.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vnlan300.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nupgrade.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JsRcGen.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atwatch.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctrl.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shn.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmesys.exe]
"debugger" = "svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nprotect.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wupdater.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clean.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ifw2000.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sphinx.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iedll.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanpm.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\support.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cwnb181.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustWarrior.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsetup.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setloadorder.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmon.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsctool.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icmon.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\expert.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PsCtrls.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pop3trap.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSimpl.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwin.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-stopw.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webtrap.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netd32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fch32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpd.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsmb32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trjsetup.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvcl.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pfwadmin.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fixfp.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wkufind.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atupdater.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\soap.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkwctl9.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsisetup.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netarmor.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tfak5.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbcmserv.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dssagent.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reged.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpfservice.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iamstats.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\findviru.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OAReg.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setupvameeval.exe]
"debugger" = "svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmod.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiVirus_Pro.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cssupdat.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpro.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsma32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rshell.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nsched32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luinit.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exantivirus-cnet.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pdsetup.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveDefense.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\anti-trojan.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashBug.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusmdpersonalfirewall.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nav.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winppr32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95cf.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidserver.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashChest.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavw.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winactive.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\emsw.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\W3asbas.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwinntw.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xp_antispyware.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbust.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\updat.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrecon.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\start.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guarddog.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npfmessenger.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscache.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\moolive.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\connectionmonitor.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PavFnSvr.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEShow.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibmavsp.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecengine.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmsgri32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fameh32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds2-98.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-agnt95.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnsx.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgiproxy.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pspf.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dpps2.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shield.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PskSvc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apimonitor.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgscanx.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ave32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atro55en.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpftray.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mssys.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autotrace.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwservice.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgdumpx.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswinperse.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portdetective.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netmon.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dpfsetup.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashMaiSv.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\popscan.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwupd.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srng.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Ãâ€Ã¾ÃºÑƒÃ¼ÃµÃ½Ñ‚Ñ‹\ÃœþѠüу÷ыúð"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win.exe]
"debugger" = "svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpfnt206.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxmonitornt.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wfindv32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brw.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brasil.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds-3.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BDInProcPatch.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiadmin.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmon016.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpupdat.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\etrustcipe.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpostproinstall.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\b.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iedriver.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\efpeadm.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iamserv.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsecomr.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\datemanager.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ants.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbpoll.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\neomonitor.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfd.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkpop.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pdfndr.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lnetinfo.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppinupdt.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoupdate.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keenvalue.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkservice.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcscan.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nmain.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows Police Pro.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswChLic.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisserv.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe]
"debugger" = "svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717} {0000010B-0000-0000-C000-000000000046} 0x401" = "01 00 00 00 7C 6C 9C 7C 58 A2 96 C4 1F 32 CF 01"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95_0.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiaudit.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\showbehind.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navap.navapsvc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe ]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvsvc32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icloadnt.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccpxysvc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\licmgr.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"debugger" = "%Documents and Settings%\%current user%\Application Data\Protector-her.exe task"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpfw30s.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgavrte.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lookout.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfin32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McSACore.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QuickHealCleaner.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\padmin.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvwiz.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgchk.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netutils.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mu0311ad.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet95.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quick Heal.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atguard.exe]
"debugger" = "svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Óûðòýþõ üõýю"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashAvast.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oasrv.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tca.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\watchdog.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w9x.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANCU.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\intren.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[3].exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jedi.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icsupp95.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashCnsnt.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hbsrv.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vscan40.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwinst4.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanv95.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npf40_tw_98_nt_me_2k.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deloeminfs.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luall.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defscangui.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavsched.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ODSW.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashWebSv.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Ãâ€Ã¾ÃºÑƒÃ¼ÃµÃ½Ñ‚Ñ‹\Ãœþø òøôõþ÷ðÿøÑÂø"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\win32us.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\beagle.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpc42.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gav.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcm.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netspyhunter-1.2.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[1].exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgui.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trickler.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\optimize.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pptbc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogin.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\persfw.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav8win32eng.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dcomx.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpfagent.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winservn.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frw.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANHost.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[5].exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\teekids.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winav.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stcloader.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ss3edit.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defalert.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drweb32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\minilog.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweep95.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cssconfg.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC_Antispyware2010.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sysupd.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bootwarn.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notstart.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luspt.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hbinst.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-wrl-421-en-win.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllreg.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symtray.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procdump.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPFSrv.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexplorerv1.0.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blackice.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\poproxy.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"debugger" = "%Documents and Settings%\%current user%\Application Data\Protector-her.exe reg"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\àðñþчøù ÑÂтþû"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bisp.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgw.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arr.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkserv.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalm2601.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\norton_internet_secu_3.0_407.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavpers40eng.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VisthUpd.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qconsole.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\patch.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Center.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vettray.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nui.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\idle.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon9x.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolcv.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwin9x.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcmgr.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswRunDll.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mapisvc32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zatutor.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSUNMain.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WebProxy.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blackd.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSkPck.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autodown.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symproxysvc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapsvc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hxiul.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSimp2.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvxd.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveKeep.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win_trial.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpupd.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpm.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dpf.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashLogV.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sofi.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OAhlp.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxmonitor9x.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Ãâ€Ã¾ÃºÑƒÃ¼ÃµÃ½Ñ‚Ñ‹\Ãœþø рøÑÂуýúø"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msblast.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hotpatch.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ncinst4.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Óûðòýþõ üõýю\ßрþóрðüüы"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\inetlnfo.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown2000.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spf.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navdx.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deputy.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wnt.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jammer.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot95.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\infwin.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mghtml.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnotify.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luau.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wininetd.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sperm.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Save.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgtray.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secure Veteran.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\otfix.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Óûðòýþõ üõýю"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccevtmgr.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgupd.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcfwallicon.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utpost.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scam32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavprsrv.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntxconfig.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mslaugh.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sh.exe]
"debugger" = "svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pav.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oaui.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\intdel.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530wtbyb.exe]
"debugger" = "svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Settings]
"UID" = "nibboersyo"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsaa.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TPSrv.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pgmonitr.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfweng3.02d30.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-pf-213-en-win.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iomon98.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sbserv.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7win.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\generics.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscfxas.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav95.exe]
"debugger" = "svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2F 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ssg_4104.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MalwareRemoval.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWEBGRD.EXE]
"debugger" = "svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnHTTPSToHTTPRedirect" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sgssfw32.exe]
"debugger" = "svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spyxx.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\signcheck.exe]
"debugger" = "svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldscan.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfplogvw.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxquar.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PerAvir.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qserver.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvc95.exe]
"debugger" = "svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Settings]
"ID" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fast.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cwntdwmo.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPro_2010.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntrtscan.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\whoswatchingme.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navnt.exe]
"debugger" = "svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\Ãœþø ôþúуüõýты\Ãœþø рøÑÂуýúø"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\init.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prmt.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccwin98.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avptc32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\crashrep.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgemc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blss.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onsrvr.exe]
"debugger" = "svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanhnt.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processmonitor.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bundle.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\system32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprot.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANToManager.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iface.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srexe.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msbb.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleaner3.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavproxy.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\History.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vir-help.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapw32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\n32scanw.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mssmmc32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rrguard.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscn95.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidef.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 13 23 04 18 4F B8 4F 32 F0 3E B5 BE 09 4F 2E"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\undoboot.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcp.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\savenow.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rcsync.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scrscan.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tfak.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartprotector.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoler.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmain.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsynmgr.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\homeav2010.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wininitx.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sahagent.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BDSurvey.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpromenu.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswin9xe.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msccn32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibmasn.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msdm.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taumon.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bvt.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apvxdwin.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\serv95.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bargains.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trjscan.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tgbob.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svshost.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwin95.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpf202en.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\snetcfg.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgctrl.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netscanpro.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\panixk.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrflux.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bpc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ent.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\neowatchlog.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\esafe.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fih32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PsImSvc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf9x206.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ethereal.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nssys32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ndd32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firewall.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aupdate.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\istsvc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpcc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlite40eng.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsbgate.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fact.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npssvc.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explore.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchosts.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nstask32.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msapp.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan95.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prmvr.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\system.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto-protect.nav80try.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ssgrate.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netinfo.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\backweb.exe]
"debugger" = "svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Settings]
"GConfig" = "DE 07 02 00 02 00 19 00 0D 00 32 00 07 00 9B 00"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe]
"debugger" = "svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscan.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bs120.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec16.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tvmd.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\supporter5.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mwatch.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\supftrl.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\programauditor.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winupdate.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv9.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SoftSafeness.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrt.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navstub.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdate.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vfsetup.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ostronet.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmgt.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsched.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wyvernworksfirewall.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secureveteran.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashQuick.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OAcat.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcpevalsetup.exe]
"debugger" = "svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wnad.exe]
"debugger" = "svchost.exe"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Inspector" = "%Documents and Settings%\%current user%\Application Data\Protector-her.exe"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 20 EE A3 68 6D 5C 12 8A E0 26 1A 74 9A 26 D7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Ãâ€Ã¾ÃºÑƒÃ¼ÃµÃ½Ñ‚Ñ‹"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\àðñþчøù ÑÂтþû"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\àðñþчøù ÑÂтþû"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\test\LOCALS~1\Temp\RarSFX0]
"temp.exe" = "temp"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Ãœþø ôþúуüõýты"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process ctfmon.exe:536 makes changes in the system registry.
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
The process sc.exe:520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 4E 34 BC C6 28 FB 31 0D 00 34 66 41 0C ED 9E"
The process sc.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 7C 93 C4 6E B3 31 BE 72 38 1F 9D 95 DB B4 63"
The process sc.exe:1144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 85 C6 2A 9D F7 22 D1 00 68 CD E8 03 96 C4 81"
The process sc.exe:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 12 0C 14 02 91 A2 83 D0 34 5B 5D 32 23 5C F7"
The process verclsid.exe:1648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 16 66 46 91 00 C8 D4 40 11 62 66 4D 95 F2 27"
The process mshta.exe:388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 30 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 FC 72 BC 2A E6 E6 01 07 DE 16 5D AC 3D A9 9E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process mshta.exe:1428 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 31 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F AA 1E 40 FC 18 13 C7 71 16 87 E1 BD 9C 95 38"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://dl-balancer.x.dropbox.com/u/60021057/NPSWF32.z |  |
| hxxp://duc-balancer.x.dropbox.com/u/60021057/NPSWF32.z | |
| hxxp://cmyip.com/ |  |
| dl.dropboxusercontent.com | 23.21.127.231 |
| www.cmyip.com | 198.100.149.221 |
| dl.dropbox.com | 107.21.236.243 |
| online-secure-pay.info |  |
| myrealip.info | |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Screenshot
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 71904 | 72192 | 4.54088 | ead411693117dae8deb088f5bb4a85fa |
| .rdata | 77824 | 7189 | 7680 | 3.37233 | e70f56667b8e99a1ec239fd12b1640b4 |
| .data | 86016 | 65324 | 512 | 2.43883 | 11ffdfc240c81dfe9d957f6bf1761f00 |
| .CRT | 151552 | 16 | 512 | 0.147711 | acdfc3df6b189cbcd09b1c888f95fe9a |
| .rsrc | 155648 | 16504 | 16896 | 3.22639 | 07900c12e5057f1fe09434dd1b743c9f |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 27
80284946036519ada15d3ba9a34f1bf8
646bd2f207d99b3567f8c77ea3291abc
99183afbee1d39fa811a78d9d55ef2d2
5d50bccfb3331af8a6e39de5e84d1da3
a908328cf133da6c0d17f32493f784a9
16d653e4017848cd56633bfe8059f4cd
43051cc950847fec1dfd066626f77c4d
723f7a8631637cf8a4e052a67628ed15
4855e5f5c738fff49e9bab255202f5da
04c7efa6cab5d2962703bfe9f959a223
b5c512558a20357ea37613da5ad5671b
eee915652a4daa18f789e00c65f611af
88ee3eee20a4e3e6ed15205569d2ed3e
d80c5d74fb7c47c171c0d1619d522182
234bcdc273c3b7128546045ad074584c
b5f3cf5642c009c72fc8d4b76029ce07
c5d96cb510fecd39bee49c60597923db
c235c123b3f5f42cbee73fb3c9035b37
c2328f08530499b1552853dbbcd834f1
3721ae7aa092d542303e973a1d628e88
059fc2d93e8ec2f8eebc905e78a2a37b
b623eb1829f33c7bb4aff229a39e9e98
68abf345a5b756d7eb80b44161199c20
a4bd3f38efd2572b7ca9f80ebb400fd1
a5f094157a9bf35d42dc2ccadd88ea6a
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
temp.exe:496
filesystemscan.exe:1364
%original file name%.exe:1660
sc.exe:520
sc.exe:1968
sc.exe:1144
sc.exe:2012
verclsid.exe:1648
mshta.exe:388
mshta.exe:1428 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\filesystemscan.exe (3814656 bytes)
%Documents and Settings%\%current user%\Application Data (4096 bytes)
%Documents and Settings%\%current user%\Application Data\Protector-her.exe (2012672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\result.db (535 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\cmyip[1].htm (1021 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local\settings.sol (102 bytes)
%Documents and Settings%\%current user%\àðñþчøù ÑÂтþû\Windows Telemetry Center.lnk (713 bytes)
%Documents and Settings%\All Users\Óûðòýþõ üõýю\ßрþóрðüüы\Windows Telemetry Center.lnk (735 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\temp.exe (5858644 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Inspector" = "%Documents and Settings%\%current user%\Application Data\Protector-her.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
