Virus.Win32.Expiro_cb076733c9
Win32.Expiro.CM (B) (Emsisoft), Win32.Expiro.CM (AdAware), Trojan.Win32.Alureon.FD, Virus.Win32.Expiro.FD, Virus.Win32.Expiro.FD, VirusExpiro.YR (Lavasoft MAS)
Behaviour: Trojan, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: cb076733c9685d3ea5995c133dca2595
SHA1: 69cf0e504a565fe0a5d0b949fb4a052ca2a29255
SHA256: 402e565483bd1d5990590ebb26203cb3b0d5b5d51a610be56fde43747aa67c18
SSDeep: 196608:7XbbU8FQGjzNdLQJJ8pI7VFPqgfs9cDDGZEEd2jB05d0mxew/IvzSOgofQproxtE:7XbA8OGvN6mIxFSgfsCyWkqmxewAvzxz
Size: 12096512 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: setupprocess
Created at: 2007-05-02 06:18:38
Analyzed on: WindowsXP SP3 32-bit
Summary:
Virus. A program that recursively replicates a possibly evolved copy of itself.
Payload
No specific payload has been found.
Process activity
The Virus creates the following process(es):
BBSetup.exe:1124
infocard.exe:160
MsiExec.exe:1584
%original file name%.exe:272
cidaemon.exe:1376
The Virus injects its code into the following process(es):
cisvc.exe:340
dmadmin.exe:1684
File activity
The process cisvc.exe:340 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%WinDir%\pchealth\helpctr\System\panels (4 bytes)
C:\System Volume Information\catalog.wci\00000002.ps2 (65 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
C:\System Volume Information\catalog.wci\00000002.ps1 (65 bytes)
%WinDir%\pchealth\helpctr\System\images (4 bytes)
%WinDir%\SoftwareDistribution\Download\7dc26e8888d68d9e04bc52940c0f24b5 (4 bytes)
%WinDir%\SoftwareDistribution\Download\36a2296f631a54daefcc3b56e3d990e2 (4 bytes)
%WinDir%\pchealth\helpctr\System\Remote Assistance (4 bytes)
%WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance (4 bytes)
%WinDir%\SoftwareDistribution\Download\2e6b16219034e135b4f869efb7a10fee (4 bytes)
C:\System Volume Information\catalog.wci\CiPT0000.001 (8 bytes)
C:\System Volume Information\catalog.wci\CiPT0000.000 (1680 bytes)
C:\System Volume Information\catalog.wci\CiPT0000.002 (8 bytes)
%System%\CatRoot2 (96 bytes)
C:\System Volume Information\catalog.wci\INDEX.002 (20 bytes)
C:\System Volume Information\catalog.wci\INDEX.000 (3840 bytes)
C:\System Volume Information\catalog.wci\INDEX.001 (20 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\plug_ins3d (4 bytes)
%WinDir%\SoftwareDistribution\Download\6a410a1bd174bc123056d235ac4829af (4 bytes)
%Documents and Settings%\Default User (540 bytes)
%WinDir%\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9 (4 bytes)
%WinDir%\pchealth\helpctr\System (4 bytes)
C:\$Directory (3376 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MSIec7c0.LOG (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J (4 bytes)
%Documents and Settings%\%current user%\My Documents (4 bytes)
%System%\config (108 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\PresentationFramewo# (4 bytes)
%WinDir%\Prefetch (960 bytes)
%Documents and Settings%\All Users\Application Data (4 bytes)
%WinDir%\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f (4 bytes)
%System%\CatRoot (4 bytes)
%WinDir%\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59 (4 bytes)
%WinDir%\assembly\GAC_32 (4 bytes)
%WinDir%\SoftwareDistribution\Download\da2a33b6770f970d7fe7262040f98a4f (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\mlhmlmci.tmp (3733 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.0 (4 bytes)
%System% (8936 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%Program Files%\Adobe\Reader 9.0\Resource\Font (4 bytes)
%WinDir%\SoftwareDistribution\Download\0c1e5e0ffeb238b1ee5c9ea3a4878374 (4 bytes)
%WinDir%\SoftwareDistribution\Download\b5f880834ad67f3d383ffff5f2fa46bd (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client (8 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions (4 bytes)
%Program Files%\Common Files\Microsoft Shared\OFFICE14 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\WPF (4 bytes)
%WinDir%\assembly\GAC_MSIL (36 bytes)
%Documents and Settings%\NetworkService\Local Settings (4 bytes)
%WinDir%\WinSxS\Policies (8 bytes)
%WinDir%\SoftwareDistribution\Download (45 bytes)
%System%\oobe\html (4 bytes)
%System%\sessmgr.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP (8 bytes)
%WinDir%\SoftwareDistribution\Download\f0fea42f69058000617da24986c3b109 (4 bytes)
C:\$ConvertToNonresident (4 bytes)
%WinDir%\ime (4 bytes)
%WinDir%\SoftwareDistribution\Download\196fa81559690e2494e56094df51cdd8 (4 bytes)
%Documents and Settings%\%current user%\Cookies (96 bytes)
C:\ (8 bytes)
%Documents and Settings%\%current user%\Favorites (4 bytes)
%WinDir%\SoftwareDistribution\Download\621a08ac003b616bcaa86aa4d4292d50 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (8 bytes)
C:\System Volume Information\catalog.wci\CiST0000.000 (240 bytes)
C:\System Volume Information\catalog.wci\CiP10000.000 (5280 bytes)
C:\System Volume Information\catalog.wci\CiP10000.001 (16 bytes)
C:\System Volume Information\catalog.wci\CiP10000.002 (20 bytes)
%WinDir%\Microsoft.NET\assembly\GAC_32 (4 bytes)
%System%\dllhost.exe (4185 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation (4 bytes)
%Documents and Settings%\LocalService (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0c52c03306062533f7dcb087bfcfa6b (4 bytes)
%System%\config\AppEvent.Evt (1264 bytes)
%WinDir%\WinSxS (12 bytes)
%WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US (4 bytes)
%WinDir% (972 bytes)
%WinDir%\pchealth\helpctr\OfflineCache (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users (4 bytes)
%WinDir%\SoftwareDistribution\Download\e0c0da396303f1dd2c82cd2ccc07020d (4 bytes)
%WinDir%\SoftwareDistribution\Download\e79028ac4f02e201b61b2c632cb0fc5e (4 bytes)
C:\PROGRAM FILES (8 bytes)
%WinDir%\Help\Tours\WindowsMediaPlayer\Img (4 bytes)
%WinDir%\SoftwareDistribution\Download\8b9a83d2cde55eb19dc502cc2dd04e0d (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32 (28 bytes)
%WinDir%\SoftwareDistribution\Download\bc81666f3868f34642e3f5adbc2719f9 (4 bytes)
C:\System Volume Information\catalog.wci\CiVP0000.000 (240 bytes)
%Documents and Settings% (8 bytes)
%Documents and Settings%\Default User\Local Settings (4 bytes)
%WinDir%\$hf_mig$ (8 bytes)
%System%\spool\XPSEP\amd64 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles (4 bytes)
%WinDir%\ime\imjp8_1 (4 bytes)
%WinDir%\SoftwareDistribution\Download\e8252bbfa91fcf5afb38775b18691074 (4 bytes)
%Program Files%\Adobe\Reader 9.0\Resource (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\dadacani.tmp (7972 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0 (8 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft (4 bytes)
%WinDir%\Help\Tours\WindowsMediaPlayer (4 bytes)
%Documents and Settings%\NetworkService (4 bytes)
%System%\aakckbok.tmp (3703 bytes)
%WinDir%\SoftwareDistribution\Download\8bb5f1c638778df6b77d80bc61ffc63c (4 bytes)
%WinDir%\SoftwareDistribution\Download\b91377d1d56820d9d699c0c2dc7c8e80 (4 bytes)
%WinDir%\SoftwareDistribution\Download\30438597a812a5d1d7979088d451747f (4 bytes)
%System%\oobe (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft (4 bytes)
%Program Files%\Microsoft Office\Office14 (4 bytes)
%System%\config\SysEvent.Evt (456 bytes)
%WinDir%\Temp (4 bytes)
%WinDir%\Installer (192 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\PresentationFramewo# (4 bytes)
%WinDir%\SoftwareDistribution\Download\ee4e3d4bf0d346e1b8fdee8197195e59 (4 bytes)
%WinDir%\SoftwareDistribution\Download\211409fc1d99b95b32fb0344cad140df (4 bytes)
%Documents and Settings%\All Users (4 bytes)
%WinDir%\SoftwareDistribution\Download\dffcab319e36b852e5b2d51802010a7a (4 bytes)
C:\System Volume Information\catalog.wci\CiP20000.002 (20 bytes)
C:\System Volume Information\catalog.wci\CiP20000.001 (16 bytes)
C:\System Volume Information\catalog.wci\CiP20000.000 (5280 bytes)
%WinDir%\SoftwareDistribution\Download\299840a657dd26ca3bbf3cee3ec999ba (4 bytes)
%WinDir%\pchealth\helpctr (4 bytes)
%WinDir%\SoftwareDistribution\Download\e5c5fc9bd7a4957f0a45c6db2957c5c9 (4 bytes)
%WinDir%\SoftwareDistribution\Download\c656e6c592787a464f852186d6e0b466 (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0 (8 bytes)
%System%\nikpbefm.tmp (3785 bytes)
%WinDir%\SoftwareDistribution\Download\906245b7f0992255b054322b77475594 (4 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\ime\imkr6_1 (4 bytes)
C:\System Volume Information\catalog.wci\propstor.bk2 (32328 bytes)
C:\System Volume Information\catalog.wci\propstor.bk1 (16960 bytes)
%WinDir%\pchealth\helpctr\System\sysinfo\graphics (4 bytes)
%WinDir%\SoftwareDistribution\Download\248802b74506342031e926839639c729 (4 bytes)
%WinDir%\SoftwareDistribution\Download\cb88a2f03b29735db957d61a63df6504 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers (4 bytes)
%WinDir%\SoftwareDistribution\Download\21156e54b0f0f47f81dab4a39e109501 (4 bytes)
%Documents and Settings%\All Users\Documents\My Music (4 bytes)
%Program Files%\Windows NT (4 bytes)
%WinDir%\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d (4 bytes)
%System%\mpcjkned.tmp (3678 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment (4 bytes)
%WinDir%\Web (4 bytes)
%System%\neijblpa.tmp (3679 bytes)
C:\totalcmd (4 bytes)
%Program Files%\Common Files\System (4 bytes)
%Program Files%\Windows Media Player (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (440 bytes)
%WinDir%\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df (4 bytes)
%WinDir%\AppPatch (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG (4 bytes)
%WinDir%\SoftwareDistribution\Download\6b7f938fb3db15dab273f3f1702c318c (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 (384 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles (8 bytes)
%WinDir%\msagent (4 bytes)
%Program Files%\Movie Maker\Shared (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc8ea6c22fd142de8dd67336d23310cf (4 bytes)
%System%\wbem (1064 bytes)
%WinDir%\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944 (4 bytes)
%WinDir%\SoftwareDistribution\Download\21cbd3f70584651805685eba1753505f (4 bytes)
%WinDir%\SoftwareDistribution\Download\b6f4642d2b8dc03c5ce1b1a4f77b1bda (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader (96 bytes)
%WinDir%\SoftwareDistribution\Download\9460002f6d8231358fc1eb590f9b1dce (4 bytes)
%System%\cbdgekje.tmp (3812 bytes)
C:\System Volume Information\catalog.wci (8 bytes)
%WinDir%\Microsoft.NET\Framework (96 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (4545 bytes)
%WinDir%\REGISTRATION (4 bytes)
%System%\spool\XPSEP\i386 (4 bytes)
%WinDir%\SoftwareDistribution\Download\1c47f41cc76cde4c629564d7564f2795 (4 bytes)
%WinDir%\SoftwareDistribution\Download\57b4b90cc3eead9f6c29b58581d03ae4 (4 bytes)
%WinDir%\SoftwareDistribution\Download\2c95b28351986132d7f36dd28eece9b0 (4 bytes)
%Program Files%\Movie Maker (4 bytes)
%System%\config\systemprofile\Start Menu\Programs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (16 bytes)
%System%\netdde.exe (4545 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\System.DirectorySer# (4 bytes)
%System%\msdtc.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings (8 bytes)
C:\System Volume Information\catalog.wci\CiSP0000.000 (4560 bytes)
C:\System Volume Information\catalog.wci\CiSP0000.001 (16 bytes)
C:\System Volume Information\catalog.wci\CiSP0000.002 (16 bytes)
%WinDir%\Microsoft.NET\assembly\GAC_MSIL (28 bytes)
%WinDir%\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig (4 bytes)
%System%\config\systemprofile\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32 (28 bytes)
%WinDir%\SoftwareDistribution\Download\bc529fa49cb2cb097fdf1e22d25872da (4 bytes)
%WinDir%\Prefetch\INFOCARD.EXE-14622E55.pf (28 bytes)
%WinDir%\SoftwareDistribution\Download\e104dcd29adf1c6c473a5efad2d509be (4 bytes)
%WinDir%\Installer\e493a.msi (756 bytes)
%Program Files%\Common Files\Adobe\Acrobat\ActiveX (4 bytes)
%WinDir%\pchealth\helpctr\Config (4 bytes)
C:\System Volume Information\catalog.wci\cicat.hsh (12 bytes)
%Documents and Settings%\All Users\Documents (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727 (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (4 bytes)
%System%\drivers (32 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\System.ServiceModel# (4 bytes)
%Program Files%\Common Files\Microsoft Shared\DW (4 bytes)
%WinDir%\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2 (4 bytes)
%WinDir%\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975 (4 bytes)
%WinDir%\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6 (4 bytes)
C:\System Volume Information (4 bytes)
%WinDir%\SoftwareDistribution\Download\cedca0128a48437390192d906f83a717 (4 bytes)
%WinDir%\Help (248 bytes)
%WinDir%\security (4 bytes)
%WinDir%\SoftwareDistribution\Download\a4c07d9275eb613d842cb1e140d8a426 (4 bytes)
%WinDir%\pchealth\helpctr\System\sysinfo (4 bytes)
%System%\config\systemprofile (4 bytes)
C:\System Volume Information\catalog.wci\CiCL0001.000 (480 bytes)
%WinDir%\SoftwareDistribution\Download\17e46901add634f15d293735648771e6 (4 bytes)
%WinDir%\SoftwareDistribution\Download\50e2c72fd814d3841e776dd2c4918260 (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0e4033a7ec549e982572f0d830cf5d0 (4 bytes)
%WinDir%\SoftwareDistribution\Download\0000894bab70b145c3629920ba907f7a (4 bytes)
%WinDir%\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154 (4 bytes)
%WinDir%\Installer\$PatchCache$\Managed (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft (4 bytes)
%WinDir%\Web\printers (4 bytes)
%System%\config\systemprofile\Local Settings (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security (4 bytes)
%WinDir%\assembly (4 bytes)
%WinDir%\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e (4 bytes)
%Program Files%\Internet Explorer (4 bytes)
%System%\mui (4 bytes)
C:\System Volume Information\catalog.wci\cicat.fid (44 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b0.dat (4 bytes)
%WinDir%\SoftwareDistribution\Download\f2adb0f8440e5dbd459aa6bfcaed1ba5 (4 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.5 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.5 (12 bytes)
%Documents and Settings%\LocalService\Local Settings (4 bytes)
%Program Files%\COMMON FILES (4 bytes)
%WinDir%\SoftwareDistribution\Download\23e79e5fb28793d8cb1c2055b0d8dcb9 (4 bytes)
%Program Files%\Common Files\Microsoft Shared (4 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists (4 bytes)
%Documents and Settings%\Default User\Start Menu\Programs (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\System.DirectorySer# (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard (4 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft (4 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\plug_ins (4 bytes)
%System%\oobe\html\mouse (4 bytes)
%System%\wbem\Logs (8 bytes)
%WinDir%\SoftwareDistribution\Download\abaf10b7d55d3716fbb63e0b568cb4b6 (4 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft (4 bytes)
%WinDir%\SoftwareDistribution\Download\163d01893aa68b49abc63d8d6c9a7bb2 (4 bytes)
C:\System Volume Information\catalog.wci\CiSL0001.000 (240 bytes)
C:\System Volume Information\catalog.wci\CiFLfffd.000 (480 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualBas# (4 bytes)
%System%\mnmsrvc.exe (4185 bytes)
The Virus deletes the following file(s):
%System%\cbdgekje.tmp (0 bytes)
%System%\neijblpa.tmp (0 bytes)
%System%\mpcjkned.tmp (0 bytes)
%System%\aakckbok.tmp (0 bytes)
%System%\nikpbefm.tmp (0 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\mlhmlmci.tmp (0 bytes)
C:\System Volume Information\catalog.wci\00000001.ps2 (0 bytes)
C:\System Volume Information\catalog.wci\00000001.ps1 (0 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\dadacani.tmp (0 bytes)
The process BBSetup.exe:1124 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\4A896A32D4E3413AA9A0F879EAEF04DF\BBSetupConfig.xml (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MSIec7c0.LOG (190 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
The Virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\4A896A32D4E3413AA9A0F879EAEF04DF (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4A896A32D4E3413AA9A0F879EAEF04DF\BBSetupConfig.xml (0 bytes)
The process %original file name%.exe:272 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PF.cab (187080 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\dlejknpg.tmp (3798 bytes)
%System%\nmlmjcen.tmp (3679 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (9098 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BingBarPartnerConfig.cab (7 bytes)
%System%\clipsrv.exe (4185 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (4185 bytes)
%System%\jpfilhdf.tmp (3896 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\njakmpdb.tmp (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BBSetupConfig.xml (2 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\lhddmehn.tmp (3697 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BBSetup.exe (3624 bytes)
%System%\dmadmin.exe (5873 bytes)
%System%\finngebb.tmp (3679 bytes)
%System%\mqkdhfhm.tmp (3705 bytes)
%System%\cisvc.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BingBar.msi (14377 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PD.cab (1290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP (4 bytes)
The Virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PF.cab (0 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\dlejknpg.tmp (0 bytes)
%System%\nmlmjcen.tmp (0 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\njakmpdb.tmp (0 bytes)
%System%\mqkdhfhm.tmp (0 bytes)
%System%\jpfilhdf.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BingBarPartnerConfig.cab (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BBSetupConfig.xml (0 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\lhddmehn.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BBSetup.exe (0 bytes)
%System%\finngebb.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BingBar.msi (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PD.cab (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP (0 bytes)
The process dmadmin.exe:1684 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user% (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content (8 bytes)
%WinDir% (300 bytes)
%System%\config (8 bytes)
C:\$Directory (1752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP (4 bytes)
%WinDir%\Installer (96 bytes)
C:\System Volume Information\catalog.wci (4 bytes)
%System% (6448 bytes)
Registry activity
The process cisvc.exe:340 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKCR\EngUSWrdBrk.EngUSWrdBrk]
"(Default)" = "EngUSWrdBrk Class"
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}\InprocServer32]
"(Default)" = "%System%\query.dll"
[HKCR\MSIDXS]
"(Default)" = "Microsoft OLE DB Provider for Indexing Service"
[HKCR\IXSSO.Query\CurVer]
"(Default)" = "IXSSO.Query.3"
[HKCR\CLSID\{363F1015-FD5F-4ba8-AC58-29634F378A42}\ProgID]
"(Default)" = "EngUKWrdBrk.EngUKWrdBrk.1"
[HKCR\IXSSO.Util.2\CLSID]
"(Default)" = "{0C16C27E-A6E7-11D0-BFC3-0020F8008024}"
[HKCR\CLSID\{0285b5c0-12c7-11ce-bd31-00aa004bbb1f}\InprocServer32]
"(Default)" = "infosoft.dll"
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}\VersionIndependentProgID]
"(Default)" = "MSIDXS"
[HKCR\CLSID\{c1243ca0-bf96-11cd-b579-08002b30bfeb}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{C7B6C04A-CBB5-11d0-BB4C-00C04FC2F410}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{98de59a0-d175-11cd-a7bd-00006b827d94}]
"(Default)" = "Microsoft Office Persistent Handler"
[HKCR\CLSID\{91870674-DE84-4313-B07D-A387415BB4F5}\ProgID]
"(Default)" = "ItlItlWrdBrk.ItlItlWrdBrk.1"
[HKCR\CLSID\{3BC4F3A1-652A-11D1-B4D4-00C04FC2DB8D}]
"(Default)" = "Microsoft Index Server Administration Object"
[HKCR\CLSID\{F14E6B48-FBCA-4d32-BD79-7829D4F7E43B}\VersionIndependentProgID]
"(Default)" = "FrnFrnWrdBrk.FrnFrnWrdBrk"
[HKCR\CLSID\{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}\VersionIndependentProgID]
"(Default)" = "Microsoft.ISScopeAdm"
[HKCR\CLSID\{0C16C27E-A6E7-11D0-BFC3-0020F8008024}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\.htw\PersistentHandler]
"(Default)" = "{eec97550-47a9-11cf-b952-00aa0051fe20}"
[HKCR\.css\PersistentHandler]
"(Default)" = "{eec97550-47a9-11cf-b952-00aa0051fe20}"
[HKCR\CLSID\{AA205A4D-681F-11D0-A243-08002B36FCA4}\InprocServer32]
"(Default)" = "query.dll"
[HKCR\CLSID\{9478f640-7f1c-11ce-be57-00aa0051fe20}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{1F247DC0-902E-11D0-A80C-00A0C906241A}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{6d36ce10-7f1c-11ce-be57-00aa0051fe20}]
"(Default)" = "Italian_Italian Stemmer"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Neutral]
"WBreakerClass" = "{369647e0-17b0-11ce-9950-00aa004bbb1f}"
[HKCR\CLSID\{91870674-DE84-4313-B07D-A387415BB4F5}\InprocServer32]
"(Default)" = "%System%\LangWrbk.dll"
[HKCR\CLSID\{80A3E9B0-A246-11D3-BB8C-0090272FA362}\VersionIndependentProgID]
"(Default)" = "EngUSWrdBrk.EngUSWrdBrk"
[HKCR\CLSID\{01c6b350-12c7-11ce-bd31-00aa004bbb1f}\InprocServer32]
"(Default)" = "infosoft.dll"
[HKCR\CLSID\{00020811-0000-0000-C000-000000000046}\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\CLSID\{860d28d0-8bf4-11ce-be59-00aa0051fe20}\InprocServer32]
"(Default)" = "infosoft.dll"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_US]
"StemmerClass" = "{eeed4c20-7f1b-11ce-be57-00aa0051fe20}"
[HKCR\CLSID\{1F247DC0-902E-11D0-A80C-00A0C906241A}\InprocServer32]
"(Default)" = "query.dll"
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}\ExtendedErrors]
"(Default)" = "Extended Error Service"
[HKCR\.stm\PersistentHandler]
"(Default)" = "{eec97550-47a9-11cf-b952-00aa0051fe20}"
[HKCR\IXSSO.Query.2]
"(Default)" = "Indexing Service Query SSO V2."
[HKCR\CLSID\{5645C8C0-E277-11CF-8FDA-00AA00A14F93}]
"(Default)" = "NNTP filter"
[HKCR\CLSID\{5645C8C0-E277-11CF-8FDA-00AA00A14F93}\PersistentHandler]
"(Default)" = "{5645C8C1-E277-11CF-8FDA-00AA00A14F93}"
[HKCR\.xlc\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\CLSID\{0C16C27E-A6E7-11D0-BFC3-0020F8008024}]
"(Default)" = "Indexing Service Utility SSO V2."
[HKCR\CLSID\{3BC4F3A1-652A-11D1-B4D4-00C04FC2DB8D}\InprocServer32]
"(Default)" = "%System%\ciodm.dll"
[HKCR\ItlItlWrdBrk.ItlItlWrdBrk.1]
"(Default)" = "ItlItlWrdBrk Class"
[HKCR\MSIDXS ErrorLookup\Clsid]
"(Default)" = "{F9AE8981-7E52-11d0-8964-00C04FD611D7}"
[HKCR\CLSID\{C04EFA90-E221-11D2-985E-00C04F575153}\InProcServer32]
"(Default)" = "%System%\query.dll"
[HKCR\CLSID\{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}\PersistentHandler]
"(Default)" = "{098f2470-bae0-11cd-b579-08002b30bfeb}"
[HKCR\CLSID\{510a4910-7f1c-11ce-be57-00aa0051fe20}]
"(Default)" = "German_German Stemmer"
[HKCR\CLSID\{95ad72f0-44ce-11d0-ae29-00aa004b9986}]
"(Default)" = "Indexing Service Snapin"
[HKCR\IXSSO.Query.3]
"(Default)" = "Indexing Service Query SSO V3."
[HKCR\CLSID\{3BC4F3A1-652A-11D1-B4D4-00C04FC2DB8D}\ProgID]
"(Default)" = "Microsoft.ISAdm.1"
[HKCR\CLSID\{F14E6B48-FBCA-4d32-BD79-7829D4F7E43B}]
"(Default)" = "FrnFrnWrdBrk Class"
[HKCR\IXSSO.Util]
"(Default)" = "Indexing Service Utility SSO V2."
[HKCR\MSIDXS\Clsid]
"(Default)" = "{F9AE8980-7E52-11d0-8964-00C04FD611D7}"
[HKCR\CLSID\{6d36ce10-7f1c-11ce-be57-00aa0051fe20}\InprocServer32]
"(Default)" = "infosoft.dll"
[HKCR\CLSID\{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}\InprocServer32]
"(Default)" = "%System%\ciodm.dll"
[HKCR\CLSID\{00020C01-0000-0000-C000-000000000046}\PersistentHandler]
"(Default)" = "{098f2470-bae0-11cd-b579-08002b30bfeb}"
[HKCR\CLSID\{5e941d80-bf96-11cd-b579-08002b30bfeb}]
"(Default)" = "Plain Text persistent handler"
[HKCR\CLSID\{b0516ff0-7f1c-11ce-be57-00aa0051fe20}]
"(Default)" = "Spanish_Modern Stemmer"
[HKCR\Microsoft Internet News Message\CLSID]
"(Default)" = "{5645C8C0-E277-11CF-8FDA-00AA00A14F93}"
[HKCR\CLSID\{e0ca5340-4534-11cf-b952-00aa0051fe20}\InprocServer32]
"(Default)" = "nlhtml.dll"
[HKCR\IXSSO.Query\CLSID]
"(Default)" = "{EAFDF8B3-3BE5-4E05-BF86-1E486B2FEF9D}"
[HKCR\CLSID\{363F1015-FD5F-4ba8-AC58-29634F378A42}\InprocServer32]
"(Default)" = "%System%\LangWrbk.dll"
[HKCR\CLSID\{EAFDF8B3-3BE5-4E05-BF86-1E486B2FEF9D}\InProcServer32]
"(Default)" = "%System%\ixsso.dll"
[HKCR\Interface\{F4EB8260-8DDA-11D1-B3AA-00A0C9063796}]
"(Default)" = "IFilterStatus"
[HKCR\CLSID\{80A3E9B0-A246-11D3-BB8C-0090272FA362}\ProgID]
"(Default)" = "EngUSWrdBrk.EngUSWrdBrk.1"
[HKCR\CLSID\{EAFDF8B3-3BE5-4E05-BF86-1E486B2FEF9D}]
"(Default)" = "Indexing Service Query SSO V3."
[HKCR\CLSID\{f07f3920-7b8c-11cf-9be8-00aa004b9986}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\.odc\PersistentHandler]
"(Default)" = "{eec97550-47a9-11cf-b952-00aa0051fe20}"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\German_German]
"StemmerClass" = "{510a4910-7f1c-11ce-be57-00aa0051fe20}"
[HKCR\CLSID\{fd86b5d0-12c6-11ce-bd31-00aa004bbb1f}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\PersistentHandler]
"(Default)" = "{098f2470-bae0-11cd-b579-08002b30bfeb}"
[HKCR\CLSID\{66b37110-8bf2-11ce-be59-00aa0051fe20}]
"(Default)" = "Dutch_Dutch Word Breaker"
[HKCR\CLSID\{eeed4c20-7f1b-11ce-be57-00aa0051fe20}\InprocServer32]
"(Default)" = "infosoft.dll"
[HKCR\CLSID\{EA7BAE71-FB3B-11CD-A903-00AA00510EA3}\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\CLSID\{fd86b5d0-12c6-11ce-bd31-00aa004bbb1f}]
"(Default)" = "Italian_Italian Word Breaker"
[HKCR\IXSSO.Query.2\CLSID]
"(Default)" = "{A4463024-2B6F-11D0-BFBC-0020F8008024}"
[HKCR\CLSID\{f07f3920-7b8c-11cf-9be8-00aa004b9986}\InprocServer32]
"(Default)" = "OffFilt.dll"
[HKCR\CLSID\{80A3E9B0-A246-11D3-BB8C-0090272FA362}\InprocServer32]
"ThreadingModel" = "Free"
[HKCR\CLSID\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
"(Default)" = "{5645C8C2-E277-11CF-8FDA-00AA00A14F93}"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\French_French]
"StemmerClass" = "{2a6eb050-7f1c-11ce-be57-00aa0051fe20}"
[HKCR\.htm\PersistentHandler]
"(Default)" = "{eec97550-47a9-11cf-b952-00aa0051fe20}"
[HKCR\CLSID\{c3278e90-bea7-11cd-b579-08002b30bfeb}]
"(Default)" = "Null filter"
[HKCR\CLSID\{D3E34B21-9D75-101A-8C3D-00AA001A1652}\PersistentHandler]
"(Default)" = "{098f2470-bae0-11cd-b579-08002b30bfeb}"
[HKCR\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\PersistentHandler]
"(Default)" = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKCR\CLSID\{1F7E6C6D-C3F8-4c80-8D77-C4825ABBE5CF}\InprocServer32]
"ThreadingModel" = "Free"
[HKCR\Microsoft.ISScopeAdm]
"(Default)" = "Microsoft Index Server Scope Administration Object"
[HKCR\.pot\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\CLSID\{c1243ca0-bf96-11cd-b579-08002b30bfeb}]
"(Default)" = "Plain Text filter"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\German_German]
"WBreakerClass" = "{9b08e210-e51b-11cd-bc7f-00aa003db18e}"
[HKCR\CLSID\{AA205A4D-681F-11D0-A243-08002B36FCA4}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Swedish_Default]
"Locale" = "1053"
[HKCR\CLSID\{5645C8C3-E277-11CF-8FDA-00AA00A14F93}\PersistentHandler]
"(Default)" = "{5645C8C4-E277-11CF-8FDA-00AA00A14F93}"
[HKCR\CLSID\{369647e0-17b0-11ce-9950-00aa004bbb1f}]
"(Default)" = "Neutral Word Breaker"
[HKCR\CLSID\{A4463024-2B6F-11D0-BFBC-0020F8008024}\ProgID]
"(Default)" = "IXSSO.Query.2"
[HKCR\CLSID\{1F7E6C6D-C3F8-4c80-8D77-C4825ABBE5CF}\ProgID]
"(Default)" = "SpnMdrWrdBrk.SpnMdrWrdBrk.1"
[HKCR\CLSID\{78fe669a-186e-4108-96e9-77b586c1332f}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{00020810-0000-0000-C000-000000000046}\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\French_French]
"WBreakerClass" = "{59e09848-8099-101b-8df3-00000b65c3b5}"
[HKCR\EngUKWrdBrk.EngUKWrdBrk.1]
"(Default)" = "EngUKWrdBrk Class"
[HKCR\CLSID\{78fe669a-186e-4108-96e9-77b586c1332f}\InprocServer32]
"(Default)" = "query.dll"
[HKCR\CLSID\{2a6eb050-7f1c-11ce-be57-00aa0051fe20}]
"(Default)" = "French_French Stemmer"
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}\ExtendedErrors\{F9AE8981-7E52-11d0-8964-00C04FD611D7}]
"(Default)" = "MSIDXS Error Lookup"
[HKCR\CLSID\{C04EFA90-E221-11D2-985E-00C04F575153}]
"(Default)" = "PSFactoryBuffer"
[HKCR\CLSID\{59e09848-8099-101b-8df3-00000b65c3b5}\InprocServer32]
"(Default)" = "infosoft.dll"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Spanish_Modern]
"WBreakerClass" = "{0285b5c0-12c7-11ce-bd31-00aa004bbb1f}"
[HKCR\Microsoft.ISCatAdm.1]
"(Default)" = "Microsoft Index Server Catalog Administration Object"
[HKCR\Microsoft Internet Mail Message]
"(Default)" = "Internet E-Mail Message"
[HKCR\CLSID\{F9AE8981-7E52-11d0-8964-00C04FD611D7}]
"(Default)" = "MSIDXS ErrorLookup"
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}]
"(Default)" = "MSIDXS"
[HKCR\CLSID\{1E9685E6-DB6D-11d0-BB63-00C04FC2F410}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{95ad72f0-44ce-11d0-ae29-00aa004b9986}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{9478f640-7f1c-11ce-be57-00aa0051fe20}]
"(Default)" = "Swedish_Default Stemmer"
[HKCR\FrnFrnWrdBrk.FrnFrnWrdBrk.1\CLSID]
"(Default)" = "{F14E6B48-FBCA-4d32-BD79-7829D4F7E43B}"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Italian_Italian]
"StemmerClass" = "{6d36ce10-7f1c-11ce-be57-00aa0051fe20}"
[HKCR\ItlItlWrdBrk.ItlItlWrdBrk]
"(Default)" = "ItlItlWrdBrk Class"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Italian_Italian]
"Locale" = "1040"
[HKCR\CLSID\{3BC4F3A1-652A-11D1-B4D4-00C04FC2DB8D}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Microsoft.ISCatAdm\CurVer]
"(Default)" = "Microsoft.ISCatAdm.1"
[HKCR\IXSSO.Query]
"(Default)" = "Indexing Service Query SSO V3."
[HKCR\CLSID\{C7B6C04A-CBB5-11d0-BB4C-00C04FC2F410}\InprocServer32]
"(Default)" = "%System%\query.dll"
[HKCR\CLSID\{5645C8C2-E277-11CF-8FDA-00AA00A14F93}\InprocServer32]
"(Default)" = "%System%\mimefilt.dll"
[HKCR\CLSID\{e0ca5340-4534-11cf-b952-00aa0051fe20}]
"(Default)" = "HTML filter"
[HKCR\.htx\PersistentHandler]
"(Default)" = "{eec97550-47a9-11cf-b952-00aa0051fe20}"
[HKCR\CLSID\{0285b5c0-12c7-11ce-bd31-00aa004bbb1f}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_UK]
"StemmerClass" = "{d99f7670-7f1a-11ce-be57-00aa0051fe20}"
[HKLM\System\CurrentControlSet\Control\Server Applications]
"{95AD72F0-44CE-11D0-AE29-00AA004B9986}" = "Indexing Service"
[HKCR\CLSID\{C7B6C04A-CBB5-11d0-BB4C-00C04FC2F410}\VersionIndependentProgID]
"(Default)" = "ISSimpleCommandCreator"
[HKCR\CLSID\{510a4910-7f1c-11ce-be57-00aa0051fe20}\InprocServer32]
"(Default)" = "infosoft.dll"
[HKCR\SpnMdrWrdBrk.SpnMdrWrdBrk.1\CLSID]
"(Default)" = "{1F7E6C6D-C3F8-4c80-8D77-C4825ABBE5CF}"
[HKCR\CLSID\{b0516ff0-7f1c-11ce-be57-00aa0051fe20}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{9b08e210-e51b-11cd-bc7f-00aa003db18e}\InprocServer32]
"(Default)" = "infosoft.dll"
[HKCR\CLSID\{EAFDF8B3-3BE5-4E05-BF86-1E486B2FEF9D}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{F9AE8981-7E52-11d0-8964-00C04FD611D7}\VersionIndependentProgID]
"(Default)" = "MSIDXSErrorLookup"
[HKCR\CLSID\{5e941d80-bf96-11cd-b579-08002b30bfeb}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
"(Default)" = "{c1243ca0-bf96-11cd-b579-08002b30bfeb}"
[HKCR\EngUKWrdBrk.EngUKWrdBrk.1\CLSID]
"(Default)" = "{363F1015-FD5F-4ba8-AC58-29634F378A42}"
[HKCR\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\SpnMdrWrdBrk.SpnMdrWrdBrk.1]
"(Default)" = "SpnMdrWrdBrk Class"
[HKLM\SOFTWARE\Microsoft\MMC\SnapIns\{95AD72F0-44CE-11D0-AE29-00AA004B9986}]
"About" = "{95ad72f0-44ce-11d0-ae29-00aa004b9986}"
[HKCR\CLSID\{95ad72f0-44ce-11d0-ae29-00aa004b9986}\InprocServer32]
"(Default)" = "CIAdmin.dll"
[HKCR\EngUSWrdBrk.EngUSWrdBrk.1]
"(Default)" = "EngUSWrdBrk Class"
[HKCR\.asp\PersistentHandler]
"(Default)" = "{eec97550-47a9-11cf-b952-00aa0051fe20}"
[HKCR\CLSID\{6d36ce10-7f1c-11ce-be57-00aa0051fe20}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{C7B6C04A-CBB5-11d0-BB4C-00C04FC2F410}\ProgID]
"(Default)" = "ISSimpleCommandCreator.1"
[HKCR\CLSID\{91870674-DE84-4313-B07D-A387415BB4F5}]
"(Default)" = "ItlItlWrdBrk Class"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 2A 5C 0A E5 F6 7E D0 31 33 4A 96 B6 7B DF 10"
[HKCR\Microsoft.ISAdm.1]
"(Default)" = "Microsoft Index Server Administration Object"
[HKCR\CLSID\{b0516ff0-7f1c-11ce-be57-00aa0051fe20}\InprocServer32]
"(Default)" = "infosoft.dll"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Italian_Italian]
"WBreakerClass" = "{fd86b5d0-12c6-11ce-bd31-00aa004bbb1f}"
[HKCR\CLSID\{9478f640-7f1c-11ce-be57-00aa0051fe20}\InprocServer32]
"(Default)" = "infosoft.dll"
[HKLM\SOFTWARE\Microsoft\MMC\SnapIns\{95AD72F0-44CE-11D0-AE29-00AA004B9986}]
"Version" = "1.0"
[HKCR\CLSID\{2a6eb050-7f1c-11ce-be57-00aa0051fe20}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\SpnMdrWrdBrk.SpnMdrWrdBrk\CurVer]
"(Default)" = "SpnMdrWrdBrk.SpnMdrWrdBrk.1"
[HKCR\CLSID\{1F247DC0-902E-11D0-A80C-00A0C906241A}]
"(Default)" = "Content Index ISearch Creator Object"
[HKCR\.eml]
"(Default)" = "Microsoft Internet Mail Message"
[HKCR\.ascx\PersistentHandler]
"(Default)" = "{eec97550-47a9-11cf-b952-00aa0051fe20}"
[HKCR\Interface\{F4EB8260-8DDA-11D1-B3AA-00A0C9063796}\ProxyStubClsid32]
"(Default)" = "{C04EFA90-E221-11D2-985E-00C04F575153}"
[HKCR\CLSID\{91870674-DE84-4313-B07D-A387415BB4F5}\VersionIndependentProgID]
"(Default)" = "ItlItlWrdBrk.ItlItlWrdBrk"
[HKCR\CLSID\{00022603-0000-0000-C000-000000000046}\PersistentHandler]
"(Default)" = "{098f2470-bae0-11cd-b579-08002b30bfeb}"
[HKCR\CLSID\{01c6b350-12c7-11ce-bd31-00aa004bbb1f}]
"(Default)" = "Swedish_Default Word Breaker"
[HKCR\CLSID\{2A488070-6FD9-11D0-A808-00A0C906241A}]
"(Default)" = "File System Client DocStore Locator Object"
[HKCR\CLSID\{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{00022602-0000-0000-C000-000000000046}\PersistentHandler]
"(Default)" = "{098f2470-bae0-11cd-b579-08002b30bfeb}"
[HKCR\.aspx\PersistentHandler]
"(Default)" = "{eec97550-47a9-11cf-b952-00aa0051fe20}"
[HKCR\CLSID\{d99f7670-7f1a-11ce-be57-00aa0051fe20}\InprocServer32]
"(Default)" = "infosoft.dll"
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}\ProgID]
"(Default)" = "MSIDXS.1"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Swedish_Default]
"StemmerClass" = "{9478f640-7f1c-11ce-be57-00aa0051fe20}"
[HKCR\CLSID\{59e09848-8099-101b-8df3-00000b65c3b5}]
"(Default)" = "French_French Word Breaker"
[HKCR\CLSID\{1F7E6C6D-C3F8-4c80-8D77-C4825ABBE5CF}]
"(Default)" = "SpnMdrWrdBrk Class"
[HKCR\Microsoft.ISAdm.1\CLSID]
"(Default)" = "{3BC4F3A1-652A-11D1-B4D4-00C04FC2DB8D}"
[HKCR\Microsoft.ISScopeAdm\CurVer]
"(Default)" = "Microsoft.ISScopeAdm.1"
[HKCR\CLSID\{9b08e210-e51b-11cd-bc7f-00aa003db18e}]
"(Default)" = "German_German Word Breaker"
[HKCR\CLSID\{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}\PersistentHandler]
"(Default)" = "{098f2470-bae0-11cd-b579-08002b30bfeb}"
[HKCR\EngUSWrdBrk.EngUSWrdBrk.1\CLSID]
"(Default)" = "{80A3E9B0-A246-11D3-BB8C-0090272FA362}"
[HKCR\.html\PersistentHandler]
"(Default)" = "{eec97550-47a9-11cf-b952-00aa0051fe20}"
[HKCR\SpnMdrWrdBrk.SpnMdrWrdBrk]
"(Default)" = "SpnMdrWrdBrk Class"
[HKCR\CLSID\{80A3E9B0-A246-11D3-BB8C-0090272FA362}\InprocServer32]
"(Default)" = "%System%\LangWrbk.dll"
[HKCR\CLSID\{5645C8C3-E277-11CF-8FDA-00AA00A14F93}]
"(Default)" = "NNTP filter"
[HKCR\CLSID\{EA7BAE70-FB3B-11CD-A903-00AA00510EA3}\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\.nws]
"(Default)" = "Microsoft Internet News Message"
[HKCR\Microsoft.ISScopeAdm.1\CLSID]
"(Default)" = "{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}"
[HKCR\.xls\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\ItlItlWrdBrk.ItlItlWrdBrk.1\CLSID]
"(Default)" = "{91870674-DE84-4313-B07D-A387415BB4F5}"
[HKCR\CLSID\{098f2470-bae0-11cd-b579-08002b30bfeb}]
"(Default)" = "Null persistent handler"
[HKCR\CLSID\{860d28d0-8bf4-11ce-be59-00aa0051fe20}]
"(Default)" = "Dutch_Dutch Stemmer"
[HKCR\EngUSWrdBrk.EngUSWrdBrk\CurVer]
"(Default)" = "EngUSWrdBrk.EngUSWrdBrk.1"
[HKCR\.hta\PersistentHandler]
"(Default)" = "{eec97550-47a9-11cf-b952-00aa0051fe20}"
[HKCR\CLSID\{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}\ProgID]
"(Default)" = "Microsoft.ISScopeAdm.1"
[HKCR\CLSID\{e0ca5340-4534-11cf-b952-00aa0051fe20}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Microsoft.ISCatAdm.1\CLSID]
"(Default)" = "{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}"
[HKCR\.doc\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\IXSSO.Util\CLSID]
"(Default)" = "{0C16C27E-A6E7-11D0-BFC3-0020F8008024}"
[HKCR\CLSID\{66b37110-8bf2-11ce-be59-00aa0051fe20}\InprocServer32]
"(Default)" = "infosoft.dll"
[HKCR\FrnFrnWrdBrk.FrnFrnWrdBrk.1]
"(Default)" = "FrnFrnWrdBrk Class"
[HKCR\Microsoft.ISScopeAdm\CLSID]
"(Default)" = "{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}"
[HKCR\CLSID\{d99f7670-7f1a-11ce-be57-00aa0051fe20}]
"(Default)" = "English_UK Stemmer"
[HKCR\Microsoft.ISAdm\CLSID]
"(Default)" = "{3BC4F3A1-652A-11D1-B4D4-00C04FC2DB8D}"
[HKCR\CLSID\{AA205A4D-681F-11D0-A243-08002B36FCA4}]
"(Default)" = "File System Client Filter Object"
[HKCR\CLSID\{0C16C27E-A6E7-11D0-BFC3-0020F8008024}\ProgID]
"(Default)" = "IXSSO.Util"
[HKCR\CLSID\{F14E6B48-FBCA-4d32-BD79-7829D4F7E43B}\InprocServer32]
"ThreadingModel" = "Free"
[HKCR\CLSID\{C04EFA90-E221-11D2-985E-00C04F575153}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\IXSSO.Util.2]
"(Default)" = "Indexing Service Utility SSO V2."
[HKCR\Microsoft.ISScopeAdm.1]
"(Default)" = "Microsoft Index Server Scope Administration Object"
[HKCR\.hhc\PersistentHandler]
"(Default)" = "{eec97550-47a9-11cf-b952-00aa0051fe20}"
[HKCR\CLSID\{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}\InprocServer32]
"(Default)" = "%System%\ciodm.dll"
[HKCR\CLSID\{A4463024-2B6F-11D0-BFBC-0020F8008024}\InProcServer32]
"(Default)" = "%System%\ixsso.dll"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Spanish_Modern]
"Locale" = "3082"
[HKCR\.xlt\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\CLSID\{363F1015-FD5F-4ba8-AC58-29634F378A42}\VersionIndependentProgID]
"(Default)" = "EngUKWrdBrk.EngUKWrdBrk"
[HKLM\SOFTWARE\Microsoft\MMC\SnapIns\{95AD72F0-44CE-11D0-AE29-00AA004B9986}]
"Provider" = "Microsoft Corporation"
[HKCR\CLSID\{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}\VersionIndependentProgID]
"(Default)" = "Microsoft.ISCatAdm"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_US]
"Locale" = "1033"
[HKCR\CLSID\{eeed4c20-7f1b-11ce-be57-00aa0051fe20}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Interface\{F4EB8260-8DDA-11D1-B3AA-00A0C9063796}\NumMethods]
"(Default)" = "7"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Dutch_Dutch]
"WBreakerClass" = "{66b37110-8bf2-11ce-be59-00aa0051fe20}"
[HKCR\CLSID\{0C16C27E-A6E7-11D0-BFC3-0020F8008024}\InProcServer32]
"(Default)" = "%System%\ixsso.dll"
[HKCR\CLSID\{363F1015-FD5F-4ba8-AC58-29634F378A42}]
"(Default)" = "EngUKWrdBrk Class"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Neutral]
"Locale" = "0"
[HKCR\CLSID\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
"(Default)" = "{5645C8C2-E277-11CF-8FDA-00AA00A14F93}"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\German_German]
"Locale" = "1031"
[HKCR\CLSID\{0285b5c0-12c7-11ce-bd31-00aa004bbb1f}]
"(Default)" = "Spanish_Modern Word Breaker"
[HKCR\EngUKWrdBrk.EngUKWrdBrk]
"(Default)" = "EngUKWrdBrk Class"
[HKCR\CLSID\{1F7E6C6D-C3F8-4c80-8D77-C4825ABBE5CF}\VersionIndependentProgID]
"(Default)" = "SpnMdrWrdBrk.SpnMdrWrdBrk"
[HKCR\CLSID\{F14E6B48-FBCA-4d32-BD79-7829D4F7E43B}\ProgID]
"(Default)" = "FrnFrnWrdBrk.FrnFrnWrdBrk.1"
[HKCR\CLSID\{80A3E9B0-A246-11D3-BB8C-0090272FA362}]
"(Default)" = "EngUSWrdBrk Class"
[HKCR\CLSID\{01c6b350-12c7-11ce-bd31-00aa004bbb1f}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\EngUKWrdBrk.EngUKWrdBrk\CurVer]
"(Default)" = "EngUKWrdBrk.EngUKWrdBrk.1"
[HKCR\Microsoft.ISCatAdm]
"(Default)" = "Microsoft Index Server Catalog Administration Object"
[HKCR\CLSID\{2a6eb050-7f1c-11ce-be57-00aa0051fe20}\InprocServer32]
"(Default)" = "infosoft.dll"
[HKCR\CLSID\{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\FrnFrnWrdBrk.FrnFrnWrdBrk\CurVer]
"(Default)" = "FrnFrnWrdBrk.FrnFrnWrdBrk.1"
[HKCR\CLSID\{98de59a0-d175-11cd-a7bd-00006b827d94}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
"(Default)" = "{f07f3920-7b8c-11cf-9be8-00aa004b9986}"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Dutch_Dutch]
"StemmerClass" = "{860d28d0-8bf4-11ce-be59-00aa0051fe20}"
[HKCR\.xlb\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\CLSID\{eec97550-47a9-11cf-b952-00aa0051fe20}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
"(Default)" = "{e0ca5340-4534-11cf-b952-00aa0051fe20}"
[HKCR\.htt\PersistentHandler]
"(Default)" = "{eec97550-47a9-11cf-b952-00aa0051fe20}"
[HKCR\CLSID\{00020900-0000-0000-C000-000000000046}\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\CLSID\{c3278e90-bea7-11cd-b579-08002b30bfeb}\InprocServer32]
"(Default)" = "query.dll"
[HKCR\CLSID\{73FDDC80-AEA9-101A-98A7-00AA00374959}\PersistentHandler]
"(Default)" = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKCR\CLSID\{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}]
"(Default)" = "Microsoft Index Server Scope Administration Object"
[HKCR\.dot\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\CLSID\{3BC4F3A1-652A-11D1-B4D4-00C04FC2DB8D}\VersionIndependentProgID]
"(Default)" = "Microsoft.ISAdm"
[HKCR\CLSID\{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}\ProgID]
"(Default)" = "Microsoft.ISCatAdm.1"
[HKCR\CLSID\{59e09848-8099-101b-8df3-00000b65c3b5}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{00020820-0000-0000-C000-000000000046}\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\CLSID\{EAFDF8B3-3BE5-4E05-BF86-1E486B2FEF9D}\ProgID]
"(Default)" = "IXSSO.Query"
[HKCR\CLSID\{2A488070-6FD9-11D0-A808-00A0C906241A}\InprocServer32]
"(Default)" = "query.dll"
[HKCR\CLSID\{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}]
"(Default)" = "Microsoft Index Server Catalog Administration Object"
[HKLM\SOFTWARE\Microsoft\MMC\NodeTypes\{476e6449-aaff-11d0-b944-00c04fd8d5b0}\Dynamic Extensions]
"{95AD72F0-44CE-11D0-AE29-00AA004B9986}" = "Indexing Service Snapin"
[HKCR\CLSID\{369647e0-17b0-11ce-9950-00aa004bbb1f}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{fd86b5d0-12c6-11ce-bd31-00aa004bbb1f}\InprocServer32]
"(Default)" = "infosoft.dll"
[HKCR\CLSID\{C7B6C04A-CBB5-11d0-BB4C-00C04FC2F410}]
"(Default)" = "IndexServer Simple Command Creator"
[HKCR\IXSSO.Util\CurVer]
"(Default)" = "IXSSO.Util.2"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Dutch_Dutch]
"Locale" = "1043"
[HKLM\SOFTWARE\Microsoft\MMC\NodeTypes\{476e6449-aaff-11d0-b944-00c04fd8d5b0}\Extensions\NameSpace]
"{95AD72F0-44CE-11D0-AE29-00AA004B9986}" = "Indexing Service Snapin"
[HKCR\CLSID\{91870674-DE84-4313-B07D-A387415BB4F5}\InprocServer32]
"ThreadingModel" = "Free"
[HKCR\.pps\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\MSIDXS ErrorLookup]
"(Default)" = "Microsoft OLE DB Error Lookup for Indexing Service"
[HKCR\CLSID\{c3278e90-bea7-11cd-b579-08002b30bfeb}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{A4463024-2B6F-11D0-BFBC-0020F8008024}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{eeed4c20-7f1b-11ce-be57-00aa0051fe20}]
"(Default)" = "English_US Stemmer"
[HKCR\CLSID\{F9AE8981-7E52-11d0-8964-00C04FD611D7}\InprocServer32]
"(Default)" = "%System%\query.dll"
[HKLM\SOFTWARE\Microsoft\MMC\NodeTypes\{5401E3E9-F5F6-11D1-B4F7-00C04FC2DB8D}]
"(Default)" = "Indexing Service Root Subtree"
[HKCR\CLSID\{f07f3920-7b8c-11cf-9be8-00aa004b9986}]
"(Default)" = "Microsoft Office Filter"
[HKCR\FrnFrnWrdBrk.FrnFrnWrdBrk]
"(Default)" = "FrnFrnWrdBrk Class"
[HKCR\CLSID\{00020821-0000-0000-C000-000000000046}\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\CLSID\{78fe669a-186e-4108-96e9-77b586c1332f}]
"(Default)" = "Content Index Null Stemmer"
[HKCR\CLSID\{369647e0-17b0-11ce-9950-00aa004bbb1f}\InprocServer32]
"(Default)" = "query.dll"
[HKCR\CLSID\{1E9685E6-DB6D-11d0-BB63-00C04FC2F410}]
"(Default)" = "Content Index Framework Control Object"
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}\OLE DB Provider]
"(Default)" = "Microsoft OLE DB Provider for Indexing Service"
[HKCR\CLSID\{2A488070-6FD9-11D0-A808-00A0C906241A}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{F14E6B48-FBCA-4d32-BD79-7829D4F7E43B}\InprocServer32]
"(Default)" = "%System%\LangWrbk.dll"
[HKCR\CLSID\{F9AE8981-7E52-11d0-8964-00C04FD611D7}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{9b08e210-e51b-11cd-bc7f-00aa003db18e}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{1F7E6C6D-C3F8-4c80-8D77-C4825ABBE5CF}\InprocServer32]
"(Default)" = "%System%\LangWrbk.dll"
[HKCR\CLSID\{66b37110-8bf2-11ce-be59-00aa0051fe20}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\.ppt\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\CLSID\{F9AE8981-7E52-11d0-8964-00C04FD611D7}\ProgID]
"(Default)" = "MSIDXSErrorLookup.1"
[HKCR\ItlItlWrdBrk.ItlItlWrdBrk\CurVer]
"(Default)" = "ItlItlWrdBrk.ItlItlWrdBrk.1"
[HKCR\Microsoft Internet Mail Message\CLSID]
"(Default)" = "{5645C8C3-E277-11CF-8FDA-00AA00A14F93}"
[HKCR\CLSID\{48123bc4-99d9-11d1-a6b3-00c04fd91555}\PersistentHandler]
"(Default)" = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKCR\CLSID\{A4463024-2B6F-11D0-BFBC-0020F8008024}]
"(Default)" = "Indexing Service Query SSO V2."
[HKLM\SOFTWARE\Microsoft\MMC\SnapIns\{95AD72F0-44CE-11D0-AE29-00AA004B9986}]
"NameString" = "Indexing Service"
[HKCR\CLSID\{098f2470-bae0-11cd-b579-08002b30bfeb}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
"(Default)" = "{c3278e90-bea7-11cd-b579-08002b30bfeb}"
[HKCR\IXSSO.Query.3\CLSID]
"(Default)" = "{EAFDF8B3-3BE5-4E05-BF86-1E486B2FEF9D}"
[HKCR\CLSID\{c1243ca0-bf96-11cd-b579-08002b30bfeb}\InprocServer32]
"(Default)" = "query.dll"
[HKCR\CLSID\{00020906-0000-0000-C000-000000000046}\PersistentHandler]
"(Default)" = "{98de59a0-d175-11cd-a7bd-00006b827d94}"
[HKCR\Microsoft.ISCatAdm\CLSID]
"(Default)" = "{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_UK]
"Locale" = "2057"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\French_French]
"Locale" = "1036"
[HKCR\CLSID\{1E9685E6-DB6D-11d0-BB63-00C04FC2F410}\InprocServer32]
"(Default)" = "query.dll"
[HKCR\CLSID\{eec97550-47a9-11cf-b952-00aa0051fe20}]
"(Default)" = "HTML File persistent handler"
[HKCR\.xsl\PersistentHandler]
"(Default)" = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKCR\CLSID\{d99f7670-7f1a-11ce-be57-00aa0051fe20}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{510a4910-7f1c-11ce-be57-00aa0051fe20}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{363F1015-FD5F-4ba8-AC58-29634F378A42}\InprocServer32]
"ThreadingModel" = "Free"
[HKCR\CLSID\{860d28d0-8bf4-11ce-be59-00aa0051fe20}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{5645C8C2-E277-11CF-8FDA-00AA00A14F93}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\MMC\SnapIns\{95AD72F0-44CE-11D0-AE29-00AA004B9986}]
"NodeType" = "{5401E3E9-F5F6-11D1-B4F7-00C04FC2DB8D}"
[HKCR\Microsoft.ISAdm]
"(Default)" = "Microsoft Index Server Administration Object"
[HKCR\Microsoft Internet News Message]
"(Default)" = "Internet News Message"
[HKCR\.xml\PersistentHandler]
"(Default)" = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Spanish_Modern]
"StemmerClass" = "{b0516ff0-7f1c-11ce-be57-00aa0051fe20}"
[HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Swedish_Default]
"WBreakerClass" = "{01c6b350-12c7-11ce-bd31-00aa004bbb1f}"
[HKCR\Microsoft.ISAdm\CurVer]
"(Default)" = "Microsoft.ISAdm.1"
The Virus deletes the following registry key(s):
[HKCR\MSIDXS ErrorLookup\Clsid]
[HKCR\CLSID\{F14E6B48-FBCA-4d32-BD79-7829D4F7E43B}]
[HKCR\MSIDXS\Clsid]
[HKCR\CLSID\{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}\InprocServer32]
[HKCR\CLSID\{91870674-DE84-4313-B07D-A387415BB4F5}\InprocServer32]
[HKCR\CLSID\{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}\InprocServer32]
[HKCR\CLSID\{3BC4F3A1-652A-11D1-B4D4-00C04FC2DB8D}\Programmable]
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}\VersionIndependentProgID]
[HKCR\CLSID\{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}\ProgID]
[HKCR\CLSID\{91870674-DE84-4313-B07D-A387415BB4F5}\ProgID]
[HKCR\CLSID\{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}\VersionIndependentProgID]
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}]
[HKCR\CLSID\{F14E6B48-FBCA-4d32-BD79-7829D4F7E43B}\InprocServer32]
[HKCR\CLSID\{80A3E9B0-A246-11D3-BB8C-0090272FA362}]
[HKCR\CLSID\{3BC4F3A1-652A-11D1-B4D4-00C04FC2DB8D}\InprocServer32]
[HKCR\CLSID\{1F7E6C6D-C3F8-4c80-8D77-C4825ABBE5CF}\InprocServer32]
[HKCR\CLSID\{91870674-DE84-4313-B07D-A387415BB4F5}]
[HKCR\CLSID\{363F1015-FD5F-4ba8-AC58-29634F378A42}\VersionIndependentProgID]
[HKCR\CLSID\{F9AE8981-7E52-11d0-8964-00C04FD611D7}\ProgID]
[HKCR\CLSID\{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}]
[HKCR\CLSID\{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}\Programmable]
[HKCR\CLSID\{F9AE8981-7E52-11d0-8964-00C04FD611D7}]
[HKCR\CLSID\{91870674-DE84-4313-B07D-A387415BB4F5}\VersionIndependentProgID]
[HKCR\CLSID\{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}]
[HKCR\CLSID\{80A3E9B0-A246-11D3-BB8C-0090272FA362}\VersionIndependentProgID]
[HKCR\CLSID\{363F1015-FD5F-4ba8-AC58-29634F378A42}\ProgID]
[HKCR\CLSID\{3BC4F3A1-652A-11D1-B4D4-00C04FC2DB8D}\VersionIndependentProgID]
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}\ExtendedErrors\{F9AE8981-7E52-11d0-8964-00C04FD611D7}]
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}\ProgID]
[HKCR\CLSID\{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}\ProgID]
[HKCR\CLSID\{3BC4F3A1-652A-11D1-B4D4-00C04FC2DB8D}]
[HKCR\CLSID\{80A3E9B0-A246-11D3-BB8C-0090272FA362}\ProgID]
[HKCR\CLSID\{C7B6C04A-CBB5-11d0-BB4C-00C04FC2F410}\VersionIndependentProgID]
[HKCR\MSIDXS ErrorLookup]
[HKCR\CLSID\{F9AE8981-7E52-11d0-8964-00C04FD611D7}\VersionIndependentProgID]
[HKCR\CLSID\{80A3E9B0-A246-11D3-BB8C-0090272FA362}\InprocServer32]
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}\InprocServer32]
[HKCR\CLSID\{F14E6B48-FBCA-4d32-BD79-7829D4F7E43B}\VersionIndependentProgID]
[HKCR\CLSID\{3BC4F3A1-652A-11D1-B4D4-00C04FC2DB8D}\ProgID]
[HKCR\CLSID\{363F1015-FD5F-4ba8-AC58-29634F378A42}]
[HKCR\CLSID\{C7B6C04A-CBB5-11d0-BB4C-00C04FC2F410}\InprocServer32]
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}\ExtendedErrors]
[HKCR\CLSID\{363F1015-FD5F-4ba8-AC58-29634F378A42}\InprocServer32]
[HKCR\CLSID\{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}\VersionIndependentProgID]
[HKCR\CLSID\{1F7E6C6D-C3F8-4c80-8D77-C4825ABBE5CF}\ProgID]
[HKCR\CLSID\{F14E6B48-FBCA-4d32-BD79-7829D4F7E43B}\ProgID]
[HKCR\MSIDXS]
[HKCR\CLSID\{C7B6C04A-CBB5-11d0-BB4C-00C04FC2F410}]
[HKCR\CLSID\{1F7E6C6D-C3F8-4c80-8D77-C4825ABBE5CF}\VersionIndependentProgID]
[HKCR\CLSID\{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}\Programmable]
[HKCR\CLSID\{F9AE8981-7E52-11d0-8964-00C04FD611D7}\InprocServer32]
[HKCR\CLSID\{F9AE8980-7E52-11d0-8964-00C04FD611D7}\OLE DB Provider]
[HKCR\CLSID\{C7B6C04A-CBB5-11d0-BB4C-00C04FC2F410}\ProgID]
[HKCR\CLSID\{1F7E6C6D-C3F8-4c80-8D77-C4825ABBE5CF}]
The process BBSetup.exe:1124 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 54 1E 78 42 2D 7D E7 A7 55 8E 7C C7 DB D4 FC"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Virus modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Virus modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Virus modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Virus deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKLM\SOFTWARE\Microsoft\BingBar]
"ECPoint"
The process infocard.exe:160 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 7D 0D 2E E9 13 3F FA DF 9E 35 39 B7 94 13 5D"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
The process MsiExec.exe:1584 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\BingBar]
"ECPoint" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 88 47 8A 23 57 18 99 0B 1D FB 9D EC D4 AB D7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Virus modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Virus modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Virus modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Virus deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:272 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A DD 5D B0 09 E7 44 66 C5 E1 18 AB 9A 54 D4 7A"
To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
The Virus deletes the following value(s) in the system registry:
The Virus disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"
The process cidaemon.exe:1376 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 9F EB 7A 4E 86 74 3E B7 F9 8D 38 B5 0C 78 A4"
The process dmadmin.exe:1684 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD E3 79 14 CA 88 9D F0 5F 9E D1 91 B6 B9 8A D4"
Dropped PE files
| MD5 | File path |
|---|---|
| e898d59a617e2e65c390830479ef0bac | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\BBSetup.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Microsoft Corporation
Product Name: Bing Bar
Product Version: 7.3.132.0
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 7.3.132.0
File Description: Bing Bar Setup
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 43516 | 43520 | 4.52066 | 5aaf18b0265b228406b74943da74970c |
| .data | 49152 | 8796 | 1536 | 4.57321 | f3764284f4d25ed35f75b9c16e1ab608 |
| .rsrc | 61440 | 11448200 | 11448320 | 5.54479 | f5dc50d13f40ef315a22acefac8de6be |
| .reloc | 11509760 | 2465792 | 602112 | 5.49384 | b52df8df2c5674426da93c028f61e5ce |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://toolbar.search.msn.com.akadns.net/8SE/711?MI=560BE6998B924FEEB7F6347C0BAFC17D&OS=5.1.2600&TE=1&TV=pcB8DF|iv7.3.132.0|tloem|ts20140527012527102|mu0|buProd|db|io0 | |
| hxxp://a1363.g.akamai.net/pki/crl/products/microsoftrootcert.crl | |
| hxxp://a1363.g.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
| hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
| hxxp://g.ceipmsn.com/8SE/711?MI=560BE6998B924FEEB7F6347C0BAFC17D&OS=5.1.2600&TE=1&TV=pcB8DF|iv7.3.132.0|tloem|ts20140527012527102|mu0|buProd|db|io0 | |
| hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY BingBar ToolBar User-Agent (BingBar)
Traffic
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sat, 24 May 2014 05:04:51 GMT
Accept-Ranges: bytes
ETag: "96bfbfb1d77cf1:0"
Server: Microsoft-IIS/8.5
VTag: 438365225700000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Tue, 27 May 2014 01:26:03 GMT
Connection: keep-alive
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Tue, 29 Apr 2014 05:04:18 GMT
Accept-Ranges: bytes
ETag: "5c09f796863cf1:0"
Server: Microsoft-IIS/8.5
VTag: 438809327800000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Tue, 27 May 2014 01:26:05 GMT
Connection: keep-alive
GET /8SE/711?MI=560BE6998B924FEEB7F6347C0BAFC17D&OS=5.1.2600&TE=1&TV=pcB8DF|iv7.3.132.0|tloem|ts20140527012527102|mu0|buProd|db|io0 HTTP/1.1
User-Agent: BingBar 7.3.132.0
Host: g.ceipmsn.com
HTTP/1.1 200 OK
Content-Length: 0
Date: Tue, 27 May 2014 01:25:28 GMT
The Virus connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
BBSetup.exe:1124
infocard.exe:160
MsiExec.exe:1584
%original file name%.exe:272
cidaemon.exe:1376
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%WinDir%\pchealth\helpctr\System\panels (4 bytes)
C:\System Volume Information\catalog.wci\00000002.ps2 (65 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
C:\System Volume Information\catalog.wci\00000002.ps1 (65 bytes)
%WinDir%\pchealth\helpctr\System\images (4 bytes)
%WinDir%\SoftwareDistribution\Download\7dc26e8888d68d9e04bc52940c0f24b5 (4 bytes)
%WinDir%\SoftwareDistribution\Download\36a2296f631a54daefcc3b56e3d990e2 (4 bytes)
%WinDir%\pchealth\helpctr\System\Remote Assistance (4 bytes)
%WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance (4 bytes)
%WinDir%\SoftwareDistribution\Download\2e6b16219034e135b4f869efb7a10fee (4 bytes)
C:\System Volume Information\catalog.wci\CiPT0000.001 (8 bytes)
C:\System Volume Information\catalog.wci\CiPT0000.000 (1680 bytes)
C:\System Volume Information\catalog.wci\CiPT0000.002 (8 bytes)
%System%\CatRoot2 (96 bytes)
C:\System Volume Information\catalog.wci\INDEX.002 (20 bytes)
C:\System Volume Information\catalog.wci\INDEX.000 (3840 bytes)
C:\System Volume Information\catalog.wci\INDEX.001 (20 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\plug_ins3d (4 bytes)
%WinDir%\SoftwareDistribution\Download\6a410a1bd174bc123056d235ac4829af (4 bytes)
%Documents and Settings%\Default User (540 bytes)
%WinDir%\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9 (4 bytes)
C:\$Directory (3376 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MSIec7c0.LOG (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J (4 bytes)
%Documents and Settings%\%current user%\My Documents (4 bytes)
%System%\config (108 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\PresentationFramewo# (4 bytes)
%WinDir%\Prefetch (960 bytes)
%Documents and Settings%\All Users\Application Data (4 bytes)
%WinDir%\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f (4 bytes)
%WinDir%\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59 (4 bytes)
%WinDir%\assembly\GAC_32 (4 bytes)
%WinDir%\SoftwareDistribution\Download\da2a33b6770f970d7fe7262040f98a4f (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\mlhmlmci.tmp (3733 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.0 (4 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%Program Files%\Adobe\Reader 9.0\Resource\Font (4 bytes)
%WinDir%\SoftwareDistribution\Download\0c1e5e0ffeb238b1ee5c9ea3a4878374 (4 bytes)
%WinDir%\SoftwareDistribution\Download\b5f880834ad67f3d383ffff5f2fa46bd (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client (8 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions (4 bytes)
%Program Files%\Common Files\Microsoft Shared\OFFICE14 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\WPF (4 bytes)
%WinDir%\assembly\GAC_MSIL (36 bytes)
%Documents and Settings%\NetworkService\Local Settings (4 bytes)
%WinDir%\WinSxS\Policies (8 bytes)
%System%\oobe\html (4 bytes)
%System%\sessmgr.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP (8 bytes)
%WinDir%\SoftwareDistribution\Download\f0fea42f69058000617da24986c3b109 (4 bytes)
C:\$ConvertToNonresident (4 bytes)
%WinDir%\ime (4 bytes)
%WinDir%\SoftwareDistribution\Download\196fa81559690e2494e56094df51cdd8 (4 bytes)
%Documents and Settings%\%current user%\Cookies (96 bytes)
%Documents and Settings%\%current user%\Favorites (4 bytes)
%WinDir%\SoftwareDistribution\Download\621a08ac003b616bcaa86aa4d4292d50 (4 bytes)
C:\System Volume Information\catalog.wci\CiST0000.000 (240 bytes)
C:\System Volume Information\catalog.wci\CiP10000.000 (5280 bytes)
C:\System Volume Information\catalog.wci\CiP10000.001 (16 bytes)
C:\System Volume Information\catalog.wci\CiP10000.002 (20 bytes)
%WinDir%\Microsoft.NET\assembly\GAC_32 (4 bytes)
%System%\dllhost.exe (4185 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation (4 bytes)
%Documents and Settings%\LocalService (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0c52c03306062533f7dcb087bfcfa6b (4 bytes)
%System%\config\AppEvent.Evt (1264 bytes)
%WinDir%\pchealth\helpctr\OfflineCache (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users (4 bytes)
%WinDir%\SoftwareDistribution\Download\e0c0da396303f1dd2c82cd2ccc07020d (4 bytes)
%WinDir%\SoftwareDistribution\Download\e79028ac4f02e201b61b2c632cb0fc5e (4 bytes)
C:\PROGRAM FILES (8 bytes)
%WinDir%\Help\Tours\WindowsMediaPlayer\Img (4 bytes)
%WinDir%\SoftwareDistribution\Download\8b9a83d2cde55eb19dc502cc2dd04e0d (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32 (28 bytes)
%WinDir%\SoftwareDistribution\Download\bc81666f3868f34642e3f5adbc2719f9 (4 bytes)
C:\System Volume Information\catalog.wci\CiVP0000.000 (240 bytes)
%Documents and Settings%\Default User\Local Settings (4 bytes)
%WinDir%\$hf_mig$ (8 bytes)
%System%\spool\XPSEP\amd64 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles (4 bytes)
%WinDir%\ime\imjp8_1 (4 bytes)
%WinDir%\SoftwareDistribution\Download\e8252bbfa91fcf5afb38775b18691074 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\dadacani.tmp (7972 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0 (8 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft (4 bytes)
%System%\aakckbok.tmp (3703 bytes)
%WinDir%\SoftwareDistribution\Download\8bb5f1c638778df6b77d80bc61ffc63c (4 bytes)
%WinDir%\SoftwareDistribution\Download\b91377d1d56820d9d699c0c2dc7c8e80 (4 bytes)
%WinDir%\SoftwareDistribution\Download\30438597a812a5d1d7979088d451747f (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft (4 bytes)
%Program Files%\Microsoft Office\Office14 (4 bytes)
%System%\config\SysEvent.Evt (456 bytes)
%WinDir%\Temp (4 bytes)
%WinDir%\Installer (192 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\PresentationFramewo# (4 bytes)
%WinDir%\SoftwareDistribution\Download\ee4e3d4bf0d346e1b8fdee8197195e59 (4 bytes)
%WinDir%\SoftwareDistribution\Download\211409fc1d99b95b32fb0344cad140df (4 bytes)
%WinDir%\SoftwareDistribution\Download\dffcab319e36b852e5b2d51802010a7a (4 bytes)
C:\System Volume Information\catalog.wci\CiP20000.002 (20 bytes)
C:\System Volume Information\catalog.wci\CiP20000.001 (16 bytes)
C:\System Volume Information\catalog.wci\CiP20000.000 (5280 bytes)
%WinDir%\SoftwareDistribution\Download\299840a657dd26ca3bbf3cee3ec999ba (4 bytes)
%WinDir%\SoftwareDistribution\Download\e5c5fc9bd7a4957f0a45c6db2957c5c9 (4 bytes)
%WinDir%\SoftwareDistribution\Download\c656e6c592787a464f852186d6e0b466 (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0 (8 bytes)
%System%\nikpbefm.tmp (3785 bytes)
%WinDir%\SoftwareDistribution\Download\906245b7f0992255b054322b77475594 (4 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\ime\imkr6_1 (4 bytes)
C:\System Volume Information\catalog.wci\propstor.bk2 (32328 bytes)
C:\System Volume Information\catalog.wci\propstor.bk1 (16960 bytes)
%WinDir%\pchealth\helpctr\System\sysinfo\graphics (4 bytes)
%WinDir%\SoftwareDistribution\Download\248802b74506342031e926839639c729 (4 bytes)
%WinDir%\SoftwareDistribution\Download\cb88a2f03b29735db957d61a63df6504 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers (4 bytes)
%WinDir%\SoftwareDistribution\Download\21156e54b0f0f47f81dab4a39e109501 (4 bytes)
%Documents and Settings%\All Users\Documents\My Music (4 bytes)
%Program Files%\Windows NT (4 bytes)
%WinDir%\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d (4 bytes)
%System%\mpcjkned.tmp (3678 bytes)
%WinDir%\Web (4 bytes)
%System%\neijblpa.tmp (3679 bytes)
C:\totalcmd (4 bytes)
%Program Files%\Common Files\System (4 bytes)
%Program Files%\Windows Media Player (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (440 bytes)
%WinDir%\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df (4 bytes)
%WinDir%\AppPatch (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG (4 bytes)
%WinDir%\SoftwareDistribution\Download\6b7f938fb3db15dab273f3f1702c318c (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 (384 bytes)
%WinDir%\msagent (4 bytes)
%Program Files%\Movie Maker\Shared (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc8ea6c22fd142de8dd67336d23310cf (4 bytes)
%System%\wbem (1064 bytes)
%WinDir%\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944 (4 bytes)
%WinDir%\SoftwareDistribution\Download\21cbd3f70584651805685eba1753505f (4 bytes)
%WinDir%\SoftwareDistribution\Download\b6f4642d2b8dc03c5ce1b1a4f77b1bda (4 bytes)
%WinDir%\SoftwareDistribution\Download\9460002f6d8231358fc1eb590f9b1dce (4 bytes)
%System%\cbdgekje.tmp (3812 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (4545 bytes)
%WinDir%\REGISTRATION (4 bytes)
%System%\spool\XPSEP\i386 (4 bytes)
%WinDir%\SoftwareDistribution\Download\1c47f41cc76cde4c629564d7564f2795 (4 bytes)
%WinDir%\SoftwareDistribution\Download\57b4b90cc3eead9f6c29b58581d03ae4 (4 bytes)
%WinDir%\SoftwareDistribution\Download\2c95b28351986132d7f36dd28eece9b0 (4 bytes)
%System%\config\systemprofile\Start Menu\Programs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (16 bytes)
%System%\netdde.exe (4545 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\System.DirectorySer# (4 bytes)
%System%\msdtc.exe (4185 bytes)
C:\System Volume Information\catalog.wci\CiSP0000.000 (4560 bytes)
C:\System Volume Information\catalog.wci\CiSP0000.001 (16 bytes)
C:\System Volume Information\catalog.wci\CiSP0000.002 (16 bytes)
%WinDir%\Microsoft.NET\assembly\GAC_MSIL (28 bytes)
%WinDir%\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig (4 bytes)
%System%\config\systemprofile\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc529fa49cb2cb097fdf1e22d25872da (4 bytes)
%WinDir%\Prefetch\INFOCARD.EXE-14622E55.pf (28 bytes)
%WinDir%\SoftwareDistribution\Download\e104dcd29adf1c6c473a5efad2d509be (4 bytes)
%WinDir%\Installer\e493a.msi (756 bytes)
%Program Files%\Common Files\Adobe\Acrobat\ActiveX (4 bytes)
%WinDir%\pchealth\helpctr\Config (4 bytes)
C:\System Volume Information\catalog.wci\cicat.hsh (12 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (4 bytes)
%System%\drivers (32 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\System.ServiceModel# (4 bytes)
%Program Files%\Common Files\Microsoft Shared\DW (4 bytes)
%WinDir%\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2 (4 bytes)
%WinDir%\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975 (4 bytes)
%WinDir%\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6 (4 bytes)
%WinDir%\SoftwareDistribution\Download\cedca0128a48437390192d906f83a717 (4 bytes)
%WinDir%\security (4 bytes)
%WinDir%\SoftwareDistribution\Download\a4c07d9275eb613d842cb1e140d8a426 (4 bytes)
C:\System Volume Information\catalog.wci\CiCL0001.000 (480 bytes)
%WinDir%\SoftwareDistribution\Download\17e46901add634f15d293735648771e6 (4 bytes)
%WinDir%\SoftwareDistribution\Download\50e2c72fd814d3841e776dd2c4918260 (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0e4033a7ec549e982572f0d830cf5d0 (4 bytes)
%WinDir%\SoftwareDistribution\Download\0000894bab70b145c3629920ba907f7a (4 bytes)
%WinDir%\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154 (4 bytes)
%WinDir%\Installer\$PatchCache$\Managed (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft (4 bytes)
%WinDir%\Web\printers (4 bytes)
%System%\config\systemprofile\Local Settings (4 bytes)
%WinDir%\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e (4 bytes)
%Program Files%\Internet Explorer (4 bytes)
%System%\mui (4 bytes)
C:\System Volume Information\catalog.wci\cicat.fid (44 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b0.dat (4 bytes)
%WinDir%\SoftwareDistribution\Download\f2adb0f8440e5dbd459aa6bfcaed1ba5 (4 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.5 (4 bytes)
%Documents and Settings%\LocalService\Local Settings (4 bytes)
%Program Files%\COMMON FILES (4 bytes)
%WinDir%\SoftwareDistribution\Download\23e79e5fb28793d8cb1c2055b0d8dcb9 (4 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\System.DirectorySer# (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard (4 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft (4 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
%System%\oobe\html\mouse (4 bytes)
%System%\wbem\Logs (8 bytes)
%WinDir%\SoftwareDistribution\Download\abaf10b7d55d3716fbb63e0b568cb4b6 (4 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft (4 bytes)
%WinDir%\SoftwareDistribution\Download\163d01893aa68b49abc63d8d6c9a7bb2 (4 bytes)
C:\System Volume Information\catalog.wci\CiSL0001.000 (240 bytes)
C:\System Volume Information\catalog.wci\CiFLfffd.000 (480 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualBas# (4 bytes)
%System%\mnmsrvc.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4A896A32D4E3413AA9A0F879EAEF04DF\BBSetupConfig.xml (3 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PF.cab (187080 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\dlejknpg.tmp (3798 bytes)
%System%\nmlmjcen.tmp (3679 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (9098 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BingBarPartnerConfig.cab (7 bytes)
%System%\clipsrv.exe (4185 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (4185 bytes)
%System%\jpfilhdf.tmp (3896 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\njakmpdb.tmp (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BBSetupConfig.xml (2 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\lhddmehn.tmp (3697 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BBSetup.exe (3624 bytes)
%System%\dmadmin.exe (5873 bytes)
%System%\finngebb.tmp (3679 bytes)
%System%\mqkdhfhm.tmp (3705 bytes)
%System%\cisvc.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\BingBar.msi (14377 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PD.cab (1290 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData (8 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content (8 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.