Virus.Win32.Sality_1bc0a1c7ac
Trojan-Dropper.Win32.Agent.hjne (Kaspersky), Virus.Win32.Sality.at (v) (VIPRE), Trojan-Dropper.Win32.Agent!IK (Emsisoft), Backdoor.Win32.Farfli.FD, Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, Worm.Win32.Dorkbot.FD, GenericUSBInfector.YR, GenericProxy.YR, GenericSYNFlooder.YR, GenericUDPFlooder.YR, GenericDNSBlocker.YR, GenericMSNWorm.YR, GenericIRCBot.YR, GenericAutorunWorm.YR, VirusSality.YR, WormDorkbot.YR, GenericPhysicalDrive0.YR, GenericInjector.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Banker, Trojan, Backdoor, Flooder, Worm, Virus, WormAutorun, IRCBot, MSNWorm, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 1bc0a1c7ace1c7f051232d7a5f799e59
SHA1: 0d8cf6df62021391308579f6f94a23a891f4b461
SHA256: 7795d5da8506760083613153cba46fcbf7fd22bd6ec3d40faf567a94f281215f
SSDeep: 3072:ZAjVNMdCIlMj2g/jkKZCAqgixX5IboQvrcWCZmAN6JZ/joxngBJeTVhP8oY:Z8NMkmWLk2FqgAJITs6z7EPnVK
Size: 371712 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-04-13 17:05:59
Summary:
Virus. A program that recursively replicates a possibly evolved copy of itself.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer. |
| IRCBot | A bot can communicate with command and control servers via IRC channel. |
| MSNWorm | A worm can spread its copies through MSN Messenger. |
| DNSBlocker | A program can block designated DNS servers to make it difficult for users to locate specific domains or web sites on the Internet. |
| UDPFlooder | This program can perform a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host. |
| SYNFlooder | This program can perform a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. |
| Trojan-Proxy | This program can launch a proxy server (SOCKS4) on a designated TCP port. |
| USBInfector | A program can register for device notifications with the help of RegisterDeviceNotification. It is then notified when a USB device is plugged in, and the worm copies itself to the USB device plugged into the affected computer. |
Process activity
The Virus creates the following process(es):
1bc0a1c7ace1c7f051232d7a5f799e59.exe:47268
1bc0a1c7ace1c7f051232d7a5f799e59.exe:48316
Reader_sl.exe:1064
wuauclt.exe:344
jusched.exe:1056
The Virus injects its code into the following process(es):
1bc0a1c7ace1c7f051232d7a5f799e59.exe:1936
mspaint.exe:48340
File activity
The process 1bc0a1c7ace1c7f051232d7a5f799e59.exe:47268 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr (2105 bytes)
%Documents and Settings%\%current user%\Application Data\temp.bin (2105 bytes)
The process 1bc0a1c7ace1c7f051232d7a5f799e59.exe:1936 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%WinDir%\system.ini (70 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (12 bytes)
D:\disablejavawarnsec.exe (984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lntmk.exe (601 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (272 bytes)
C:\totalcmd\TOTALCMD.EXE (858 bytes)
The Virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\lntmk.exe (0 bytes)
C:\4fe42 (0 bytes)
D:\50259 (0 bytes)
The process wuauclt.exe:344 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Virus deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process mspaint.exe:48340 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S4NG8BFT\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EM7LJHNP\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VHLKOK3G\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Cukmko.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STOTAXG7\desktop.ini (67 bytes)
The Virus deletes the following file(s):
C:\1bc0a1c7ace1c7f051232d7a5f799e59.exe (0 bytes)
The process jusched.exe:1056 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
Registry activity
The process 1bc0a1c7ace1c7f051232d7a5f799e59.exe:47268 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 1E E2 50 DC F1 C1 30 1A A4 0D 01 E5 13 C6 1F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Screen Saver Pro 3.1" = "%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr"
The process 1bc0a1c7ace1c7f051232d7a5f799e59.exe:1936 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:
[HKCU\Software\Aas]
"a4_116" = "831618036"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableTaskMgr" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableRegistryTools" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 22 42 24 6C B7 58 95 05 89 1A 32 E2 17 6A E7"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
The firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Adds a rule to the Windows Firewall that allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"1bc0a1c7ace1c7f051232d7a5f799e59.exe" = "c:\1bc0a1c7ace1c7f051232d7a5f799e59.exe:*:Enabled:ipsec"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
The process 1bc0a1c7ace1c7f051232d7a5f799e59.exe:48316 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 16 6B 2C D2 08 E3 7A F2 35 1E 28 DD 78 E3 39"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process Reader_sl.exe:1064 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process mspaint.exe:48340 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA DF 5D 52 49 C9 10 0C 10 3F 98 10 3C 7B 7F 5C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Virus modifies the IE security zone settings so that all local web nodes whose names contain no dots and that do not belong to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Virus modifies the IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
To run itself automatically each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Cukmko" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Cukmko.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Virus modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Virus deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
Network activity (URLs)
No activity has been detected.
Rootkit activity
The Virus installs the following user-mode hooks in WININET.dll:
HttpSendRequestW
InternetWriteFile
HttpSendRequestA
The Virus installs the following user-mode hooks in dnsapi.dll:
DnsQuery_A
DnsQuery_W
The Virus installs the following user-mode hooks in WS2_32.dll:
send
GetAddrInfoW
The Virus installs the following user-mode hooks in kernel32.dll:
MoveFileA
CopyFileW
CopyFileA
MoveFileW
CreateFileW
CreateFileA
The Virus installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
A program can register for device notifications with the help of RegisterDeviceNotification, so it is notified when a USB device is plugged in; the worm then copies itself to the USB device plugged into the affected computer.
A worm can spread its copies through MSN Messenger.
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan the system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
1bc0a1c7ace1c7f051232d7a5f799e59.exe:47268
1bc0a1c7ace1c7f051232d7a5f799e59.exe:48316
wuauclt.exe:344
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr (2105 bytes)
%Documents and Settings%\%current user%\Application Data\temp.bin (2105 bytes)
%WinDir%\system.ini (70 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (12 bytes)
D:\disablejavawarnsec.exe (984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lntmk.exe (601 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (272 bytes)
C:\totalcmd\TOTALCMD.EXE (858 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S4NG8BFT\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EM7LJHNP\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VHLKOK3G\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Cukmko.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STOTAXG7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Screen Saver Pro 3.1" = "%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Cukmko" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Cukmko.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.