Worm.Win32.Dorkbot_5752096532

by malwarelabrobot on February 21st, 2016 in Malware Descriptions.

Trojan.GenericKD.2973900 (B) (Emsisoft), Backdoor.Win32.Farfli.FD, Worm.Win32.Dorkbot.FD, WormDorkbot.YR, GenericUDPFlooder.YR, GenericIRCBot.YR, GenericMSNWorm.YR, GenericUSBInfector.YR, GenericDNSBlocker.YR, GenericDownloader.YR, GenericAutorunWorm.YR, GenericSYNFlooder.YR, GenericInjector.YR, BankerGeneric.YR, GenericProxy.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Backdoor, Flooder, Worm, WormAutorun, IRCBot, MSNWorm, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 5752096532ec59f757af85969327f3d6
SHA1: 5041da44b80a15cd4a9b7ce89a3b38cd4bd34bca
SHA256: fb5a238214aebf250454ec080f869b0a407cb843776826c2a6a97405ee40cb8f
SSDeep: 6144:WOEp6Dbgh9RyOSHVA8wflj9IIbBLo7vOX7dEcn:WN64fvtjG2Lo7mREcn
Size: 265216 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-01-08 23:17:20
Analyzed on: WindowsXP SP3 32-bit


Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
IRCBot A bot can communicate with command and control servers via IRC channel.
MSNWorm A worm can spread its copies through the MSN Messanger.
DNSBlocker A program can block designated DNS servers for making it difficult for users to locate specific domains or web sites on the Internet.
UDPFlooder This program can make a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host.
SYNFlooder This program can make a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
Trojan-Proxy This program can launch a proxy server (SOCKS4) on a designated TCP port.
USBInfector A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.


Process activity

The Worm creates the following process(es):

%original file name%.exe:2100
%original file name%.exe:1216

The Worm injects its code into the following process(es):

calc.exe:1932
mspaint.exe:2068
vmacthlp.exe:924
svchost.exe:1724
wmiprvse.exe:628
csrss.exe:688
winlogon.exe:712
services.exe:756
Explorer.EXE:888
svchost.exe:936
svchost.exe:1020
svchost.exe:1104
svchost.exe:1164
svchost.exe:1244
spoolsv.exe:1436
jqs.exe:1592

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process calc.exe:1932 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\c731200 (9 bytes)

The process mspaint.exe:2068 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Themes\Hukmkt.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZL6VQQP0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H0XKHRAX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EB59QNZL\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFGLMNBQ\desktop.ini (67 bytes)

The Worm deletes the following file(s):

C:\5752096532EC59F757AF85969327F3D6.EXE (0 bytes)

Registry activity

The process calc.exe:1932 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 97 84 85 86 C9 95 42 B8 54 3E 2D C6 0F 2F 35"

The process mspaint.exe:2068 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B C6 4C 7A 1E 71 C6 78 E3 19 C1 21 B6 7D 3C 8D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Hukmkt" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\themes\Hukmkt.exe"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:2100 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 5A 06 40 04 0E 33 F6 39 3B 21 DE 2F 64 13 B5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process %original file name%.exe:1216 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF DD 3C 7F 9B AD 3F 20 86 5E F0 B7 5F 07 0B 8C"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Worm installs the following user-mode hooks in WININET.dll:

HttpSendRequestW
InternetWriteFile
HttpSendRequestA

The Worm installs the following user-mode hooks in DNSAPI.dll:

DnsQuery_A
DnsQuery_W

The Worm installs the following user-mode hooks in WS2_32.dll:

send
GetAddrInfoW

The Worm installs the following user-mode hooks in kernel32.dll:

MoveFileA
CopyFileW
CopyFileA
MoveFileW
CreateFileW
CreateFileA

The Worm installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.
A worm can spread its copies through the MSN Messanger.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 94381 94720 4.371 d366ad441e7c6275266f765dfb365bc5
.rdata 102400 14956 15360 3.9146 aeb992cb281c72579f23ec997907a313
.data 118784 146884 19968 1.8056 d0999781eb58b0ba9d64c6dfcd9afa0d
.text14 266240 3840 4096 1.50721 f335c852fb394298bfd13cb0326e2127
drcfvtgb 270336 4480 4608 1.55246 693fef1beaf0f7b7d2aaf2c8dc9fde73
fly 278528 2816 3072 1.49926 5b6f6b42009bfdeab58ffb8c306f06a3
wrwe 282624 3200 3584 1.46427 89fb34637b1afba1c04021c1cd2d33dc
.text8 286720 3588 4096 1.7103 6fdaa808466d75f0735e8dbd9cbba554
.rsrc 290816 114592 114688 4.18304 b41306b47efd3aa2023cd808994d692a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Worm connects to the servers at the folowing location(s):

svchost.exe_1724:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512

svchost.exe_1724_rwx_00090000_00030000:

.text
`.data
.rsrc
@.reloc
*windows defender*
*windowsupdate*
*drweb*
dwwin.exe
kernel32.dll
iphlpapi.dll
GetExtendedTcpTable
GetOwnerModuleFromTcpEntry
%systemroot%
%programfiles%\Common Files\*\*.exe
%appdata%\Microsoft\Windows\*.exe
ole32.dll
/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe
%SystemRoot%\system32\SHELL32.dll
%s\c731200
%s\%s
%s\%s.lnk
Windows_Shared_Mutex_231_c0009X00
ntdll.dll
\ScreenSaverPro.scr
\temp.bin
user32.dll
advapi32.dll
shell32.dll
urlmon.dll
wininet.dll
gdi32.dll
rpcrt4.dll
netapi32.dll
.gonewiththewings
*.exe
*.gonewiththewings
\WindowsUpdate\Updater.exe
\Microsoft\Windows
%s\Program Files\Common Files
%s\programdata
WinExec
URLDownloadToFileA
hXXp://VVV.google.com
\calc.exe
\System32\schtasks.exe
"%s" /query /tn "Windows Updater"
"%s" /CREATE /SC ONLOGON /TN "Windows Updater" /TR "%s" /RL HIGHEST
"%s" /delete /tn "Windows Update Check - 0x05860166" /f
"%s" /delete /tn "Windows Update Check - 0x0E7302EC" /f
"%s" /delete /tn "Windows Update Check - 0x5C000766" /f
"%s" /delete /tn "Windows Update Check - 0x6E0A0825" /f
"%s" /delete /tn "Windows Debugger" /f
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Update Installer
\WindowsUpdate
\Updater.exe
\Explorer.exe
\Update.exe
notepad.exe
msiexec.exe
bfsvc.exe
helppane.exe
hh.exe
regedit.exe
twunk_16.exe
twunk_32.exe
winhelp.exe
winhlp32.exe
write.exe
Reader_sl.exe
mspaint.exe
\mspaint.exe
\svchost.exe
log.txt
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
%s\*.*
%s\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
%s\Documents and Settings\All users\Start Menu\Programs\Startup
\Microsoft\Windows\Themes
\Windows Live
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
%s\Recycler
WindowsId
Microsoft\Windows\%s
%s\%s\%s.exe
:Zone.Identifier
.quarantined
"%s" -shell
"%s" -bind
userinit.exe
explorer.exe
Microsoft\Windows\%
Windows critical error, require reboot
Windows Update
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
?]2596=4?@9]4@>
.tlh0
GetProcessHeap
GetSystemWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegFlushKey
RegCreateKeyExA
RegOpenKeyA
RegOpenKeyExA
RegQueryInfoKeyA
RegEnumKeyA
ADVAPI32.dll
SHFileOperationA
ShellExecuteExW
SHELL32.dll
SetTcpEntry
SHLWAPI.dll
RPCRT4.dll
NETAPI32.dll
DNSAPI.dll
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\WindowsId Manager Reader
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
spoolsv.exe
rundll32.exe
alg.exe
iexplore.exe
svchost.exe
WindowsMark
o1xg.org
oxxtxxt.biz
oeob.me
%Documents and Settings%\All users\Start Menu\Programs\Startup
%Documents and Settings%\%current user%\Application Data\WindowsUpdate
%Documents and Settings%\%current user%\Application Data\Windows Live
%Documents and Settings%\%current user%\Start Menu\Programs\Startup
%System%\mspaint.exe
|%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Themes
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0A
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
%s_%d
-%sMutex
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
%s]%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
URLDownloadToFileW
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
Secur32.dll
ShellExecuteA
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
WS2_32.dll
MSVCRT.dll
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
RegNotifyChangeKeyValue
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
7 767<7~7
8*808;8~8
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
shlwapi.dll
crypt32.dll
wtsapi32.dll
samcli.dll
netutils.dll
userenv.dll
WindowsSecondaryDesktop
\charmap.exe
\Windows Media Player\wmprph.exe
c:\%original file name%.exe
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
firefox.exe
.ipconfig.exe
verclsid.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
secur32.dll
ws2_32.dll
:%S%S\
Aadvapi32.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

svchost.exe_1724_rwx_000E0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
%s]%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
o1xg.org
oxxtxxt.biz
oeob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
%Documents and Settings%\%current user%\Application Data\WindowsUpdate\Updater.exe
%Documents and Settings%\%current user%\Application Data\c731200
\\.\pipe\9caf4c3f
%System%\svchost.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\themes\Hukmkt.exe
7 767<7~7
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
mspaint.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
c:\%original file name%.exe

svchost.exe_1724_rwx_00A60000_00030000:

.text
`.data
.rsrc
@.reloc
*windows defender*
*windowsupdate*
*drweb*
dwwin.exe
kernel32.dll
iphlpapi.dll
GetExtendedTcpTable
GetOwnerModuleFromTcpEntry
%systemroot%
%programfiles%\Common Files\*\*.exe
%appdata%\Microsoft\Windows\*.exe
ole32.dll
/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe
%SystemRoot%\system32\SHELL32.dll
%s\c731200
%s\%s
%s\%s.lnk
Windows_Shared_Mutex_231_c0009X00
ntdll.dll
\ScreenSaverPro.scr
\temp.bin
user32.dll
advapi32.dll
shell32.dll
urlmon.dll
wininet.dll
gdi32.dll
rpcrt4.dll
netapi32.dll
.gonewiththewings
*.exe
*.gonewiththewings
\WindowsUpdate\Updater.exe
\Microsoft\Windows
%s\Program Files\Common Files
%s\programdata
WinExec
URLDownloadToFileA
hXXp://VVV.google.com
\calc.exe
\System32\schtasks.exe
"%s" /query /tn "Windows Updater"
"%s" /CREATE /SC ONLOGON /TN "Windows Updater" /TR "%s" /RL HIGHEST
"%s" /delete /tn "Windows Update Check - 0x05860166" /f
"%s" /delete /tn "Windows Update Check - 0x0E7302EC" /f
"%s" /delete /tn "Windows Update Check - 0x5C000766" /f
"%s" /delete /tn "Windows Update Check - 0x6E0A0825" /f
"%s" /delete /tn "Windows Debugger" /f
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Update Installer
\WindowsUpdate
\Updater.exe
\Explorer.exe
\Update.exe
notepad.exe
msiexec.exe
bfsvc.exe
helppane.exe
hh.exe
regedit.exe
twunk_16.exe
twunk_32.exe
winhelp.exe
winhlp32.exe
write.exe
Reader_sl.exe
mspaint.exe
\mspaint.exe
\svchost.exe
log.txt
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
%s\*.*
%s\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
%s\Documents and Settings\All users\Start Menu\Programs\Startup
\Microsoft\Windows\Themes
\Windows Live
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
%s\Recycler
WindowsId
Microsoft\Windows\%s
%s\%s\%s.exe
:Zone.Identifier
.quarantined
"%s" -shell
"%s" -bind
userinit.exe
explorer.exe
Microsoft\Windows\%
Windows critical error, require reboot
Windows Update
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
?]2596=4?@9]4@>
.tlh0
GetProcessHeap
GetSystemWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegFlushKey
RegCreateKeyExA
RegOpenKeyA
RegOpenKeyExA
RegQueryInfoKeyA
RegEnumKeyA
ADVAPI32.dll
SHFileOperationA
ShellExecuteExW
SHELL32.dll
SetTcpEntry
SHLWAPI.dll
RPCRT4.dll
NETAPI32.dll
DNSAPI.dll
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\WindowsId Manager Reader
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
spoolsv.exe
rundll32.exe
alg.exe
iexplore.exe
svchost.exe
WindowsMark
o1xg.org
oxxtxxt.biz
oeob.me
%Documents and Settings%\All users\Start Menu\Programs\Startup
%Documents and Settings%\%current user%\Application Data\WindowsUpdate
%Documents and Settings%\%current user%\Application Data\Windows Live
%Documents and Settings%\%current user%\Start Menu\Programs\Startup
%System%\mspaint.exe
|%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Themes
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0A
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
%s_%d
-%sMutex
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
%s]%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
URLDownloadToFileW
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
Secur32.dll
ShellExecuteA
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
WS2_32.dll
MSVCRT.dll
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
RegNotifyChangeKeyValue
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
7 767<7~7
8*808;8~8
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
shlwapi.dll
crypt32.dll
wtsapi32.dll
samcli.dll
netutils.dll
userenv.dll
WindowsSecondaryDesktop
\charmap.exe
\Windows Media Player\wmprph.exe
c:\%original file name%.exe
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
firefox.exe
.ipconfig.exe
verclsid.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
secur32.dll
ws2_32.dll
:%S%S\
Aadvapi32.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

calc.exe_1932:

.text
`.data
.rsrc
SHELL32.dll
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
GDI32.dll
USER32.dll
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
calc.pdb
j.OXO
_acmdln
RegCloseKey
RegOpenKeyExA
name="Microsoft.Windows.Shell.calc"
version="5.1.0.0"
<description>Windows Shell</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
CalcMsgPumpWnd
The requested operation may take a very long time to complete.
Do you want to let the calculation continue, or stop the operation now?
Windows Calculator application file
5.1.2600.0 (xpclient.010817-1148)
CALC.EXE
Windows
Operating System
5.1.2600.0
Operation was canceled.-Calc does not have enough memory to continue.eThe requested function may take a very long time to complete.
Do you want to abort the operation now?
calc.hlp
Cannot open Clipboard.TThere is not enough memory for data.
calc.chm

calc.exe_1932_rwx_000A0000_00002000:

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
511560723
a6i2k.exe
eiyu1.exe
fmyxd.exe
daet3.exe
m6mv0.exe
z3a6c.exe
fusk2.exe
3p1g0.exe
bppw5.exe
kqdd2.exe
ap4uk.exe
h0v5p.exe
ugw4j.exe
gaou4.exe
vgznn.exe
jmdwg.exe
ztuun.exe
db0yy.exe
ffodf.exe
7i300.exe
user32.dll
urlmon.dll
URLDownloadToFileA
wininet.dll
hXXp://VVV.google.com

calc.exe_1932_rwx_00970000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
%s]%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
o1xg.org
oxxtxxt.biz
oeob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\9caf4c3f
%System%\calc.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\themes\Hukmkt.exe
7 767<7~7
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
mspaint.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\calc.exe
c:\%original file name%.exe

mspaint.exe_2068:

.text
`.data
.rsrc
MFC42u.DLL
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
comdlg32.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
IMM32.dll
mspaint.chm
COMDLG32.DLL
Fhhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
gdiplus.dll
UxTheme.dll
mspaint.pdb
SSSShH
[email protected]
GdiplusShutdown
_wcmdln
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
RegOpenKeyW
RegEnumKeyW
SetViewportExtEx
GetKeyState
GetKeyboardLayout
MsgWaitForMultipleObjects
RegOpenKeyExA
.?AVCCmdTarget@@
.PAVCMemoryException@@
.PAVCFileException@@
.PAVCException@@
.PAVCResourceException@@
.PAVCNotSupportedException@@
name="Microsoft.Windows.Shell.mspaint"
version="5.1.0.0"
<description>Windows Shell</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
R.bbbbbbbbbbbbbbbbbbbbbbbbbbOR@lVSV\
.bbbbbbbbbbbbbbbbbbb
K6*z^H=.fMM
6 .BT[r!G
8-/|:[email protected]
%d~%d
%u%su
mspaint.hlp
gdi32.dll
shell32.dll
;*.jpeg
Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
imm32.dll
SOFTWARE\Microsoft\Shared Tools\Graphics Filters\Import
SOFTWARE\Microsoft\Shared Tools\Graphics Filters\Export
5.1.2600.5512 (xpsp.080413-2105)
MSPAINT.EXE
Windows
Operating System
5.1.2600.5512
24-bit Bitmap (*.bmp;*.dib)
Palette|*.pal|
untitled.pal
.rlecOLE 2.0 was unable to start.
Bitmap Files (*.bmp)
Paint.Picture
Monochrome Bitmap (*.bmp;*.dib)
16 Color Bitmap (*.bmp;*.dib)
256 Color Bitmap (*.bmp;*.dib)
,Displays instructions about how to use Help.%Displays Help for areas you click on..Displays Help for the current task or command.
.Centers this bitmap as the desktop background.
!Pastes a file into the selection.%Selects the scanner or camera device.2Downloads a new document from a scanner or camera.
%Sends a picture by using mail or fax.
Reduces the window to an icon.!Enlarges the window to full size.%Switches to the next document window.)Switches to the previous document window.>Closes the active window and asks if you want to save changes.
gThere is not enough memory or resources to complete operation.
Close some programs, and then try again.DLow on memory or resources.
JThis is not a valid bitmap file, or its format is not currently supported.
This is not a valid .PCS file.
6The grid spacing must be an integer between %d and %d.
%s bytes
%d x %d dots per inch
PencilUErases a portion of the picture, using the selected eraser shape.
,Flips or rotates the picture or a selection..Stretches or skews the picture or a selection.1Inverts the colors of the picture or a selection.&Changes the attributes of the picture. Clears the picture or selection.&The font size must be a numeric value.8Contains commands for working with the selected item(s).7Contains commands for selecting and transferring items..Contains commands for customizing this window.CContains commands for manipulating pictures and setting attributes.>Contains commands for using custom colors and drawing options.FContains commands for displaying Help for and information about Paint.
Creates a new color.*Uses a previously saved palette of colors..Saves the current palette of colors to a file.
Shows Paint Help.(Microsoft\Windows\CurrentVersion\Applets
Downloading picture,Reading data from the device (%d%% complete)
Processing data (%d%% complete)!Transferring data (%d%% complete)

mspaint.exe_2068_rwx_000A0000_00030000:

.text
`.data
.rsrc
@.reloc
*windows defender*
*windowsupdate*
*drweb*
dwwin.exe
kernel32.dll
iphlpapi.dll
GetExtendedTcpTable
GetOwnerModuleFromTcpEntry
%systemroot%
%programfiles%\Common Files\*\*.exe
%appdata%\Microsoft\Windows\*.exe
ole32.dll
/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"
%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe
%SystemRoot%\system32\SHELL32.dll
%s\c731200
%s\%s
%s\%s.lnk
Windows_Shared_Mutex_231_c0009X00
ntdll.dll
\ScreenSaverPro.scr
\temp.bin
user32.dll
advapi32.dll
shell32.dll
urlmon.dll
wininet.dll
gdi32.dll
rpcrt4.dll
netapi32.dll
.gonewiththewings
*.exe
*.gonewiththewings
\WindowsUpdate\Updater.exe
\Microsoft\Windows
%s\Program Files\Common Files
%s\programdata
WinExec
URLDownloadToFileA
hXXp://VVV.google.com
\calc.exe
\System32\schtasks.exe
"%s" /query /tn "Windows Updater"
"%s" /CREATE /SC ONLOGON /TN "Windows Updater" /TR "%s" /RL HIGHEST
"%s" /delete /tn "Windows Update Check - 0x05860166" /f
"%s" /delete /tn "Windows Update Check - 0x0E7302EC" /f
"%s" /delete /tn "Windows Update Check - 0x5C000766" /f
"%s" /delete /tn "Windows Update Check - 0x6E0A0825" /f
"%s" /delete /tn "Windows Debugger" /f
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Update Installer
\WindowsUpdate
\Updater.exe
\Explorer.exe
\Update.exe
notepad.exe
msiexec.exe
bfsvc.exe
helppane.exe
hh.exe
regedit.exe
twunk_16.exe
twunk_32.exe
winhelp.exe
winhlp32.exe
write.exe
Reader_sl.exe
mspaint.exe
\mspaint.exe
\svchost.exe
log.txt
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
%s\*.*
%s\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
%s\Documents and Settings\All users\Start Menu\Programs\Startup
\Microsoft\Windows\Themes
\Windows Live
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
%s\Recycler
WindowsId
Microsoft\Windows\%s
%s\%s\%s.exe
:Zone.Identifier
.quarantined
"%s" -shell
"%s" -bind
userinit.exe
explorer.exe
Microsoft\Windows\%
Windows critical error, require reboot
Windows Update
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
n.lotys.ru
n.jntbxduhz.ru
n.hmiblgoja.ru
n.ezjhyxxbf.ru
n.yqqufklho.ru
n.vbemnggcj.ru
n.yxntnyrap.ru
n.oceardpku.ru
n.zhgcuntif.ru
n.jupoofsnc.ru
n.aoyylwyxd.ru
n.kvupdstwh.ru
n.spgpemwqk.ru
n.zhjdwkpaz.ru
n.dclhmfkcb.ru
n.yugypkhvl.ru
n.srobpranm.ru
n.zccgyxwfa.ru
n.lgcpogvly.ru
n.mqjcctzdu.ru
n.jthxriotb.ru
n.eoifjgjxl.ru
n.mmhjrarii.ru
n.lurgcdqwk.ru
n.adkxlenod.ru
n.lumzwlhum.ru
n.spdsazjaj.ru
n.rzyyjafvk.ru
n.orvjwcvqt.ru
n.nikejqiis.ru
n.uhwumfxht.ru
n.gznzenuve.ru
n.ipdcuzrbj.ru
n.axitdflcr.ru
n.gbckjrrzu.ru
n.kntrejzkq.ru
n.srxkwklks.ru
n.knyszaijv.ru
n.yjeuatihg.ru
n.zgfvfhtli.ru
n.hceymatul.ru
n.xiabhaoii.ru
n.oysaqcxbi.ru
n.raqimfebe.ru
n.kbwuxntle.ru
n.xcuygznmk.ru
n.fxazudqiv.ru
n.keqenlhsc.ru
n.hpufkdrqr.ru
n.yfxmjmbpd.ru
n.wbakrhdqe.ru
n.fxagapbcw.ru
n.bkgywvtsx.ru
n.zervwpzra.ru
n.akyjwkkqj.ru
n.heiylmruc.ru
n.yothepdgz.ru
n.jqltfflhx.ru
n.gbfelbdjz.ru
n.sjkguntum.ru
n.lxbluoryz.ru
n.khqrqoqoe.ru
n.lujjeazun.ru
n.votjsbqxi.ru
n.whukpjket.ru
n.jspowmxsl.ru
n.bhsbqjysh.ru
n.epbdyornt.ru
n.iclcakajd.ru
n.lbxfqfcxj.ru
n.zdxappufr.ru
n.wxvwsagfj.ru
n.phbndvdsy.ru
n.gxltnbgks.ru
n.jveblfxqs.ru
n.cfqqxfduf.ru
n.bjadvjfdx.ru
n.ggxvmjwgy.ru
n.avebiwdbf.ru
n.jractocvx.ru
n.srcbrtetb.ru
n.tekwkrsll.ru
n.hbukvpirg.ru
n.rpbzpxiyg.ru
n.cdtclxicx.ru
n.cjwxfmimx.ru
n.sabqauqxz.ru
n.ysmilxqbp.ru
n.oaclzemyh.ru
n.sokjrsoge.ru
n.rqbupminx.ru
n.tsmdeqpxz.ru
n.uqeuhlpbo.ru
n.owjbbpdam.ru
n.zjadtsvrd.ru
n.cusviecqs.ru
n.plrbchand.ru
n.zqpkvolqc.ru
n.qktjrlxil.ru
n.xyxbbuxhw.ru
n.nnzykujty.ru
n.elnytydma.com
n.mrjwqrvhe.com
n.nmdlqnsqv.com
n.eoxhxlxax.com
n.kpypmhotd.com
n.iegvyabpm.com
n.vvspbjbsj.com
n.rejtobfsz.com
n.kyhoimuag.com
n.nfjmrolyt.com
n.zfluvuuez.com
n.krpjpyuvr.com
n.jijvoiiqf.com
n.pszpnkbib.com
n.zhlhvgfpj.com
n.mvhrrpbab.com
n.xqbwkgtli.com
n.yykzejasl.com
n.uafvkahxq.com
n.onnaznfpi.com
n.bvjbygkhq.com
n.celujntse.com
n.nothauweh.com
n.bffihxjxo.com
n.onqxlsjsu.com
n.nzebzahio.com
n.ylbotqjmk.com
n.cbceluvnf.com
n.gurvnrthi.com
n.ckcwacpts.com
n.irhwtkyov.com
n.wnkgkwbbb.com
n.eepixnqaa.com
n.zodoyucra.com
n.dsnkjlkfu.com
n.wpsnxnegs.com
n.cvnuxxysj.com
n.wewhftcna.com
n.zjfprawyu.com
n.ukgorgrqm.com
n.nwsxkwjtb.com
n.rzhfwlaaj.com
n.cygzrpdct.com
n.uahauuzyr.com
n.cirgfzcxh.com
n.pxktczqpg.com
n.lwoucvztu.com
n.fwmfdsrdo.com
n.ysrzbwrhy.com
n.lsisqkwax.com
n.obfzdniwo.com
n.koiqczjzt.com
n.sbliadsxt.com
n.jxgxgdmnh.com
n.pubacyixo.com
n.xqrrrfjkk.com
n.ivqxnsonc.com
n.nxnpcnedd.com
n.nxoyntdzt.com
n.rxehjwklo.com
n.igmkzotyp.com
n.aumzkzwrl.com
n.jcawsrxup.com
n.abmadwhcr.com
n.lmfbywtms.com
n.hhxxcplyd.com
n.bjlajcvcy.com
n.kpmcbjlmz.com
n.ghovcuips.com
n.pucpdbgjm.com
n.zzwwnrwum.com
n.odeujslqf.com
n.ecnpjynwc.com
n.ynxjwgdec.com
n.xrbqavrjw.com
n.ipzfjqnzj.com
n.ulffiidks.com
n.qtcyitbce.com
n.abjuylahr.com
n.zepjdorss.com
n.vlwibqnup.com
n.eaxeebvnx.com
n.rjywkggko.com
n.zmvlqrhsl.com
n.unvsceumt.com
n.vimaspimf.com
n.myyhalxbr.com
n.rsxnjdvgu.com
n.kdrlowylf.com
n.tnylqmwer.com
n.wesocfgdj.com
n.sgteglshe.com
n.kbsdxnoqc.com
n.offbizvki.com
n.msosxcmuh.com
n.uczcgpuxv.com
n.wxctgbeou.com
n.lhklpacah.com
n.adhelcnoh.com
n.jcapalebj.com
.tlh0
GetProcessHeap
GetSystemWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegFlushKey
RegCreateKeyExA
RegOpenKeyA
RegOpenKeyExA
RegQueryInfoKeyA
RegEnumKeyA
ADVAPI32.dll
SHFileOperationA
ShellExecuteExW
SHELL32.dll
SetTcpEntry
SHLWAPI.dll
RPCRT4.dll
NETAPI32.dll
DNSAPI.dll
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\WindowsId Manager Reader
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
spoolsv.exe
rundll32.exe
alg.exe
iexplore.exe
svchost.exe
WindowsMark
o1xg.org
oxxtxxt.biz
oeob.me
%Documents and Settings%\All users\Start Menu\Programs\Startup
%Documents and Settings%\%current user%\Application Data\WindowsUpdate
%Documents and Settings%\%current user%\Application Data\Windows Live
%Documents and Settings%\%current user%\Start Menu\Programs\Startup
%System%\mspaint.exe
|%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Themes
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0A
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
%s_%d
-%sMutex
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
%s]%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
URLDownloadToFileW
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
Secur32.dll
ShellExecuteA
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
WS2_32.dll
MSVCRT.dll
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
RegNotifyChangeKeyValue
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
7 767<7~7
8*808;8~8
{A5DCBF10-6530-11D2-901F-00C04FB951ED}
shlwapi.dll
crypt32.dll
wtsapi32.dll
samcli.dll
netutils.dll
userenv.dll
WindowsSecondaryDesktop
\charmap.exe
\Windows Media Player\wmprph.exe
c:\%original file name%.exe
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
firefox.exe
.ipconfig.exe
verclsid.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
secur32.dll
ws2_32.dll
:%S%S\
Aadvapi32.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

mspaint.exe_2068_rwx_00930000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
%s]%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
o1xg.org
oxxtxxt.biz
oeob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
c:\%original file name%.exe
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\themes\Hukmkt.exe
\\.\pipe\9caf4c3f
%System%\mspaint.exe
%WinDir%
7 767<7~7
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
mspaint.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\mspaint.exe

wmiprvse.exe_628_rwx_00DE0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
%s]%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
o1xg.org
oxxtxxt.biz
oeob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\9caf4c3f
%System%\wbem\wmiprvse.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\themes\Hukmkt.exe
7 767<7~7
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
mspaint.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe
c:\%original file name%.exe

csrss.exe_688_rwx_02C70000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
%s]%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
o1xg.org
oxxtxxt.biz
oeob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\9caf4c3f
\??\%System%\csrss.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\themes\Hukmkt.exe
7 767<7~7
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
mspaint.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\csrss.exe
c:\%original file name%.exe

winlogon.exe_712_rwx_015F0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0`
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
%s]%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
o1xg.org
oxxtxxt.biz
oeob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\9caf4c3f
\??\%System%\winlogon.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\themes\Hukmkt.exe
7 767<7~7
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
mspaint.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe
c:\%original file name%.exe

services.exe_756_rwx_00B60000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
%s]%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
o1xg.org
oxxtxxt.biz
oeob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\9caf4c3f
%System%\services.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\themes\Hukmkt.exe
7 767<7~7
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
mspaint.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\services.exe
c:\%original file name%.exe

Explorer.EXE_888_rwx_01EA0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
%s]%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
o1xg.org
oxxtxxt.biz
oeob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\9caf4c3f
%WinDir%\Explorer.EXE
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\themes\Hukmkt.exe
7 767<7~7
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
mspaint.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\explorer.exe
c:\%original file name%.exe

svchost.exe_936_rwx_00E90000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
%s]%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
o1xg.org
oxxtxxt.biz
oeob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\9caf4c3f
%System%\svchost.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\themes\Hukmkt.exe
7 767<7~7
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
mspaint.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
c:\%original file name%.exe

svchost.exe_1020_rwx_00B10000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
%s]%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
o1xg.org
oxxtxxt.biz
oeob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\9caf4c3f
%System%\svchost.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\themes\Hukmkt.exe
7 767<7~7
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
mspaint.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
c:\%original file name%.exe

svchost.exe_1104_rwx_02F60000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
%s]%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
o1xg.org
oxxtxxt.biz
oeob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\9caf4c3f
%WinDir%\System32\svchost.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\themes\Hukmkt.exe
7 767<7~7
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
mspaint.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
c:\%original file name%.exe

svchost.exe_1164_rwx_006F0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0p
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
%s]%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
o1xg.org
oxxtxxt.biz
oeob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\9caf4c3f
%System%\svchost.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\themes\Hukmkt.exe
7 767<7~7
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
mspaint.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
rc:\%original file name%.exe

svchost.exe_1244_rwx_00CB0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
%s]%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
o1xg.org
oxxtxxt.biz
oeob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\9caf4c3f
%System%\svchost.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\themes\Hukmkt.exe
7 767<7~7
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
mspaint.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
c:\%original file name%.exe

spoolsv.exe_1436_rwx_00F50000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
%s]%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
o1xg.org
oxxtxxt.biz
oeob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\9caf4c3f
%System%\spoolsv.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\themes\Hukmkt.exe
7 767<7~7
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
mspaint.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\WINDOWS\system32\spoolsv.exe
c:\%original file name%.exe

jqs.exe_1592_rwx_010C0000_0004E000:

.text
`.rdata
@.data
.reloc
=MSG t
>MSG u`
=PASS
8httpu1
8httpuM
tlSSSSSSSSSShL0
%s.%s
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
CAL %d %6s
ngr->blocksize: %d
block_size: %d
\\.\pipe\%s
kernel32.dll
%s_%d
-%sMutex
ntdll.dll
%s-pid
%s-comm
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %5s
JOIN %5s
PRIVMSG
JOIN
%s:%d
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
%s:%s@%s:%d
PTF://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
%s-%s-%s
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
virusbuster.nprotect.
heck.tc
onecare.live.
login[password]
login[username]
*members*.iknowthatgirl*/members*
*youporn.*/login*
*members.brazzers.com*
*bcointernacional*login*
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
loginid
*enom.com/login*
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
*moniker.com/*Login*
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
loginname
*godaddy.com/login*
Password
*Password=*
*alertpay.com/login*
*netflix.com/*ogin*
*thepiratebay.org/login*
*torrentleech.org/*login*
*vip-file.com/*/signin-do*
*sms4file.com/*/signin-do*
*letitbit.net*
*what.cd/login*
*oron.com/login*
*filesonic.com/*login*
*speedyshare.com/login*
*uploaded.to/*login*
*uploading.com/*login*
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
*hotfile.com/login*
*4shared.com/login*
txtpass
*txtpass=*
*netload.in/index*
*freakshare.com/login*
login_pass
*login_pass=*
*mediafire.com/*login*
*sendspace.com/login*
*megaupload.*/*login*
*depositfiles.*/*/login*
*signin.ebay*SignIn
*officebanking.cl/*login.asp*
*secure.logmein.*/*logincheck*
session[password]
*password]=*
*twitter.com/sessions
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
\\.\PHYSICALDRIVE0
shell32.dll
httpi
dnsapi.dll
hXXp://%s/%s
hXXp://%s/
POST /23s
[%s[%s%s[%s
n%s[%s[%s%s[%s
%s[%s[%s
[DNS]: Redirecting "%s" to "%s"
%s]%s
[Logins]: Cleared %d logins
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
hXXp://
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
\\.\%c:
*bebo.*/c/profile/comment_post.json
*bebo.*/mail/MailCompose.jsp*
*friendster.*/sendmessage.php*
*friendster.*/rpc.php
*vkontakte.ru/mail.php
*vkontakte.ru/wall.php
*vkontakte.ru/api.php
*facebook.*/ajax/*MessageComposerEndpoint.php*
msg_text
*facebook.*/ajax/chat/send.php*
-_.!~*'()
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
%s_0xX
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
DNSAPI.dll
Secur32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
WS2_32.dll
MSVCRT.dll
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryW
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
o1xg.org
oxxtxxt.biz
oeob.me
]1.1.0.0
msn.set
msn.int
http.set
http.int
http.inj
logins
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SDRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
ftpinfect
httplogin
httptraff
httpspread
hXXp://api.wipmania.com/
\\.\pipe\x_ipc
\\.\pipe\9caf4c3f
%Program Files%\Java\jre6\bin\jqs.exe
%WinDir%
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\themes\Hukmkt.exe
7 767<7~7
8*808;8~8
%s\Microsoft\Windows\themes\%s.exe
\\.\pipe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%S\
winlogon.exe
mspaint.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
Akernel23.dll
y%s\%s.exe
lsass.exe
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
\Device\HarddiskVolume1\Program Files\Java\jre6\bin\jqs.exe
c:\%original file name%.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2100
    %original file name%.exe:1216

  3. Delete the original Worm file.
  4. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\Local Settings\Temp\c731200 (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Themes\Hukmkt.exe (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZL6VQQP0\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H0XKHRAX\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EB59QNZL\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFGLMNBQ\desktop.ini (67 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Hukmkt" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\themes\Hukmkt.exe"

  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now