Download Link:
hxxp://222.180.36.174/setup.exe
File Name: setup.exe
File size: 364404 bytes
MD5...: baf8592e2b5a042a5799a00d07b1ad6f
SHA1..: 0ed5cf571c81c03a4b7b0b3ddb94c667d3347a1d
SHA256: f778e1bead1484b98681d8f143d4fd572339f4c880cf55c6e1f730acfb885b51
SHA512: 07bd28b4ce34e7266adbbb537cc15a410f3f06ceb4665da33adbeaf143c06cc2bfea77998ca15341077aeb6d56e69003b58bf7347ad5c734966a424b3c2b9b52
VirusTotal Result: 22/32 (68.75%)
AntiVir 7.8.0.11 2008.05.02 PCK/UPACK
Avast 4.8.1169.0 2008.05.02 Win32:Agent-ICL
AVG 7.5.0.516 2008.05.02 PSW.Generic6.HMN
BitDefender 7.2 2008.05.02 Dropped:Generic.Onlinegames.5.B2AAC611
CAT-QuickHeal 9.50 2008.05.02 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.05.02 PUA.Packed.UPack-2
DrWeb 4.44.0.09170 2008.05.02 Trojan.Hitpop.origin
eSafe 7.0.15.0 2008.04.28 Suspicious File
F-Prot 4.4.2.54 2008.05.02 W32/Injector.A.gen!Eldorado
F-Secure 6.70.13260.0 2008.05.02 W32/Suspicious_U.gen.dropper
Fortinet 3.14.0.0 2008.05.02 W32/POPHOT.ARL!tr.spy
Ikarus T3.1.1.26.0 2008.05.02 Virus.Win32.QQHelper.FG
Kaspersky 7.0.0.125 2008.05.02 Trojan-Spy.Win32.Pophot.ate
McAfee 5286 2008.05.02 New Malware.aj
NOD32v2 3071 2008.05.02 a variant of Win32/Spy.Delf.NIK
Norman 5.80.02 2008.05.02 W32/Suspicious_U.gen
Panda 9.0.0.4 2008.05.01 Suspicious file
Sophos 4.29.0 2008.05.02 Mal/Packer
Sunbelt 3.0.1097.0 2008.05.01 VIPRE.Suspicious
TheHacker 6.2.92.298 2008.04.30 W32/Behav-Heuristic-060
VirusBuster 4.3.26:9 2008.05.02 Packed/Upack
Webwasher-Gateway 6.6.2 2008.05.02 Packer.UPACK
PE Structure information
( base data )
entrypointaddress.: 0x401018
timedatestamp.....: 0x4011b0be (Fri Jan 23 23:39:42 2004)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
PS 0x1000 0x20000 0x1f0 5.35 74b208179ea8a91705a8312d08e1f34d
@B 0x21000 0x12000 0xa5e0 7.76 e71522eb575d9973e67bc9024c8a5e9e
xB@ 0x33000 0x1000 0x1f0 5.35 74b208179ea8a91705a8312d08e1f34d
( 0 imports )
( 0 exports )
Process ID 1808
Filename C:\file.exe
Filesize 364404 bytes
MD5 baf8592e2b5a042a5799a00d07b1ad6f
COM Get Class Object: C:\WINDOWS\system32\urlmon.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})
New Files
c:\tmp.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dodolook005.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ha_80040.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\myse009.exe
Opened Files
c:\tmp.tmp
\\.\PIPE\wkssvc
\\.\PIPE\lsarpc
\\.\PIPE\ntsvcs
Deleted Files
c:\tmp.tmp
Chronological order
Copy File: C:\file.exe to c:\tmp.tmp
Open File: c:\tmp.tmp (OPEN_EXISTING)
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dodolook005.exe
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ha_80040.exe
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\myse009.exe
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\myse009.exe
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: cmd.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\PIPE\ntsvcs (OPEN_EXISTING)
Get File Attributes: C:\cmd.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\System32\cmd.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ha_80040.exe
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dodolook005.exe
Delete File: c:\tmp.tmp
Creates Process - Filename (cmd.exe) CommandLine: (/c "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\myse009.exe") As User: () Creation Flags: ()
Creates Process - Filename (cmd.exe) CommandLine: (/c "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ha_80040.exe") As User: () Creation Flags: ()
Creates Process - Filename (cmd.exe) CommandLine: (/c "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dodolook005.exe") As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (1808) As User: () Creation Flags: ()
Process ID 1572
Filename C:\WINDOWS\System32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\myse009.exe
Filesize -1 bytes
MD5
Start Reason CreateProcess
Opened Files
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\myse009.exe
Chronological order
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Find File: C:\
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\myse009.exe
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\myse009.exe ()
Find File: myse009.exe
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
Creates Process - Filename (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\myse009.exe) CommandLine: (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\myse009.exe) As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (1572) As User: () Creation Flags: ()
Process ID 1884
Filename C:\WINDOWS\System32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ha_80040.exe
Filesize -1 bytes
MD5
Start Reason CreateProcess
Opened Files
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ha_80040.exe
Chronological order
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Find File: C:\
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ha_80040.exe
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ha_80040.exe ()
Find File: ha_80040.exe
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
Creates Process - Filename (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ha_80040.exe) CommandLine: (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ha_80040.exe) As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (1884) As User: () Creation Flags: ()
Process ID 1900
Filename C:\WINDOWS\System32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dodolook005.exe
Filesize -1 bytes
MD5
Start Reason CreateProcess
Opened Files
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dodolook005.exe
Chronological order
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Find File: C:\
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dodolook005.exe
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dodolook005.exe ()
Find File: dodolook005.exe
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
Creates Process - Filename (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dodolook005.exe) CommandLine: (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dodolook005.exe) As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (1900) As User: () Creation Flags: ()
Process ID 1972
Filename C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\myse009.exe
Filesize 110764 bytes
MD5 f405dfe979feb8ad69f0c1b65521e243
Start Reason CreateProcess
COM Get Class Object: C:\WINDOWS\system32\urlmon.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})
New Files
C:\WINDOWS\System32\inf\svchosts.exe
C:\WINDOWS\System\sgcxcxxaspf080502.exe
C:\WINDOWS\System32\inf\sppdcrs080502.scr
C:\WINDOWS\System32\mdccasys32_080502.dll
C:\WINDOWS\System32\inf\scsys16_080502.dll
C:\WINDOWS\System32\lwfdfia16_080502.dll
Opened Files
\\.\PIPE\lsarpc
\\.\PIPE\wkssvc
\\.\PIPE\ntsvcs
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\System32\inf\svchosts.exe
Chronological order
Get File Attributes: C:\WINDOWS\System32\inf\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\System32\inf\svchosts.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\System32\rundll32.exe Flags: (SECURITY_ANONYMOUS)
Copy File: C:\WINDOWS\System32\rundll32.exe to C:\WINDOWS\System32\inf\svchosts.exe
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\System\sgcxcxxaspf080502.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\docume~1\admini~1\locals~1\temp\myse009.exe Flags: (SECURITY_ANONYMOUS)
Copy File: c:\docume~1\admini~1\locals~1\temp\myse009.exe to C:\WINDOWS\System\sgcxcxxaspf080502.exe
Get File Attributes: C:\WINDOWS\System32\inf\sppdcrs080502.scr Flags: (SECURITY_ANONYMOUS)
Copy File: c:\docume~1\admini~1\locals~1\temp\myse009.exe to C:\WINDOWS\System32\inf\sppdcrs080502.scr
Get File Attributes: C:\WINDOWS\System32\mdccasys32_080502.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:\WINDOWS\System32\mdccasys32_080502.dll
Get File Attributes: C:\WINDOWS\System32\inf\scsys16_080502.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:\WINDOWS\System32\inf\scsys16_080502.dll
Get File Attributes: C:\WINDOWS\System32\lwfdfia16_080502.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:\WINDOWS\System32\lwfdfia16_080502.dll
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\ntsvcs (OPEN_EXISTING)
Get File Attributes: C:\Documents and Settings\Administrator\My Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\All Users\Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\System32\inf\svchosts.exe ()
Find File: svchosts.exe
Read INI File
pwisys.ini [temp] myf =
pwisys.ini [hitpop] ver =
pwisys.ini [hitpop] first =
pwisys.ini [dll_start] fn =
pwisys.ini [old] dll =
pwisys.ini [dll_start_bak] fn =
pwisys.ini [old] dll_bak =
pwisys.ini [exe] fn =
pwisys.ini [old] exe =
pwisys.ini [dll_hitpop] fn =
pwisys.ini [old] dll32 =
pwisys.ini [exe_bak] fn =
pwisys.ini [exe] fn_pif =
C:\Documents and Settings\Administrator\My Documents\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Administrator\My Documents\desktop.ini [DeleteOnCopy.A] Owner =
C:\Documents and Settings\Administrator\My Documents\desktop.ini [DeleteOnCopy] PersonalizedName =
C:\Documents and Settings\Administrator\My Documents\desktop.ini [DeleteOnCopy.A] PersonalizedName =
C:\Documents and Settings\All Users\Documents\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\All Users\Documents\desktop.ini [.ShellClassInfo] LocalizedResourceName =
pwisys.ini [sys] bat =
pwisys.ini [delete] fn =
Read INI File
pwisys.ini [temp] myf = e
pwisys.ini [hitpop] first = 1
pwisys.ini [hitpop] ver = 080502
pwisys.ini [exe] fn = C:\WINDOWS\System\sgcxcxxaspf080502.exe
pwisys.ini [exe_bak] fn = C:\WINDOWS\System32\inf\sppdcrs080502.scr
pwisys.ini [dll_hitpop] fn = C:\WINDOWS\System32\mdccasys32_080502.dll
pwisys.ini [dll_start_bak] fn = C:\WINDOWS\System32\inf\scsys16_080502.dll
pwisys.ini [dll_start] fn = C:\WINDOWS\System32\lwfdfia16_080502.dll
pwisys.ini [sys] bat = c:\myDelm.bat
pwisys.ini [delete] fn = c:\docume~1\admini~1\locals~1\temp\myse009.exe
Creates Process - Filename (C:\WINDOWS\System32\inf\svchosts.exe) CommandLine: (C:\WINDOWS\System32\lwfdfia16_080502.dll tanlt88) As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (1972) As User: () Creation Flags: ()
Enum Processes
Enum Modules - Target PID: (1972)
Process ID 1996
Filename C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ha_80040.exe
Filesize 24576 bytes
MD5 c79cbe0bd29aa80ae5d6398294a99fe4
Start Reason CreateProcess
New Files
\Device\RasAcd
C:\Documents and Settings\Administrator\Local Settings\Temp\tempaq
C:\WINDOWS\tempaq
Opened Files
\\.\PIPE\svcctl
\\.\PIPE\lsarpc
c:\autoexec.bat
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ha_80040.exe
Chronological order
Open File: \\.\PIPE\svcctl (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\System32\Ras\*.pbk
Find File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Create File: C:\Documents and Settings\Administrator\Local Settings\Temp\tempaq
Get File Attributes: C:\WINDOWS\tempaq Flags: (SECURITY_ANONYMOUS)
Move File: C:\Documents and Settings\Administrator\Local Settings\Temp\tempaq to C:\WINDOWS\tempaq
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ha_80040.exe ()
Find File: ha_80040.exe
Creates Mutex: RasPbFile
Opens Mutex: RasPbFile
Creates Process - Filename () CommandLine: (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ha_80040.exe "C:\WINDOWS\tempaq" 80040) As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (1996) As User: () Creation Flags: ()
Network Activity
DNS Lookup
Host Name IP Address
travel.yahoo550.com 58.211.7.59
Download URLs
hxxp://58.211.7.59/image/logo.jpg?queryid=80040 (travel.yahoo550.com)
Outgoing connection to remote server: travel.yahoo550.com TCP port 80
Process ID 2024
Filename C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dodolook005.exe
Filesize 186003 bytes
MD5 e26c3c41839f8681997aba5684c10548
Start Reason CreateProcess
New Files
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nssB.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsxE.tmp\System.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsxE.tmp\System.dll
Opened Files
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dodolook005.exe
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7.exe
Deleted Files
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsc9.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsxE.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\acpidisk.sys
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DoSSSetup.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsxE.tmp\System.dll
Chronological order
Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsc9.tmp
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dodolook005.exe Flags: (SECURITY_ANONYMOUS)
Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dodolook005.exe (OPEN_EXISTING)
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nssB.tmp
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsxE.tmp
Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsxE.tmp
Find File: C:\DOCUME~1
Find File: C:\DOCUME~1\ADMINI~1
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsxE.tmp\System.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsxE.tmp\System.dll
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7.exe Flags: (SECURITY_ANONYMOUS)
Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7.exe Flags: (FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_NORMAL,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_SYSTEM,FILE_ATTRIBUTE_TEMPORARY,FILE_ATTRIBUTE_SPARSE_FILE,FILE_ATTRIBUTE_REPARSE_POINT,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,FILE_ATTRIBUTE_ENCRYPTED,SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7.exe
Set File Time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7.exe
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7.exe ()
Find File: 7.exe
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7.exe
Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7.exe Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7.exe
Move File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7.exe to
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\acpidisk.sys
Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\acpidisk.sys Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\acpidisk.sys
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DoSSSetup.dll
Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DoSSSetup.dll Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DoSSSetup.dll
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsxE.tmp\System.dll
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsxE.tmp\*.*
Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsxE.tmp\System.dll Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsxE.tmp\System.dll
Creates Mutex: 52D77ECE7B32424dB93B9A6EFBDDB0DF
Creates Process - Filename () CommandLine: ("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7.exe" 7005) As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (2024) As User: () Creation Flags: ()
Service Management
Load Driver - Name: (\Registry\Machine\System\CurrentControlSet\Services\acpidisk) File Name: ()
Load Driver - Name: (\Registry\Machine\System\CurrentControlSet\Services\ggx1u) File Name: ()
Load Driver - Name: (\Registry\Machine\System\CurrentControlSet\Services\vqg28mghr) File Name: ()
Process ID 1576
Filename C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7.exe 7005
New Files
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy1A.tmp\System.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy1A.tmp\System.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DoSSSetup.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\acpidisk.sys
C:\WINDOWS\System32\drivers\acpidisk.sys
Opened Files
\\.\PIPE\lsarpc
\\.\PIPE\ntsvcs
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7.exe
\\.\Global\acpidisk
\\.\PIPE\svcctl
Deleted Files
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsi18.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy1A.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy1A.tmp\System.dll
Chronological order
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\PIPE\ntsvcs (OPEN_EXISTING)
Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsi18.tmp
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7.exe Flags: (SECURITY_ANONYMOUS)
Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7.exe (OPEN_EXISTING)
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy1A.tmp
Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy1A.tmp
Get File Attributes: C:\DOCUME~1 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\ADMINI~1 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy1A.tmp\System.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy1A.tmp\System.dll
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy1A.tmp\System.dll
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DoSSSetup.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DoSSSetup.dll
Set File Time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DoSSSetup.dll
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\acpidisk.sys Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\acpidisk.sys
Set File Time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\acpidisk.sys
Open File: \\.\Global\acpidisk (OPEN_EXISTING)
Copy File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\acpidisk.sys to C:\WINDOWS\System32\drivers\acpidisk.sys
Open File: \\.\PIPE\svcctl (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\System32\mscpx32r.det Flags: (SECURITY_ANONYMOUS)
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1
Find File: C:\DOCUME~1\ADMINI~1
Find File: C:\DOCUME~1
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy1A.tmp\*.*
Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy1A.tmp\System.dll Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy1A.tmp\System.dll
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy1A.tmp\ Flags: (SECURITY_ANONYMOUS)
Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy1A.tmp\ Flags: (SECURITY_ANONYMOUS)
Creates Mutex: 91852000
Creates Mutex:
Opens Mutex
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDSCNP "" = [REG_DWORD, value: 00001B5D]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDSCNP "" = [REG_DWORD, value: 7E0C45A0]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDSCNP "" = [REG_DWORD, value: 00000000]
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ""
Open Service Manager - Name: "SCM"
Open Service - Name: "acpidisk"
Create Service - Name: (acpidisk) Display Name: (acpidisk) File Name: (C:\WINDOWS\System32\drivers\acpidisk.sys) Control: () Start Type: (SERVICE_AUTO_START)
Start Service - Name: (acpidisk) Display Name: () File Name: () Control: () Start Type: ()
Process ID 440
Filename C:\WINDOWS\System32\inf\svchosts.exe C:\WINDOWS\System32\lwfdfia16_080502.dll tanlt88
COM Get Class Object: C:\WINDOWS\system32\urlmon.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})
New Files
c:\mylstecj.bat
Opened Files
\\.\PIPE\wkssvc
\\.\PIPE\lsarpc
\\.\PIPE\ntsvcs
Deleted Files
c:\docume~1\admini~1\locals~1\temp\myse009.exe
Chronological order
Get File Attributes: C:\WINDOWS\System32\lwfdfia16_080502.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\System32\lwfdfia16_080502.dll.manifest Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\System\sgcxcxxaspf080502.exe Flags: (SECURITY_ANONYMOUS)
Create File: c:\mylstecj.bat
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: cmd.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\PIPE\ntsvcs (OPEN_EXISTING)
Get File Attributes: C:\cmd.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\System32\cmd.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\docume~1\admini~1\locals~1\temp\myse009.exe Flags: (SECURITY_ANONYMOUS)
Delete File: c:\docume~1\admini~1\locals~1\temp\myse009.exe
Read INI File
pwisys.ini [exe] fn =
pwisys.ini [exe_bak] fn =
pwisys.ini [sys] usertype =
pwisys.ini [delete] fn =
Read INI File
pwisys.ini [delete] fn =
Opened Files
c:\mylstecj.bat
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\System\sgcxcxxaspf080502.exe
Deleted Files
c:\mylstecj.bat
Chronological order
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Find File: C:\
Find File: c:\mylstecj.bat
Open File: c:\mylstecj.bat (OPEN_EXISTING)
Find File: C:\WINDOWS\System\sgcxcxxaspf080502.exe
Get File Attributes: "C:\WINDOWS\System\sgcxcxxaspf080502.exe" Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\System\sgcxcxxaspf080502.exe ()
Find File: sgcxcxxaspf080502.exe
Get File Attributes: c:\mylstecj.bat Flags:
(SECURITY_ANONYMOUS)
Get File Attributes: c:\ Flags: (SECURITY_ANONYMOUS)
Delete File: c:\mylstecj.bat
New Files
C:\WINDOWS\System32\mdccasys32_080502.dll
Opened Files
\\.\PIPE\lsarpc
\\.\PIPE\wkssvc
\\.\PIPE\ntsvcs
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\Program Files\Internet Explorer\IEXPLORE.EXE
Deleted Files
C:\WINDOWS\System32\mdccasys32_080502.dll
Chronological order
Get File Attributes: C:\WINDOWS\System32\inf\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\System32\inf\svchosts.exe Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\System\sgcxcxxaspf080502.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\System32\inf\sppdcrs080502.scr Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\System32\mdccasys32_080502.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\System32\inf\scsys16_080502.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\System32\lwfdfia16_080502.dll Flags: (SECURITY_ANONYMOUS)
Delete File: C:\WINDOWS\System32\mdccasys32_080502.dll
Create File: C:\WINDOWS\System32\mdccasys32_080502.dll
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Program Files\Internet Explorer\IEXPLORE.EXE Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\ntsvcs (OPEN_EXISTING)
Get File Attributes: C:\Documents and Settings\Administrator\My Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\All Users\Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\Program Files\Internet Explorer\IEXPLORE.EXE ()
Find File: IEXPLORE.EXE
Read INI File
pwisys.ini [hitpop] ver =
pwisys.ini [hitpop] first =
pwisys.ini [exe] fn =
pwisys.ini [exe_bak] fn =
pwisys.ini [dll_hitpop] fn =
pwisys.ini [dll_start_bak] fn =
pwisys.ini [register] reg =
pwisys.ini [hitpop] kv =
pwisys.ini [old] dll =
pwisys.ini [old] dll_bak =
pwisys.ini [old] exe =
pwisys.ini [old] dll32 =
pwisys.ini [ie] run =
pwisys.ini [ie] hwnd =
pwisys.ini [listion] run =
C:\Documents and Settings\Administrator\My Documents\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Administrator\My Documents\desktop.ini [DeleteOnCopy.A] Owner =
C:\Documents and Settings\Administrator\My Documents\desktop.ini [DeleteOnCopy] PersonalizedName =
C:\Documents and Settings\Administrator\My Documents\desktop.ini [DeleteOnCopy.A] PersonalizedName =
C:\Documents and Settings\All Users\Documents\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\All Users\Documents\desktop.ini [.ShellClassInfo] LocalizedResourceName =
pwisys.ini [ie] hwnd_ =
pwisys.ini [sys] bat =
Read INI File
pwisys.ini [register] reg = nyuserinit
pwisys.ini [hitpop] kv = 0
pwisys.ini [ie] run = no
pwisys.ini [listion] run = no
pwisys.ini [ie] hwnd_ = 393416
pwisys.ini [ie] hwnd = 393416
pwisys.ini [ie] run = ok
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run "" = C:\WINDOWS\System32\inf\svchosts.exe C:\WINDOWS\System32\lwfdfia16_080502.dll tanlt88
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "" = no
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "" = [REG_DWORD, value: 00000000]
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hxxp\shell\open\command ""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ""
New Files
C:\WINDOWS\System32\drivers\ggx1u.sys
C:\WINDOWS\System32\drivers\vqg28mghr.sys
C:\WINDOWS\System32\d7ik40.dll
Opened Files
\\.\Global\ClanAvb
\\.\Global\KabCleanner
C:\WINDOWS\System32\drivers\ggx1u.sys
\\.\PIPE\svcctl
C:\WINDOWS\System32\drivers\vqg28mghr.sys
C:\WINDOWS\System32\d7ik40.dll
Chronological order
Open File: \\.\Global\ClanAvb (OPEN_EXISTING)
Open File: \\.\Global\KabCleanner (OPEN_EXISTING)
Create File: C:\WINDOWS\System32\drivers\ggx1u.sys
Get File Attributes: C:\WINDOWS\System32\msvcrt.dll Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\System32\drivers\ggx1u.sys (OPEN_EXISTING)
Set File Time: C:\WINDOWS\system32\drivers\ggx1u.sys
Open File: \\.\PIPE\svcctl (OPEN_EXISTING)
Create File: C:\WINDOWS\System32\drivers\vqg28mghr.sys
Open File: C:\WINDOWS\System32\drivers\vqg28mghr.sys (OPEN_EXISTING)
Set File Time: C:\WINDOWS\system32\drivers\vqg28mghr.sys
Find File: C:\Documents and Settings\Administrator\Favorites\*.*
Get File Attributes: C:\Documents and Settings\Administrator\Favorites\Desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Administrator\Favorites\Links Flags: (SECURITY_ANONYMOUS)
Find File: C:\Documents and Settings\Administrator\Favorites\Links\*.*
Get File Attributes: C:\Documents and Settings\Administrator\Favorites\Links\Customize Links.url Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Administrator\Favorites\Links\Free Hotmail.url Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Administrator\Favorites\Links\Windows Media.url Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Administrator\Favorites\Links\Windows.url Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Administrator\Favorites\MSN.com.url Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Administrator\Favorites\Radio Station Guide.url Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Create File: C:\WINDOWS\System32\d7ik40.dll
Open File: C:\WINDOWS\System32\d7ik40.dll (OPEN_EXISTING)
Set File Time: C:\WINDOWS\system32\d7ik40.dll
Read INI File
C:\Documents and Settings\Administrator\Favorites\Desktop.ini [InternetShortcut] URL =
C:\Documents and Settings\Administrator\Favorites\Links\Customize Links.url [InternetShortcut] URL =
C:\Documents and Settings\Administrator\Favorites\Links\Free Hotmail.url [InternetShortcut] URL =
C:\Documents and Settings\Administrator\Favorites\Links\Windows Media.url [InternetShortcut] URL =
C:\Documents and Settings\Administrator\Favorites\Links\Windows.url [InternetShortcut] URL =
C:\Documents and Settings\Administrator\Favorites\MSN.com.url [InternetShortcut] URL =
C:\Documents and Settings\Administrator\Favorites\Radio Station Guide.url [InternetShortcut] URL =
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{06926B30-424E-4f1c-8EE3-543CD96573DC} "" = {1FBA04EE-3024-11D2-8F1F-0000F87ABD16}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{06926B30-424E-4f1c-8EE3-543CD96573DC} "" = Yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{06926B30-424E-4f1c-8EE3-543CD96573DC} "" = 知识库
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{06926B30-424E-4f1c-8EE3-543CD96573DC} "" = C:\WINDOWS\System32\shell32.dll,14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{06926B30-424E-4f1c-8EE3-543CD96573DC} "" = C:\WINDOWS\System32\shell32.dll,14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{06926B30-424E-4f1c-8EE3-543CD96573DC} "" = hxxp://blank.la/?h
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography ""
Open Service Manager - Name: "SCM"
Open Service - Name: "ggx1u"
Open Service - Name: "vqg28mghr"
Create Service - Name: (ggx1u) Display Name: (ggx1u) File Name: (C:\WINDOWS\System32\drivers\ggx1u.sys) Control: () Start Type: (SERVICE_AUTO_START)
Create Service - Name: (vqg28mghr) Display Name: (vqg28mghr) File Name: (C:\WINDOWS\System32\drivers\vqg28mghr.sys) Control: () Start Type: (SERVICE_AUTO_START)
Start Service - Name: (ggx1u) Display Name: () File Name: () Control: () Start Type: ()
Start Service - Name: (vqg28mghr) Display Name: () File Name: () Control: () Start Type: ()
Process ID 1304
Filename C:\Program Files\Internet Explorer\IEXPLORE.EXE
Filesize 91136 bytes
MD5 418d301c3b1fa94b19584aeeb3d65166
COM Create Instance: %SystemRoot%\System32\shdocvw.dll,
ProgID: (), Interface ID:
({00000000-0000-0000-C000-000000000046})
COM Create Instance: %SystemRoot%\System32\shdocvw.dll,
ProgID: (), Interface ID:
({47851649-A2EF-4E67-BAEC-C6A153AC72EC})
COM Create Instance: %SystemRoot%\system32\SHELL32.dll,
ProgID: (), Interface ID:
({EE1F7637-E138-11D1-8379-00C04FD918D0})
COM Create Instance: %SystemRoot%\System32\cscui.dll, ProgID:
(), Interface ID: ({0C6C4200-C589-11D0-999A-00C04FD655E1})
COM Create Instance: C:\WINDOWS\system32\urlmon.dll, ProgID:
(), Interface ID: ({79EAC9EF-BAF9-11CE-8C82-00AA004BA90B})
COM Create Instance: %SystemRoot%\System32\shdocvw.dll,
ProgID: (), Interface ID:
({000214E6-0000-0000-C000-000000000046})
COM Create Instance: , ProgID: (), Interface ID:
({85CB6900-4D95-11CF-960C-0080C7F4EE85})
COM Create Instance: C:\WINDOWS\system32\urlmon.dll, ProgID:
(), Interface ID: ({79EAC9EE-BAF9-11CE-8C82-00AA004BA90B})
COM Create Instance: C:\WINDOWS\System32\msimtf.dll, ProgID:
(), Interface ID: ({08C0E040-62D1-11D1-9326-0060B067B86E})
COM Create Instance: C:\WINDOWS\System32\mlang.dll, ProgID:
(), Interface ID: ({275C23E1-3747-11D0-9FEA-00AA003F8646})
COM Create Instance: C:\WINDOWS\System32\jscript.dll, ProgID:
(JScript), Interface ID:
({BB1A2AE1-A4F9-11CF-8F20-00805F2CD064})
COM Create Instance: , ProgID: (), Interface ID:
({00000146-0000-0000-C000-000000000046})
COM Create Instance: , ProgID: (), Interface ID:
({6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8})
COM Create Instance: C:\WINDOWS\System32\iepeers.dll, ProgID:
(PeerFactory.PeerFactory.1), Interface ID:
({3050F429-98B5-11CF-BB82-00AA00BDCE0B})
COM Create Instance: OLE32.DLL, ProgID: (), Interface ID:
({0002E013-0000-0000-C000-000000000046})
COM Create Instance: C:\WINDOWS\System32\mshtmled.dll,
ProgID: (Trident.HTMLEditor.1), Interface ID:
({3050F7FA-98B5-11CF-BB82-00AA00BDCE0B})
COM Create Instance: C:\WINDOWS\System32\dxtrans.dll, ProgID:
(BehaviorFactory.Microsoft.DXTFilterFactory.1), Interface ID:
({3050F429-98B5-11CF-BB82-00AA00BDCE0B})
COM Create Instance: C:\WINDOWS\System32\dxtrans.dll, ProgID:
(), Interface ID: ({6A950B2B-A971-11D1-81C8-0000F87557DB})
COM Create Instance: C:\WINDOWS\System32\dxtrans.dll, ProgID:
(Object.Microsoft.DXTFilterCollection.1), Interface ID:
({22B07B33-8BFB-49D4-9B90-0938370C9019})
COM Create Instance: C:\WINDOWS\System32\ddrawex.dll, ProgID:
(), Interface ID: ({4FD2A833-86C8-11D0-8FCA-00C04FD9189D})
COM Create Instance: C:\WINDOWS\System32\vbscript.dll,
ProgID: (VBScript), Interface ID:
({BB1A2AE1-A4F9-11CF-8F20-00805F2CD064})
COM Get Class Object: oleaut32.dll, Interface ID:
({D5F569D0-593B-101A-B569-08002B2DBF7A})
COM Get Class Object: %SystemRoot%\System32\mshtml.dll,
Interface ID: ({00000001-0000-0000-C000-000000000046})
COM Get Class Object:
C:\WINDOWS\System32\macromed\flash\swflash.ocx, Interface ID:
({00000001-0000-0000-C000-000000000046})
COM Get Class Object: %SystemRoot%\System32\msxml3.dll,
Interface ID: ({00000001-0000-0000-C000-000000000046})
New Files
\Device\RasAcd
C:\Documents and Settings\Administrator\Local
Settings\Application Data\Microsoft\Internet
Explorer\MSIMGSIZ.DAT
Opened Files
C:\WINDOWS\System32\cscui.dll
\\.\shadow
\\.\PIPE\lsarpc
\\.\PIPE\ntsvcs
\\.\PIPE\svcctl
C:\WINDOWS\System32\shdocvw.dll
C:\WINDOWS\System32\stdole2.tlb
c:\autoexec.bat
C:\WINDOWS\System32\mshtml.tlb
C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\6PZI1KUD\dap[2].js
C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\8XXZ6QK8\ushpw[1].css
C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\8XXZ6QK8\hp[2].js
C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\7HI1KLM5\hptr[1].js
C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\6PZI1KUD\ovrws1N[1].css
C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\D5P8I2ZL\ieN[2].css
C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\8XXZ6QK8\blu[1].css
C:\WINDOWS\System32\iepeers.dll
C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\7HI1KLM5\ADSAdClient31[1].dll
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\8XXZ6QK8\ADSAdClient31[1].dll
C:\WINDOWS\System32\msxml3.dll\1
C:\WINDOWS\System32\msxml3.dll
C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\6PZI1KUD\ADSAdClient31[1].dll
C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\D5P8I2ZL\ieminwidth[1].js
C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\8XXZ6QK8\ADSAdClient31[2].dll
C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\7HI1KLM5\ADSAdClient31[2].dll
C:\WINDOWS\System32\macromed\flash\swflash.ocx
Chronological order
Get File Attributes: C:\WINDOWS\Registration Flags:
(SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\System32\cscui.dll (OPEN_EXISTING)
Open File: \\.\shadow (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\PIPE\ntsvcs (OPEN_EXISTING)
Get File Attributes: C:\Documents and
Settings\Administrator\Favorites\desktop.ini Flags:
(SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and
Settings\Administrator\Favorites\Links Flags:
(SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and
Settings\Administrator\Local Settings\Temporary Internet
Files\desktop.ini Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\svcctl (OPEN_EXISTING)
Open File: C:\WINDOWS\System32\shdocvw.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\System32\stdole2.tlb (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags:
(SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Documents and Settings\All Users\Application
Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\System32\Ras\*.pbk
Find File: C:\Documents and
Settings\Administrator\Application
Data\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: C:\WINDOWS\System32\mshtml.tlb (OPEN_EXISTING)
Open File: C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\6PZI1KUD\dap[2].js (OPEN_EXISTING)
Open File: C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\8XXZ6QK8\ushpw[1].css (OPEN_EXISTING)
Open File: C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\8XXZ6QK8\hp[2].js (OPEN_EXISTING)
Open File: C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\7HI1KLM5\hptr[1].js (OPEN_EXISTING)
Open File: C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\6PZI1KUD\ovrws1N[1].css (OPEN_EXISTING)
Open File: C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\D5P8I2ZL\ieN[2].css (OPEN_EXISTING)
Open File: C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\8XXZ6QK8\blu[1].css (OPEN_EXISTING)
Open File: C:\WINDOWS\System32\iepeers.dll (OPEN_EXISTING)
Get File Attributes: C:\Documents and
Settings\Administrator\Local Settings\Application
Data\Microsoft Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and
Settings\Administrator\Local Settings\Application
Data\Microsoft\Internet Explorer Flags: (SECURITY_ANONYMOUS)
Create/Open File: C:\Documents and
Settings\Administrator\Local Settings\Application
Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT (OPEN_ALWAYS)
Open File: C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\7HI1KLM5\ADSAdClient31[1].dll
(OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\notepad.exe Flags:
(SECURITY_ANONYMOUS)
Open File: C:\Program Files\Internet Explorer\IEXPLORE.EXE
(OPEN_EXISTING)
Get File Attributes: c:\hitpop.txt Flags:
(SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\System32\lwfdfia16_080502.dll
Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\System\sgcxcxxaspf080502.exe
Flags: (SECURITY_ANONYMOUS)
Open File: C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\8XXZ6QK8\ADSAdClient31[1].dll
(OPEN_EXISTING)
Open File: C:\WINDOWS\System32\msxml3.dll\1 (OPEN_EXISTING)
Open File: C:\WINDOWS\System32\msxml3.dll (OPEN_EXISTING)
Open File: C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\6PZI1KUD\ADSAdClient31[1].dll
(OPEN_EXISTING)
Open File: C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\D5P8I2ZL\ieminwidth[1].js (OPEN_EXISTING)
Open File: C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\8XXZ6QK8\ADSAdClient31[2].dll
(OPEN_EXISTING)
Open File: C:\Documents and Settings\Administrator\Local
Settings\Temporary Internet
Files\Content.IE5\7HI1KLM5\ADSAdClient31[2].dll
(OPEN_EXISTING)
Get File Attributes: c:\tan88.txt Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\System32\macromed\flash\swflash.ocx
(OPEN_EXISTING)
Get File Attributes:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\list252626511.htm Flags:
(SECURITY_ANONYMOUS)
Read INI File
C:\Documents and Settings\Administrator\Favorites\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Administrator\Favorites\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini [.ShellClassInfo] LocalizedResourceName =
WIN.INI [windows] DragScrollInset =
WIN.INI [windows] DragScrollDelay =
WIN.INI [windows] DragDelay =
WIN.INI [windows] DragScrollInterval =
pwisys.ini [register] reg =
C:\WINDOWS\System32\mywehit.ini [ie] ys =
pwisys.ini [sys] bat =
WIN.INI [ddrawex] realdll =
WIN.INI [DirectDraw] reloadreg =
pwisys.ini [dll_start] fn =
pwisys.ini [dll_start_bak] fn =
pwisys.ini [exe] fn =
pwisys.ini [exe_bak] fn =
pwisys.ini [old] dll32 =
pwisys.ini [hitpop] ver =
Creates Mutex: Shell.CMruPidlList
Creates Mutex: RasPbFile
Creates Mutex: CTF.LBES.MutexDefaultS-1-5-21-1614895754-1303643608-682003330-500
Creates Mutex: CTF.Compart.MutexDefaultS-1-5-21-1614895754-1303643608-682003330-500
Creates Mutex: CTF.Asm.MutexDefaultS-1-5-21-1614895754-1303643608-682003330-500
Creates Mutex: CTF.Layouts.MutexDefaultS-1-5-21-1614895754-1303643608-682003330-500
Creates Mutex: CTF.TMD.MutexDefaultS-1-5-21-1614895754-1303643608-682003330-500
Creates Mutex: MSIMGSIZECacheMutex
Creates Mutex: DDrawWindowListMutex
Creates Mutex: DDrawDriverObjectListMutex
Creates Mutex: __DDrawExclMode__
Creates Mutex: __DDrawCheckExclMode__
Opens Mutex: WininetStartupMutex
Opens Mutex: RasPbFile
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication "" = IEXPLORE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication "" = [REG_DWORD, value: 3D6DD9C1]
Reads
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatibility ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}\InProcServer32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5b4dae26-b807-11d0-9815-00c04fd91972}\InProcServer32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InProcServer32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer ""
HKEY_CLASSES_ROOT ""
HKEY_CLASSES_ROOT ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\TypeLib ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\TypeLib ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32 ""
HKEY_CURRENT_USER\Control Panel\International ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF ""
HKEY_CURRENT_USER\Software\Microsoft\CTF ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{7E8BC440-AEFF-11D1-89C2-00C04FB6BFC4}\1.0\0 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/cdf ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/fractals ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/futuresplash ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/hta ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/mac-binhex40 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/pkcs10 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/pkcs7-mime ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/pkcs7-signature ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/pkix-cert ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/pkix-crl ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/postscript ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/set-payment-initiation ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/set-registration-initiation ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/vnd.ms-pki.certstore ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/vnd.ms-pki.pko ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/vnd.ms-pki.seccat ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/vnd.ms-pki.stl ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/x-cdf ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/x-compress ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/x-compressed ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/x-gzip ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/x-internet-signup ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/x-iphone ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/x-latex ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/x-mix-transfer ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/x-mplayer2 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/x-ms-wmd ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/x-ms-wmz ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/x-pkcs12 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/x-pkcs7-certificates ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/x-pkcs7-certreqresp ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/x-shockwave-flash ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/x-stuffit ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/x-tar ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/x-troff-man ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/x-x509-ca-cert ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/x-zip-compressed ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\application/xml ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\audio/aiff ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\audio/basic ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\audio/mid ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\audio/midi ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\audio/mp3 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\audio/mpeg ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\audio/mpegurl ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\audio/mpg ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\audio/wav ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\audio/x-aiff ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\audio/x-background ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\audio/x-mid ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\audio/x-midi ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\audio/x-mp3 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\audio/x-mpeg ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\audio/x-mpegurl ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\audio/x-mpg ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\audio/x-ms-wax ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\audio/x-ms-wma ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\audio/x-wav ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\image/bmp ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\image/gif ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\image/jpeg ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\image/pjpeg ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\image/png ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\image/tiff ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\image/x-icon ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\image/x-jg ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\image/x-png ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\image/x-wmf ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\image/x-xbitmap ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\image/xbm ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\message/rfc822 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\midi/mid ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\text/css ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\text/h323 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\text/html ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\text/iuls ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\text/plain ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\text/scriptlet ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\text/webviewhtml ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\text/x-component ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\text/x-scriptlet ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\text/x-vcard ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\text/xml ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\video/avi ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\video/mpeg ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\video/mpg ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\video/msvideo ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\video/x-ivf ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\video/x-mpeg ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\video/x-mpeg2a ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\video/x-ms-asf ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\video/x-ms-asf-plugin ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\video/x-ms-wm ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\video/x-ms-wmp ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\video/x-ms-wmv ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\video/x-ms-wmx ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\video/x-ms-wvx ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\video/x-msvideo ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\image/bmp\Bits ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\image/gif\Bits ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\image/jpeg\Bits ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\image/pjpeg\Bits ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\image/png\Bits ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\image/x-png\Bits ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content
Type\image/x-wmf\Bits ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\Bug! ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\Bug! ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\Bug! ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\DemolitionDerby2 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\DemolitionDerby2 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\DemolitionDerby2 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\MortalKombat3 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\MortalKombat3 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\MortalKombat3 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\MsGolf98 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\MsGolf98 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\MsGolf98 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\NHLPowerPlay ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\NHLPowerPlay ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\NHLPowerPlay ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\NortonSystemInfo ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\NortonSystemInfo ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\NortonSystemInfo ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\Rogue Squadron ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\Rogue Squadron ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\Rogue Squadron ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\Savage ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\Savage ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\Savage ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\ScorchedPlanet ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\ScorchedPlanet ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\ScorchedPlanet ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\SilentThunder ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\SilentThunder ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\SilentThunder ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\Terracide ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\Terracide ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\Terracide ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\ThirdDimension ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\ThirdDimension ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\ThirdDimension ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\ZiffDavisQualityBenchmark ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\ZiffDavisQualityBenchmark ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\ZiffDavisQualityBenchmark ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\