Trojan.Win32.FlyStudio_8ac4783a69

by malwarelabrobot on July 12th, 2014 in Malware Descriptions.

Trojan.Autoit.BCW (B) (Emsisoft), Trojan.Autoit.BCW (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericEmailWorm.YR, PackedMoleBoxVS.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm, Packed, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 8ac4783a69ff381608ef075490eed7a3
SHA1: 2a5cd15bbec7e793403e9eef1701ac56fa5710f9
SHA256: 156c24680fc937eccab88b1b5b36a7f5667c9237677d33e381b52db6a9db3af8
SSDeep: 49152:m1vqjdPQAiADgQ YI90rO6dhYxjezp3hqPqJQTyn73X3Xak :m1vqjBiADgpYW09duEp3hwqJQT67n3KB
Size: 2723044 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-04-16 10:47:33
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour   Description
EmailWorm   Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

taskkill.exe:600
taskkill.exe:1056
taskkill.exe:1636
taskkill.exe:1252
taskkill.exe:828
taskkill.exe:372
wyhtray.exe:1944
%original file name%.exe:1504
wmsflxgrwdsx.ocx:796
wmsflxgrwdsx.ocx:1364
wsrchy.exe:1632
cacls.exe:1768

The Trojan injects its code into the following process(es):

taskkill.exe:2044
mssearch.exe:1800
smvscvc.exe:832
wk7b_update.exe:2044
ntvdm.exe:1752
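
The process list above is a usable detection pattern on its own: one parent spawning taskkill.exe seven times, running cacls.exe, and launching images (one of them with an .ocx extension) from freshly created directories under %WinDir%. The following is an added example for this write-up, not sandbox output: it applies that pattern to Sysmon-style process-creation events. The events are constructed, and the parent/child links in them are an assumption (the report gives PIDs but not parents).

```python
"""Flag the process pattern the report lists: a parent that bursts taskkill.exe,
runs cacls.exe, and launches images from the drop directories under %WinDir%.
Added example; events are constructed and parent/child links are assumed."""
from collections import defaultdict
from datetime import datetime

# Drop directories taken from the report's file-activity lists (relative to %WinDir%).
DROP_DIRS = (
    "\\msagent\\msyzpys\\",
    "\\cluster\\clients\\srchasy\\",
    "\\srchasst\\rpcproxy\\",
)


def image_name(path):
    """Basename of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_drop_dir(path):
    return any(d in path.replace("/", "\\").lower() for d in DROP_DIRS)


def find_suspicious_parents(events, window_s=60, taskkill_min=3):
    """events: iterable of dicts with ts (ISO 8601), pid, ppid, image.
    Returns {ppid: [reasons]} for every parent that matches the pattern."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["ppid"]].append(ev)

    findings = {}
    for ppid, children in by_parent.items():
        children.sort(key=lambda e: e["ts"])
        reasons = []

        # 1. A burst of taskkill.exe launches (the report shows seven) inside one window.
        tk = [datetime.fromisoformat(e["ts"]) for e in children
              if image_name(e["image"]) == "taskkill.exe"]
        for i in range(len(tk) - taskkill_min + 1):
            if (tk[i + taskkill_min - 1] - tk[i]).total_seconds() <= window_s:
                reasons.append(f"{taskkill_min}+ taskkill.exe launches within {window_s}s")
                break

        # 2. cacls.exe, the command-line ACL editor the report shows being spawned.
        if any(image_name(e["image"]) == "cacls.exe" for e in children):
            reasons.append("spawns cacls.exe")

        # 3. Children started from one of the drop directories.
        dropped = sorted({image_name(e["image"]) for e in children if in_drop_dir(e["image"])})
        if dropped:
            reasons.append("executes from drop directory: " + ", ".join(dropped))

        # 4. A non-.exe image run as a process (wmsflxgrwdsx.ocx in the report).
        odd = sorted({image_name(e["image"]) for e in children
                      if not image_name(e["image"]).endswith(".exe")})
        if odd:
            reasons.append("non-.exe image executed: " + ", ".join(odd))

        if reasons:
            findings[ppid] = reasons
    return findings


# Constructed events; PIDs follow the report, parents are assumed for the demo.
SAMPLE_EVENTS = [
    {"ts": "2014-07-12T10:00:00", "pid": 1504, "ppid": 1200, "image": "C:\\sample\\dropper.exe"},
    {"ts": "2014-07-12T10:00:01", "pid": 600,  "ppid": 1504, "image": "C:\\WINDOWS\\system32\\taskkill.exe"},
    {"ts": "2014-07-12T10:00:02", "pid": 1056, "ppid": 1504, "image": "C:\\WINDOWS\\system32\\taskkill.exe"},
    {"ts": "2014-07-12T10:00:03", "pid": 1636, "ppid": 1504, "image": "C:\\WINDOWS\\system32\\taskkill.exe"},
    {"ts": "2014-07-12T10:00:05", "pid": 1632, "ppid": 1504, "image": "C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\wsrchayst\\wsrchy.exe"},
    {"ts": "2014-07-12T10:00:09", "pid": 796,  "ppid": 1632, "image": "C:\\WINDOWS\\srchasst\\rpcproxy\\wmsflxgrwdsx.ocx"},
    {"ts": "2014-07-12T10:00:12", "pid": 1768, "ppid": 1504, "image": "C:\\WINDOWS\\system32\\cacls.exe"},
    {"ts": "2014-07-12T10:00:15", "pid": 1944, "ppid": 796,  "image": "C:\\WINDOWS\\msagent\\msyzpys\\wyhtray.exe"},
    {"ts": "2014-07-12T10:01:00", "pid": 2200, "ppid": 1200, "image": "C:\\WINDOWS\\system32\\notepad.exe"},
]

if __name__ == "__main__":
    for ppid, why in sorted(find_suspicious_parents(SAMPLE_EVENTS).items()):
        print(ppid, "->", "; ".join(why))
```

The taskkill threshold and window are the knobs to tune: a single taskkill from an installer is routine, a burst of them followed by cacls.exe from the same parent is not.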

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process wyhtray.exe:1944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\msagent\msyzpys\wk7b.ini (124 bytes)
%WinDir%\msagent\msyzpys\wk7b_update.exe (2321 bytes)

The process %original file name%.exe:1504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (17083 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wsrchayst\wsrchy.exe (15116 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)

The process wk7b_update.exe:2044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\msagent\msyzpys\wyhtray.exe (4 bytes)

The Trojan deletes the following file(s):

%WinDir%\msagent\msyzpys\wyhtray.exe (0 bytes)

The process wmsflxgrwdsx.ocx:796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Cluster\clients\srchasy\smvscvc.exe (7816 bytes)

The process wmsflxgrwdsx.ocx:1364 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\msagent\msyzpys\wyhtray.exe (6193 bytes)
%WinDir%\msagent\msyzpys\mssearch.exe (3825 bytes)

The process wsrchy.exe:1632 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\srchasst\rpcproxy\wydutyx.bat (1 bytes)
%WinDir%\srchasst\rpcproxy\wmsflxgrwdsx.ocx (1684 bytes)
%WinDir%\srchasst\rpcproxy\wyduyk.bat (608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7ZSfx000.cmd (192 bytes)
%WinDir%\srchasst\rpcproxy\wntldrmp.exe (2 bytes)
%WinDir%\srchasst\rpcproxy\wysztksy.sdb (6427 bytes)
%WinDir%\srchasst\rpcproxy\wywzpxksy.sdb (3787 bytes)
%WinDir%\srchasst\rpcproxy\TNProxy.dll (401 bytes)

The process ntvdm.exe:1752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir% (576 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%WinDir%\msagent (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
%WinDir%\Temp\scs3.tmp (10145 bytes)
%System%\config (96 bytes)
C:\$Directory (968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
%Documents and Settings%\%current user%\Cookies (96 bytes)
%WinDir%\Temp\scs2.tmp (33880 bytes)
%System% (1904 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\scs2.tmp (0 bytes)
%WinDir%\Temp\scs3.tmp (0 bytes)

Registry activity

Most of the values below are housekeeping that any process touching CryptoAPI, WinINet or the shell produces (the RNG "Seed", Internet Settings\Cache\Paths, Shell Folders, MountPoints2 and MUICache entries) and are not indicators on their own. The changes worth acting on are the proxy and ZoneMap modifications, the deleted "RavTrey" autorun value, and the sample-specific key under HKCU\Software\sitehelp.

The process taskkill.exe:2044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 EC 81 E3 38 A9 1F 85 0D AE DA 4A 20 E9 D3 DF"

The process taskkill.exe:600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 AA 20 AA B5 F0 ED D1 87 01 39 80 00 6B CB A8"

The process taskkill.exe:1056 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF DE 32 8D 5D 1B 22 33 2C 6D A8 32 B7 DD 2E F9"

The process taskkill.exe:1636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 13 3F 96 78 62 31 C2 92 FF 22 B4 1E AB 17 77"

The process taskkill.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD F9 B3 19 2A B3 02 DE A9 C6 A2 DB 8A 47 43 1C"

The process taskkill.exe:828 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 C0 5F C2 14 0D 57 0C A4 EB 97 CA 3B AD 7A A7"

The process taskkill.exe:372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 EE 4E 16 10 0B 2C 74 9C 8C 49 AA 85 FC DE CF"

The process wyhtray.exe:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 3B 57 00 E7 93 FD E7 1E 2F 7B F8 6C 61 9C 2D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies the IE security-zone map so that all UNC network paths are treated as part of the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone map so that all sites that bypass the proxy server are treated as part of the Local Intranet zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security-zone map so that all local (intranet) sites not listed in another zone are treated as part of the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Taken together, these changes strip the user's explicit proxy and PAC configuration (so WinINet requests, including the component's own, go direct rather than through a proxy that might log or filter them) and widen the Local Intranet zone, which runs with a lower default security level than the Internet zone. The same set of changes is repeated below, wholly or in part, by mssearch.exe, smvscvc.exe, wk7b_update.exe and wsrchy.exe.

The process mssearch.exe:1800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 60 C3 1C 84 99 79 31 9B 74 B8 22 0E 86 69 33"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies the IE security-zone map so that all UNC network paths are treated as part of the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone map so that all sites that bypass the proxy server are treated as part of the Local Intranet zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security-zone map so that all local (intranet) sites not listed in another zone are treated as part of the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 34 7E D8 6A 78 66 4E C0 5D 9D 70 97 6D 9C 50"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process smvscvc.exe:832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 26 56 40 41 69 E0 69 3F 70 B7 06 BD 70 85 CF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\sitehelp\sys]
"AutoDial" = "0"

Unlike the WinINet and shell housekeeping values above, this key is specific to the sample: the same "sitehelp" name appears in the contacted host sitehelp.zjfm.com and in the strings dumped from smvscvc.exe, so its presence is usable as a host indicator.

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RavTrey"

The process wk7b_update.exe:2044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 7F 0A AE 9C 11 34 75 4D 21 E1 FD 93 AC FE C8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies the IE security-zone map so that all UNC network paths are treated as part of the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone map so that all sites that bypass the proxy server are treated as part of the Local Intranet zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security-zone map so that all local (intranet) sites not listed in another zone are treated as part of the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process wsrchy.exe:1632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Administrative Tools" = "%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Templates" = "%Documents and Settings%\All Users\Templates"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 91 FD 80 75 17 AD 02 EC C6 06 A4 3A 65 AA EA"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"7ZSfx000.cmd" = "7ZSfx000"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%\srchasst\rpcproxy]
"wntldrmp.exe" = "wntldrmp"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies the IE security-zone map so that all UNC network paths are treated as part of the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone map so that all local (intranet) sites not listed in another zone are treated as part of the Local Intranet zone:

"IntranetName" = "1"

The Trojan modifies the IE security-zone map so that all sites that bypass the proxy server are treated as part of the Local Intranet zone:

"ProxyBypass" = "1"

The process cacls.exe:1768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 B2 22 5D 0E 58 0D 70 29 CE 15 0F CD CD 51 0C"
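
The registry changes that matter in the section above (ProxyEnable cleared with ProxyServer/AutoConfigURL/ProxyOverride deleted, the three ZoneMap flags set to 1, and the "RavTrey" autorun value removed) can be checked mechanically on a host or in a sandbox diff. The following is an added example for this write-up, not the analysis system's code. It parses .reg-format text, the format `reg export` and registry-diff tools write, in which a line of the form `"Name"=-` records a deleted value; the input below is constructed to mirror what the report lists.

```python
"""Audit a .reg-format diff for the proxy and security-zone weakening this
report describes. Added example; SAMPLE_REG is constructed from the report."""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.*)$')
HIVES = {"hkcu": "hkey_current_user", "hklm": "hkey_local_machine"}


def norm_key(key):
    """Lower-case the path and expand the HKCU/HKLM abbreviations the report uses."""
    hive, sep, rest = key.lower().partition("\\")
    return HIVES.get(hive, hive) + sep + rest


def parse_reg(text):
    """Return {key: {value_name: raw}}; a deleted value ("Name"=-) is stored as None."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = norm_key(m.group(1))
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            raw = m.group("val").strip()
            keys[current][m.group("name")] = None if raw == "-" else raw
    return keys


def dword(raw):
    """Decode the .reg `dword:xxxxxxxx` encoding; None for anything else."""
    if raw and raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return None


INET = "hkey_current_user\\software\\microsoft\\windows\\currentversion\\internet settings"
ZONEMAP = INET + "\\zonemap"
RUN = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\run"

# ZoneMap flags the report shows set to 1, and what each admits to the Local Intranet zone.
ZONEMAP_FLAGS = (
    ("UNCAsIntranet", "all UNC network paths"),
    ("ProxyBypass", "all sites that bypass the proxy"),
    ("IntranetName", "all local sites not listed in another zone"),
)


def audit(text, expected_autoruns=()):
    """Return human-readable findings for the diff in `text`.
    expected_autoruns: HKLM Run values that should still exist
    (the report shows "RavTrey" being deleted)."""
    keys = parse_reg(text)
    findings = []

    inet = keys.get(INET, {})
    deleted = [v for v in ("ProxyServer", "AutoConfigURL", "ProxyOverride")
               if v in inet and inet[v] is None]
    if dword(inet.get("ProxyEnable")) == 0 and deleted:
        findings.append("proxy disabled and values deleted: " + ", ".join(deleted))

    zonemap = keys.get(ZONEMAP, {})
    for name, what in ZONEMAP_FLAGS:
        if dword(zonemap.get(name)) == 1:
            findings.append(f"ZoneMap {name}=1: {what} moved into the Local Intranet zone")

    run = keys.get(RUN, {})
    for name in expected_autoruns:
        if run.get(name) is None:          # absent or recorded as deleted
            findings.append(f"autorun value {name!r} removed from HKLM Run")
    return findings


# Constructed diff reflecting the changes listed in the report.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"MigrateProxy"=dword:00000001
"ProxyServer"=-
"AutoConfigURL"=-
"ProxyOverride"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet"=dword:00000001
"ProxyBypass"=dword:00000001
"IntranetName"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RavTrey"=-
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG, expected_autoruns=("RavTrey",)):
        print(finding)
```

On a live host the same checks apply to a fresh `reg export` of the two keys, except that deleted values simply will not appear; compare against a known-good export of the same user profile to recover the deletions.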

Dropped PE files

MD5 File path
3b2de24c4646adfd0fd02dd78848b53f c:\WINDOWS\Cluster\clients\srchasy\smvscvc.exe
bf6824ec166348bef6a190938c975917 c:\WINDOWS\msagent\msyzpys\mssearch.exe
8b68f5a1d9826bfd55cbeb07d61ddf1e c:\WINDOWS\msagent\msyzpys\wk7b_update.exe
9ef6c49343dbf9176fe849f8fb344a40 c:\WINDOWS\srchasst\rpcproxy\TNProxy.dll
b2dadab18c318443301d0087cd7200ba c:\WINDOWS\srchasst\rpcproxy\wntldrmp.exe
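
The dropped-file table and the file-activity lists above give two kinds of host indicator: MD5s for the five PE files, and install paths under %WinDir% for those and for the .ini, .bat, .sdb and .ocx files. The following is an added example for this write-up, not the analysis system's code: it sweeps a directory tree and reports hits on either. A path-only hit is kept deliberately, since a rebuilt dropper changes every hash but tends to keep its install locations. The tree built in demo() is constructed, so its files match by path and by a stand-in hash, not by the report's real hashes.

```python
"""Sweep a directory tree for the files this report lists as dropped, matching
on relative path and on MD5. Added example; run sweep() against the real
%WinDir% on a host under investigation. demo() builds a constructed tree."""
import hashlib
import os
import shutil
import tempfile

# "Dropped PE files" table from the report: MD5 -> path relative to %WinDir%.
KNOWN_MD5 = {
    "3b2de24c4646adfd0fd02dd78848b53f": "Cluster\\clients\\srchasy\\smvscvc.exe",
    "bf6824ec166348bef6a190938c975917": "msagent\\msyzpys\\mssearch.exe",
    "8b68f5a1d9826bfd55cbeb07d61ddf1e": "msagent\\msyzpys\\wk7b_update.exe",
    "9ef6c49343dbf9176fe849f8fb344a40": "srchasst\\rpcproxy\\TNProxy.dll",
    "b2dadab18c318443301d0087cd7200ba": "srchasst\\rpcproxy\\wntldrmp.exe",
}

# Other files the file-activity section shows being written under %WinDir%.
KNOWN_PATHS = {p.lower() for p in KNOWN_MD5.values()} | {
    "msagent\\msyzpys\\wk7b.ini",
    "msagent\\msyzpys\\wyhtray.exe",
    "srchasst\\rpcproxy\\wmsflxgrwdsx.ocx",
    "srchasst\\rpcproxy\\wydutyx.bat",
    "srchasst\\rpcproxy\\wyduyk.bat",
    "srchasst\\rpcproxy\\wysztksy.sdb",
    "srchasst\\rpcproxy\\wywzpxksy.sdb",
}


def md5_of(path, chunk=1 << 20):
    """Streaming MD5 so large files are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(windir, known_md5=KNOWN_MD5, known_paths=KNOWN_PATHS):
    """Walk `windir`; return sorted (relative_path, reason) hits, where reason
    is "path", "md5" or "path+md5". Paths are compared case-insensitively
    with backslashes, whatever the host OS uses."""
    hits = []
    for root, _dirs, files in os.walk(windir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, windir).replace(os.sep, "\\").lower()
            reasons = []
            if rel in known_paths:
                reasons.append("path")
            if md5_of(full) in known_md5:
                reasons.append("md5")
            if reasons:
                hits.append((rel, "+".join(reasons)))
    return sorted(hits)


def demo():
    """Constructed tree: a file at a known path, a stand-in for smvscvc.exe
    whose hash is added to the known set, and one benign file."""
    base = tempfile.mkdtemp()
    try:
        ini = os.path.join(base, "msagent", "msyzpys", "wk7b.ini")
        exe = os.path.join(base, "Cluster", "clients", "srchasy", "smvscvc.exe")
        for path, content in ((ini, b"[constructed]\n"),
                              (exe, b"MZ constructed stand-in\n"),
                              (os.path.join(base, "win.ini"), b"; benign\n")):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)
        # Stand-in hash: the real sample's MD5 stays in KNOWN_MD5; this file is not the sample.
        known = dict(KNOWN_MD5)
        known[md5_of(exe)] = "Cluster\\clients\\srchasy\\smvscvc.exe"
        return sweep(base, known_md5=known)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for rel, reason in demo():
        print(reason, rel)
```
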

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.3.6.1
File Description:
Comments:
Language: Language Neutral

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             524311        524800    4.59884  be1208f841dc92012d5f6bbdd832e6d9
.rdata  532480           55644         55808     3.38407  2ce2b06ea4a1b942216fdcfd4aba2686
.data   589824           107800        26624     1.52615  e5d77411f751d28c6eee48a743606795
.rsrc   700416           16384         13312     3.23165  ea752960336d7ee9a51b293a3882b52c

The raw sections total about 620 KB, yet the file is 2,723,044 bytes, so roughly 2.1 MB sits in an overlay after .rsrc; no section has entropy above 5, so the "Packed" verdict above reflects that overlay rather than the code sections. The 7ZSfx000.cmd written to %Temp% by wsrchy.exe and the aut1.tmp written by the original file are consistent with self-extracting 7-Zip and AutoIt wrappers around the dropped components, which also fits the Trojan.Autoit and PackedMoleBox detection names.
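
The size mismatch between the section table and the file is the first thing to check on a sample like this, because the loader never maps an overlay and static scanners that stop at the last section miss it. The following is an added example for this write-up, not the analysis system's code: it walks the PE section table, measures the overlay and classifies its leading bytes. The PE built by build_constructed_pe() is a constructed minimal image for the demonstration, not the sample; with the real file the overlay would be roughly 2.1 MB as computed above.

```python
"""Locate and classify a PE overlay: bytes after the last section's raw data,
which the loader ignores and SFX stubs and packers use to carry their payload.
Added example; build_constructed_pe() makes a constructed image, not the sample."""
import struct

SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"


def section_table(data):
    """Return [(name, vaddr, vsize, raw_ptr, raw_size)] from the PE section headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (nsections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    off = e_lfanew + 24 + opt_size              # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, raw_ptr, raw_size))
    return sections


def classify_overlay(blob):
    """Cheap signature check on the overlay's first bytes."""
    if not blob:
        return "none"
    if blob.startswith(SEVENZIP_MAGIC):
        return "7-Zip archive"
    if blob[:2] == b"MZ":
        return "embedded PE"
    return "unknown"


def overlay_report(data):
    """Where the sections end, how much trails them, and what it looks like."""
    end = max((p + s for _, _, _, p, s in section_table(data)), default=0)
    blob = data[end:]
    return {"file_size": len(data), "sections_end": end,
            "overlay_size": len(blob), "overlay_ratio": len(blob) / len(data),
            "kind": classify_overlay(blob)}


def build_constructed_pe(overlay_bytes):
    """Constructed minimal 32-bit PE: one 16-byte .text section at 0x80 and no
    optional header (enough for the section-table walk above, not loadable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)      # i386, 1 section, SizeOfOptionalHeader 0
    sect = struct.pack("<8sIIIIIIHHI", b".text", 16, 0x1000, 16, 0x80, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + coff + sect                      # 64 + 4 + 20 + 40 = 0x80 bytes
    return header + b"\x90" * 16 + overlay_bytes


if __name__ == "__main__":
    sample = build_constructed_pe(SEVENZIP_MAGIC + b"\0" * 10)
    print(overlay_report(sample))
```

For a real file, `overlay_report(open(path, "rb").read())` gives the overlay offset to carve from; a 7-Zip signature at that offset means the payload can be listed with 7z directly, without running the stub.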

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
sitehelp.zjfm.com 61.174.61.237
sys.rradmin.com 61.183.41.240
js.users.51.la 117.21.191.223


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

The Trojan connects to the servers at the following location(s):

(No individual requests are recorded in this report; the contacted hosts are the three listed under URLs above, and the Suricata alerts indicate HTTP on a non-standard port with a User-Agent claiming a Windows NT version the ET ruleset treats as unsupported or fake.)

Strings from Dumps

The strings below were extracted from the memory dump of smvscvc.exe (PID 832). The VCL class and event names (TFReportForm, OnKeyDown, vcltest3.dll) identify it as a Delphi application; it embeds a browser control ("EmbeddedWB http://bsalsa.com/"), carries "SiteHelp 6.2.1" form and version strings, a login URL at http://www.sitehelp.cn/?act=login, the host sitehelp.zjfm.com, a hard-coded MSIE 6.0 User-Agent string, and the path of the HKLM Run key.

smvscvc.exe_832:

kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
Uh.FA
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
.Owner
EInvalidGraphicOperation
comctl32.dll
USER32.DLL
uxtheme.dll
UrlMon
Uh
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
OnKeyDown
OnKeyPressp,F
OnKeyUp
vsReport
TComboBoxExEnumerator
ole32.dll
PasswordCharDrG
ssHorizontal
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
Uh.eG
AutoHotkeysdhG
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreviewXoG
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
http://
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
%d.%d.%d.%d
PSAPI.dll
sitehelp.zjfm.com
122.224.56.230
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\hide.txt
iexplore.exe
%s...
Version 6.2.1
http://www.sitehelp.cn/
EditPassword
TFReportForm
TFReportForm
UcReportForm
CheckBoxAutoLoginClick
EditPasswordKeyDown
TFUcLoginForm
UcLoginForm
EditPassword1
EditUserNameKeyPress
ButtonMngReportd
SiteHelp 6.2.1
SiteHelp.Click.091023
olepro32.dll
grfKeyState
TComTargetExecEvent
CmdGroup
nCmdID
nCmdexecopt
hhctrl.ocx
URLMON.DLL
SHDOCLC.DLL
IWebBrowser
IWebBrowserApp
IWebBrowser2(.K
TEWBWindowSetResizable
TEWBWindowSetLeft
TEWBWindowSetTop
TEWBWindowSetWidth
TEWBWindowSetHeight
bstrUrlContext
bstrUrl
OnWindowSetResizableX4K
OnWindowSetLeft
OnWindowSetTop
OnWindowSetWidth 5K
OnWindowSetHeighth5K
Uh.IK
rcmDefault
rcmDebug
DontExecuteScripts
DontExecuteJava
DontExecuteActiveX
DisableUrlIfEncodingUTF8
EnableUrlIfEncodingUTF8
CheckFontSupportsCodePage
DisableSubmitUrlInUTF8
EnableSubmitUrlInUTF8
lpMsg
PMsg
pguidCmdGroup
TTranslateUrlEvent
pchURLIn
ppchURLOut
CmdID
pszUrl
pszUrlContext
szPassWord
ErrorUrl
OptionKeyPath
OverrideOptionKeyPathtIK
OnTranslateUrl
OnCommandExec
'%s' is not supported.
WebocPopupManagement
ValidateNavigateUrl
HttpUsernamePasswordDisable
GetUrlDomFilePathUnencoded
XmlHttp
ftp://
https://
AppEvents\Schemes\Apps\Explorer\Navigating\.Current
.Current
\ieframe.dll
\shdocvw.dll
\StringFileInfo\%0.4x%0.4x\%s
TMsgEvent
TKeyEventEx
Port
Password
poPortrait
OnKeyDown,
0.750000
3333333
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)(
EmbeddedWB http://bsalsa.com/
TFUpdateUrlHitForm
UcUpdateUrlHitForm
FormKeyDown
EditUrlStr
MemoRefurl@
EditUrlStrKeyDown
EditMinWeightKeyPress
TFEditUrlform
UcEditEUrlform
EditMinflowConKeyPress
EditTaskPageNoKeyPress
TFSelectUrlSrcForm
TFSelectUrlSrcForm IL
UcSelectUrlSrcForm
ToolButtonUrlNew
ToolButtonUrlEdit
ToolButtonUrl01
ToolButtonUrlCopyMove
ToolButtonUrl02
ToolButtonUrlDel
ToolButtonUrl06
ToolButtonUrlOn
ToolButtonUrlOff
ToolButtonUrl07
ToolButtonUrlTest
ToolButtonUrl08
ToolButtonUrlRefresh
EditUrlPageCount
ToolButtonUrlFirst
ToolButtonUrlPrev
EditUrlPageNo
ToolButtonUrlNext
ToolButtonUrlLast
EditDescribe_Sql
ToolButtonUrlFound
ListViewUrlData
ToolButtonUrlMoveFrom
ToolButtonUrlMoveTo
ToolButtonUrl05$
ToolButtonUrlCopyFrom(
ToolButtonUrlCopyTo,
ToolButtonUrl040
ToolButtonUrlTemplate4
ToolButtonUrl038
ComboBoxUrlMngState<
ComboBoxUrlOnOff
ListViewUrlDataDeletion
ToolButtonUrlFirstClick
ToolButtonUrlPrevClick
ToolButtonUrlNextClick
ToolButtonUrlLastClick
ToolButtonUrlFoundClick
ToolButtonUrlEditClick
ToolButtonUrlDelClick
ToolButtonUrlOnClick
ToolButtonUrlOffClick
ToolButtonUrlTestClick
ToolButtonUrlNewClick
EditUrlPageNoKeyPress!
ToolButtonUrlCopyFromClick!
ToolButtonUrlMoveFromClick
ToolButtonUrlCopyToClick
ToolButtonUrlMoveToClick!
ToolButtonUrlCopyMoveClick
EditPlanPageNoKeyPress
EditBankPageNoKeyPress
EditPayCurrenyKeyPress
EditHowKeyPress
EditSellNumKeyPress
EditPriceKeyPress
EditNumKeyPress
EdithowKeyPress
EditOldPassword
EditNewPassword
EditNewPassword1
TFEditPassWordForm
UcEditPassWordForm
EditUserNameKeyDown
TFMemberLoginForm
UcMemberLoginForm
-6.2.1
http://www.sitehelp.cn/?act=login
NEditPasswordp
NReLogin
ToolButtonTaskEditUrl
ToolButtonCertify
LabelAutoCertify1
LabelAutoCertify
LabelBeReportExp1
LabelBeReportExp
NEditPasswordClick
NReLoginClick
GotoTaskPanelActionExecute!
GotoAllyPanelActionExecute"
GotoGroupPanelActionExecute!
GotoFullPanelActionExecute#
GotoRedeemPanelActionExecute!
GotoTranPanelActionExecute"
GotoStatePanelActionExecute!
GotoBillPanelActionExecute!
GotoMainPanelActionExecute
ToolButtonTaskEditUrlClick
ToolButtonCertifyClick
EditTradePageNoKeyPress
6.2.1
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %d %s %d %s %s
ftpTransfer
ftpReady
ftpAborted
ClientPortMinT
ClientPortMax
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
saUsernamePassword
PasswordT
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
TIdTCPClient
IdTCPClient
BoundPort
PortU
password
IdHTTPHeaderInfo
ProxyPasswordT
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile
CertFile
KeyFiled
OnGetPassword
EIdOSSLLoadingRootCertError0
EIdOSSLLoadingCertError
EIdOSSLLoadingKeyError
CommentURL
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
IdHTTP0
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPRequest
TIdHTTPProtocol
TIdCustomHTTP
TIdHTTP
HTTPOptions,
EIdHTTPProtocolException
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
V<.uQ
[*].txt
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
?456789:;<=
!"#$%&'()*+,-./0123
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegQueryInfoKeyA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
VkKeyScanA
UnhookWindowsHookEx
SetWindowsHookExA
SetKeyboardState
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
shell32.dll
ShellExecuteA
wininet.dll
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
ws2_32.dll
rasapi32.dll
.AXQBome
KWindows
0IdHTTPHeaderInfo
 IdTCPServer
IdTCPStream
.ScktComp
9ShExecSyses
tUcEditPassWordForm
TUcLoginForm
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
Glyph.Data
OnKeyPress
Items.Strings
KeyPreview
(0,0)-(0,0)
FEditPassWordForm
PasswordChar
FEditUrlform
EditUrlStr
MemoRefurl
PrintOptions.Margins.Left
PrintOptions.Margins.Right
PrintOptions.Margins.Top
PrintOptions.Margins.Bottom
PrintOptions.HTMLHeader.Strings
PrintOptions.Orientation
FMemberLoginForm
Picture.Data
2011:04:13 16:36:43
urlTEXT
MsgeTEXT
Hhttp://ns.adobe.com/xap/1.0/
xmlns:xapMM='http://ns.adobe.com/xap/1.0/mm/'>
adobe:docid:photoshop:ee57afb0-65a8-11e0-8bb1-901c3079a64f
0.0.0.0
GotoAllyPanelActionExecute
GotoGroupPanelActionExecute
GotoTaskPanelActionExecute
GotoBillPanelActionExecute
GotoFullPanelActionExecute
GotoRedeemPanelActionExecute
GotoTranPanelActionExecute
GotoStatePanelActionExecute
Q.Upe
NEditPassword
FReportForm
FSelectUrlSrcForm
Q.UUS
v.UUS
Pen.Style
Brush.Color
Lines.Strings
ToolButtonUrl03
ToolButtonUrlTemplate
ToolButtonUrlCopyFrom
ToolButtonUrlCopyFromClick
ToolButtonUrlCopyTo
ToolButtonUrl04
ToolButtonUrlMoveTo
ToolButtonUrlMoveToClick
ToolButtonUrl05
EditUrlPageNoKeyPress
ComboBoxUrlMngState
FUcLoginForm
2009:09:01 11:40:02
#.HDHz=
adobe:docid:photoshop:67b8923a-96a8-11de-a27a-b73e1d04195a
ButtonMngReport
EditPassword1
FUpdateUrlHitForm
.idata
.rdata
P.reloc
P.rsrc
P.text
.data
20050518
66991aa.777.BOX
KERNEL32.dll
USER32.dll
1.1.4
WindowsNT(unknown)
Windows.NET
WindowsXP
Windows2000
WindowsNT(4.0)
WindowsNT(3.51)
Windows9x(unknown)
WindowsMe
Windows98
Windows95
:BOX:ReadCompressedSection: decompresion failed with code %d
The dynamic link library '%s' could not be found
oleaout32.dll
oleoaut32.dll
D:\Projects\My.SRC\MoleStudio\MoleBox\molebox2\bootup\mbx_DLL.cpp
MBX@%X@*.###
Error at %s:%d
-up1.txt
-up.txt
windows error %s
at %s(%d)
MBX@%X@%X.###
MBX@%X@%X@%X.###
HAS NO ACCESS TO EXECUTABLE
ESI:0xX EDI:0xX
ESP:0xX EBP:0xX EIP:0xX
EAX:0xX EDX:0xX ECX:0xX
ES :0xX FS :0xX GS :0xX
CS :0xX SS :0xX DS :0xX
__SEH__ 0x%x at 0x%x
{CC7574E4-5E39-4700-B286-269A82DD8E95}
_splashscreen.bmp
!broken!0xx:
0xx:[%s]:(x:x)
0xx:[unknown]:unknown
0xx: 0xx 0xx 0xx 0xx
ADVAPI32.DLL
CLSID\{x-x-x-xx-xxxxxx}\InprocServer32
errorUrl
TFEDITPASSWORDFORM
TFEDITURLFORM
TFMEMBERLOGINFORM
TFREPORTFORM
TFSELECTURLSRCFORM
TFUCLOGINFORM
TFUPDATEURLHITFORM
Error creating SSL context. Could not load root certificate.
Could not load certificate.#Could not load key, check password.
SSL status: "%s"
QRequest rejected because the client program and identd report different user-ids.
Command not supported.
Address type not supported.$Error accepting connection with SSL.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
Chunk StartedDThis authentication method is already registered with class name %s.
%s is not a valid service.
Socket Error # %d
Operation would block.
Operation now in progress.
Operation already in progress.
File "%s" not found1Only one TIdAntiFreeze can exist per application.
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
Max line length exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.
E%d is an invalid PageIndex value. PageIndex must be between 0 and %d=This control requires version 4.70 or greater of COMCTL32.DLL
Date exceeds maximum of %s
Date is less than minimum of %s4You must be in ShowCheckbox mode to set to this date#Failed to set calendar date or time%Failed to set maximum selection range$Failed to set calendar min/max range%Failed to set calendar selected range
No help keyword specified.,Cannot Create System Shell Notification Icon,Cannot Remove System Shell Notification Icon&Cannot change the size of a JPEG image
JPEG error #%d
Failed to clear tab control Failed to delete tab at index %d"Failed to retrieve tab at index %d Failed to get object at index %d"Failed to set tab "%s" at index %d Failed to set object at index %d
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Value must be between %d and %d
Invalid clipboard format Clipboard does not support Icons
Text exceeds memo capacity/Menu '%s' is already being used by another form
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window$Parent given is not a parent of '%s'
%s property out of range
$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)0Tab position incompatible with current tab style0Tab style incompatible with current tab position
Scan line index out of range!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
"Variant method calls not supported
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
!'%s' is not a valid integer value('%s' is not a valid floating point value!'%s' is not a valid date and time
I/O error %d
login_bk
3.3.6.1

smvscvc.exe_832_rwx_00401000_00135000:

kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
Uh.FA
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
.Owner
EInvalidGraphicOperation
comctl32.dll
USER32.DLL
uxtheme.dll
UrlMon
Uh
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
OnKeyDown
OnKeyPressp,F
OnKeyUp
vsReport
TComboBoxExEnumerator
ole32.dll
PasswordCharDrG
ssHorizontal
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
Uh.eG
AutoHotkeysdhG
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreviewXoG
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
http://
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
%d.%d.%d.%d
PSAPI.dll
sitehelp.zjfm.com
122.224.56.230
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\hide.txt
iexplore.exe
%s...
Version 6.2.1
http://www.sitehelp.cn/
EditPassword
TFReportForm
TFReportForm
UcReportForm
CheckBoxAutoLoginClick
EditPasswordKeyDown
TFUcLoginForm
UcLoginForm
EditPassword1
EditUserNameKeyPress
ButtonMngReportd
SiteHelp 6.2.1
SiteHelp.Click.091023
olepro32.dll
grfKeyState
TComTargetExecEvent
CmdGroup
nCmdID
nCmdexecopt
hhctrl.ocx
URLMON.DLL
SHDOCLC.DLL
IWebBrowser
IWebBrowserApp
IWebBrowser2(.K
TEWBWindowSetResizable
TEWBWindowSetLeft
TEWBWindowSetTop
TEWBWindowSetWidth
TEWBWindowSetHeight
bstrUrlContext
bstrUrl
OnWindowSetResizableX4K
OnWindowSetLeft
OnWindowSetTop
OnWindowSetWidth 5K
OnWindowSetHeighth5K
Uh.IK
rcmDefault
rcmDebug
DontExecuteScripts
DontExecuteJava
DontExecuteActiveX
DisableUrlIfEncodingUTF8
EnableUrlIfEncodingUTF8
CheckFontSupportsCodePage
DisableSubmitUrlInUTF8
EnableSubmitUrlInUTF8
lpMsg
PMsg
pguidCmdGroup
TTranslateUrlEvent
pchURLIn
ppchURLOut
CmdID
pszUrl
pszUrlContext
szPassWord
ErrorUrl
OptionKeyPath
OverrideOptionKeyPathtIK
OnTranslateUrl
OnCommandExec
'%s' is not supported.
WebocPopupManagement
ValidateNavigateUrl
HttpUsernamePasswordDisable
GetUrlDomFilePathUnencoded
XmlHttp
ftp://
https://
AppEvents\Schemes\Apps\Explorer\Navigating\.Current
.Current
\ieframe.dll
\shdocvw.dll
\StringFileInfo\%0.4x%0.4x\%s
TMsgEvent
TKeyEventEx
Port
Password
poPortrait
OnKeyDown,
0.750000
3333333
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)(
EmbeddedWB http://bsalsa.com/
TFUpdateUrlHitForm
UcUpdateUrlHitForm
FormKeyDown
EditUrlStr
MemoRefurl@
EditUrlStrKeyDown
EditMinWeightKeyPress
TFEditUrlform
UcEditEUrlform
EditMinflowConKeyPress
EditTaskPageNoKeyPress
TFSelectUrlSrcForm
TFSelectUrlSrcForm IL
UcSelectUrlSrcForm
ToolButtonUrlNew
ToolButtonUrlEdit
ToolButtonUrl01
ToolButtonUrlCopyMove
ToolButtonUrl02
ToolButtonUrlDel
ToolButtonUrl06
ToolButtonUrlOn
ToolButtonUrlOff
ToolButtonUrl07
ToolButtonUrlTest
ToolButtonUrl08
ToolButtonUrlRefresh
EditUrlPageCount
ToolButtonUrlFirst
ToolButtonUrlPrev
EditUrlPageNo
ToolButtonUrlNext
ToolButtonUrlLast
EditDescribe_Sql
ToolButtonUrlFound
ListViewUrlData
ToolButtonUrlMoveFrom
ToolButtonUrlMoveTo
ToolButtonUrl05$
ToolButtonUrlCopyFrom(
ToolButtonUrlCopyTo,
ToolButtonUrl040
ToolButtonUrlTemplate4
ToolButtonUrl038
ComboBoxUrlMngState<
ComboBoxUrlOnOff
ListViewUrlDataDeletion
ToolButtonUrlFirstClick
ToolButtonUrlPrevClick
ToolButtonUrlNextClick
ToolButtonUrlLastClick
ToolButtonUrlFoundClick
ToolButtonUrlEditClick
ToolButtonUrlDelClick
ToolButtonUrlOnClick
ToolButtonUrlOffClick
ToolButtonUrlTestClick
ToolButtonUrlNewClick
EditUrlPageNoKeyPress!
ToolButtonUrlCopyFromClick!
ToolButtonUrlMoveFromClick
ToolButtonUrlCopyToClick
ToolButtonUrlMoveToClick!
ToolButtonUrlCopyMoveClick
EditPlanPageNoKeyPress
EditBankPageNoKeyPress
EditPayCurrenyKeyPress
EditHowKeyPress
EditSellNumKeyPress
EditPriceKeyPress
EditNumKeyPress
EdithowKeyPress
EditOldPassword
EditNewPassword
EditNewPassword1
TFEditPassWordForm
UcEditPassWordForm
EditUserNameKeyDown
TFMemberLoginForm
UcMemberLoginForm
-6.2.1
http://www.sitehelp.cn/?act=login
NEditPasswordp
NReLogin
ToolButtonTaskEditUrl
ToolButtonCertify
LabelAutoCertify1
LabelAutoCertify
LabelBeReportExp1
LabelBeReportExp
NEditPasswordClick
NReLoginClick
GotoTaskPanelActionExecute!
GotoAllyPanelActionExecute"
GotoGroupPanelActionExecute!
GotoFullPanelActionExecute#
GotoRedeemPanelActionExecute!
GotoTranPanelActionExecute"
GotoStatePanelActionExecute!
GotoBillPanelActionExecute!
GotoMainPanelActionExecute
ToolButtonTaskEditUrlClick
ToolButtonCertifyClick
EditTradePageNoKeyPress
6.2.1
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %d %s %d %s %s
ftpTransfer
ftpReady
ftpAborted
ClientPortMinT
ClientPortMax
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
saUsernamePassword
PasswordT
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
TIdTCPClient
IdTCPClient
BoundPort
PortU
password
IdHTTPHeaderInfo
ProxyPasswordT
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile
CertFile
KeyFiled
OnGetPassword
EIdOSSLLoadingRootCertError0
EIdOSSLLoadingCertError
EIdOSSLLoadingKeyError
CommentURL
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
IdHTTP0
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPRequest
TIdHTTPProtocol
TIdCustomHTTP
TIdHTTP
HTTPOptions,
EIdHTTPProtocolException
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
V<.uQ
[*].txt
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
?456789:;<=
!"#$%&'()*+,-./0123
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegQueryInfoKeyA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
VkKeyScanA
UnhookWindowsHookEx
SetWindowsHookExA
SetKeyboardState
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
shell32.dll
ShellExecuteA
wininet.dll
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
ws2_32.dll
rasapi32.dll
errorUrl

smvscvc.exe_832_rwx_005B0000_0001A000:

.idata
.rdata
P.reloc
P.rsrc
P.text
.data
20050518
66991aa.777.BOX
kernel32.dll
gdi32.dll
user32.dll
ole32.dll
advapi32.dll
oleaut32.dll
KERNEL32.dll
USER32.dll
1.1.4
WindowsNT(unknown)
Windows.NET
WindowsXP
Windows2000
WindowsNT(4.0)
WindowsNT(3.51)
Windows9x(unknown)
WindowsMe
Windows98
Windows95
EnumWindows
:BOX:ReadCompressedSection: decompresion failed with code %d
The dynamic link library '%s' could not be found
oleaout32.dll
oleoaut32.dll
imm32.dll
D:\Projects\My.SRC\MoleStudio\MoleBox\molebox2\bootup\mbx_DLL.cpp
MBX@%X@*.###
Error at %s:%d
-up1.txt
-up.txt
windows error %s
at %s(%d)
MBX@%X@%X.###
MBX@%X@%X@%X.###
HAS NO ACCESS TO EXECUTABLE
ESI:0xX EDI:0xX
ESP:0xX EBP:0xX EIP:0xX
EAX:0xX EDX:0xX ECX:0xX
ES :0xX FS :0xX GS :0xX
CS :0xX SS :0xX DS :0xX
__SEH__ 0x%x at 0x%x
{CC7574E4-5E39-4700-B286-269A82DD8E95}
_splashscreen.bmp
!broken!0xx:
0xx:[%s]:(x:x)
0xx:[unknown]:unknown
0xx: 0xx 0xx 0xx 0xx
ADVAPI32.DLL
CLSID\{x-x-x-xx-xxxxxx}\InprocServer32

mssearch.exe_1800:

.nsp0
.nsp1
.nsp2
.rsrc
@.enigma1
.enigma2
t%SVh
t$(SSh
~%UVW
u$SShe
Wininet.dll
wininet.dll
WinINet.dll
kernel32.dll
NTDLL.DLL
psapi.dll
user32.dll
urlmon.dll
OLEACC.DLL
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntryA
MsgWaitForMultipleObjects
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
URLDownloadToFileA
EnumWindows
{B6F7542F-B8FE-46a8-9605-98856A687097}
{EB5A8679-6C96-4465-A329-7911418F2582}
WebBrowser
2.2.9.9
web7b.ini
\web7b\web7b.ini
zexe=
[web7b]
password=
7bup.exe
\web7b.ini
web7b
http://
http://www.baidu.com
.web7b.net:85/data.asp
http=
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
">web7b
KERNEL32.DLL
WINMM.DLL
WS2_32.DLL
RASAPI32.DLL
USER32.DLL
GDI32.DLL
MSIMG32.DLL
WINSPOOL.DRV
ADVAPI32.DLL
SHELL32.DLL
OLE32.DLL
OLEAUT32.DLL
OLEDLG.DLL
WININET.DLL
ATL.DLL
COMDLG32.DLL
RegCreateKeyExA
InternetCanonicalizeUrlA
FU%Dw
N.om;
u%x*Gn1
c%1XQ
ÍsF^
yo$).Oz
 f,.BqE\_I&
P.fDD
w.XQ*
%UqAte
jZj%F
%i'%D
.ZE^A:
^~T%S
kEy|D
kEYM
Mw%X;
|Fn-
/XH@%c#
Y.Nc8
|.PGXw2
-LU}G
?@.tB
I`.SvwB
.FZhnG/f
t.XuX
/.dMS
.kK2]
.PXP9
}sS%Xrc
password=edcd3e3ad2401457
.idat
P.reloAcE$g,
.idata
.edata
P.reloc
P.rsrc
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
!"#$%&*;<=>@[]^_`{|}
ZwOpenKey
ZwEnumerateValueKey
ZwQueryKey
ZwQueryValueKey
ZwCreateKey
ZwEnumerateKey
ZwSetValueKey
ZwDeleteKey
ZwDeleteValueKey
ZwFlushKey
ZwLoadKey
ZwLoadKey2
ZwNotifyChangeKey
ZwQueryMultipleValueKey
ZwReplaceKey
ZwRestoreKey
ZwSaveKey
ZwSetInformationKey
ZwUnloadKey
ZwOpenKeyEx
ntdll.dll
ZwQuerySection, Unsupported class %d
KeySetValue unsupported value type
ZwQueryValueKey, unsupported class %d
ZwQueryKey, unsupported class %d
ZwQueryObject with unsupported class
ZwReadFileInformation with unsupported class
ZwSetInformationFile with unsupported class
sxs.dll
THookWindowsAPI
Cannot find function %s in library %s
.section
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegOpenKeyA
GetWindowsDirectoryW
GetWindowsDirectoryA
GetCPInfo
RtlFormatCurrentUserKeyPath
SHFolder.dll
shlwapi.dll
loaderx86.dll
KWindows
TntWindows
UrlMon
virtualboximportunit
(*.*)
3.3.6.1
%DEFAULT FOLDER%
debug.log
%SYSTEM FOLDER%
%WINDOWS FOLDER%
%Cookies FOLDER%
hh.exe
write.exe
attrib.exe
chkdsk.exe
compact.exe
find.exe
help.exe
winver.exe
regsvr32.exe
replace.exe
dllhost.exe
ntvdm.exe
tcpsvcs.exe
Was not able to create virtual value at ImportCall_ZwSetValueKey
Was not able to create virtual key at ImportCall_ZwSetValueKey
ImportCall_ZwLoadKey
ImportCall_ZwLoadKey2
ImportCall_ZwNotifyChangeKey
ImportCall_ZwQueryMultipleValueKey
ImportCall_ZwReplaceKey
ImportCall_ZwRestoreKey
ImportCall_ZwSaveKey
ImportCall_ZwSetInformationKey
ImportCall_ZwUnloadKey
evb*.tmp
.manifest
Unsupported call of ZwSetVolumeInformationFile
7Dispatch methods do not support more than 64 parameters
Cannot assign a %s to a %s%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
%s.Seek not implemented$Operation not allowed on sorted list
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation

wk7b_update.exe_2044:

`.rsrc
t$(SSh
~%UVW
u.hHqN
u$SShe
user32.dll
kernel32.dll
User32.dll
Wininet.dll
WinINet.dll
urlmon.dll
ComCtl32.dll
KERNEL32.DLL
OLEACC.DLL
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntryA
MsgWaitForMultipleObjects
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
EnumWindows
URLDownloadToFileA
UrlMkSetSessionOption
{B6F7542F-B8FE-46a8-9605-98856A687097}
{EB5A8679-6C96-4465-A329-7911418F2582}
WebBrowser
wk7b_update.exe
\wk7b.ini
rasphone.exe -d
2012-1-1
/wk-login.asp?banben=1.8&username=
http://
wk7b_update.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
:8090/data.asp
http://www.baidupcs.com/file/
http=
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
sys.rradmin.com:8090
sys.wk7b.com:8090
/system.asp?baidu
\wk7b_update.exe
3598123.exe
https://
@http://sys.rradmin.com:8090/fafa6688.exe
http://sys.rradmin.com/tools.asp
Shell.Explorer.2
DSound.dll
Winmm.dll
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.2a1pre) Gecko/20110324 Firefox/4.2a1pre
Mozilla/5.0 (Windows; U; Windows NT 6.1; tr-TR) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27
Mozilla/5.0 (Windows; U; Windows NT 6.0) AppleWebKit/533.1 (KHTML, like Gecko) Maxthon/3.0.8.2 Safari/533.1
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; QQDownload 1.7; GTB6.6; TencentTraveler 4.0; SLCC1; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7)
Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.53 Safari/534.30
Mozilla/4.0 (compatible; MSIE 6.1; Windows XP; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)
Mozilla/5.0 (Windows; U; Windows NT 5.1) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.33 Safari/534.3 SE 2.X MetaSr 1.0
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SV1) ; 360SE)
Opera/9.80 (Android; Linux; Opera Mobi/ADR-1012211514; U; cn) Presto/2.6.35 Version/10.1
Mozilla/4.0 (compatible; Windows Mobile; WCE; Opera Mobi/WMD-50433; U; cn) Presto/2.4.13 Version/10.00
Mozilla/5.0 (Linux;U;Android 2.2.1;zh-cn;I7500 Build FRG83) AppleWebKit/533.1 (KHTML, like Gecko)Version/4.0 Mobile Safari/533.1
Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X; zh-cn) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7
Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; zh-cn) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10
Mozilla/5.0 (Android 2.3.3; zh-cn; HTC_DesireS_S510e Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Mozilla/5.0 (Android 2.2; zh-cn; HTC Desire)/GoBrowser
Opera/9.80 (Android; Linux; Opera Mobi/ADR-1012221546; U; cn) Presto/2.7.60 Version/10.5
Opera/9.80 (Android; Opera Mini/7.6.32764/28.3234; U; zh) Presto/2.8.119 Version/11.10
Mozilla/5.0 (Linux; U; Android 2.3.7; zh-cn; Nexus One Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Mozilla/5.0 (Linux; U; Android 2.3.7; zh-cn; SCH-I699 Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Mozilla/5.0 (Android 2.3.7; zh-cn; Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Mozilla/5.0 (Linux; U; Android 2.3.6; zh-cn; MI-ONE Plus Build/GINGERBREAD) UC AppleWebKit/534.31 (KHTML, like Gecko) Mobile Safari/534.31
Mozilla/5.0 (Linux; U; Android 2.3.3; zh-cn; HTC_WildfireS_A510e Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
ieframe.dll
6=get 7.post 8.sina
Q%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSH_SCROLL_LINES_MSG
MSWHEEL_ROLLMSG
ole32.dll
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
%d / %d
Bogus message code %d
(%d-%d):
%ld%c
ReleaseNamedPipe
DisConnectNamedPipe
WriteNamedPipe
ReadNamedPipe
ConnectNamedPipe
ListenNamedPipe
CreateNamedPipe
\\.\mailslot\
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
%s\%s.lnk
Software\Microsoft\Windows\CurrentVersion\Run
%d%d%d
rundll32.exe shell32.dll,
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
SERVER_PORT_SECURE
SERVER_PORT
REMOTE_PORT
HTTPS_SERVER_SUBJECT
HTTPS_SERVER_ISSUER
HTTPS_SECRETKEYSIZE
HTTPS_KEYSIZE
HTTPS
HTTP_HeaderName
CERT_SUBJECT
CERT_SERVER_SUBJECT
CERT_SERVER_ISSUER
CERT_SERIALNUMBER
CERT_SECRETKEYSIZE
CERT_KEYSIZE
CERT_ISSUER
CERT_FLAGS
CERT_COOKIE
AUTH_PASSWORD
ALL_HTTP
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
%WinDir%\msagent\msyzpys\wk7b_update.exe
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
WinExec
GetProcessHeap
RegCreateKeyA
RegOpenKeyExA
RegCloseKey
RegCreateKeyExA
RegOpenKeyA
GetViewportOrgEx
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
ShellExecuteA
EnumChildWindows
UnhookWindowsHookEx
SetWindowsHookExA
UnregisterHotKey
RegisterHotKey
CreateDialogIndirectParamA
GetKeyState
InternetCanonicalizeUrlA
InternetCrackUrlA
.text
`.rdata
@.data
.rsrc
@5.Jve 
G%D~v
UrlA3
ADVAPI32.dll
ATL.DLL
COMCTL32.dll
comdlg32.dll
GDI32.dll
MSIMG32.dll
OLEAUT32.dll
oledlg.dll
RASAPI32.dll
SHELL32.dll
USER32.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
(*.*)

mssearch.exe_1800_rwx_004E6000_0005F000:

.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
www.dywt.com.cn
msctls_hotkey32
%d%d%d
rundll32.exe shell32.dll,
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
imagehlp.dll
.detour
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
.net:85
%WinDir%\msagent\msyzpys\mssearch.exe
GetOEMCPGetCPInfoGetProcessVersionSetErrorModeGetCurrentThreadGetFileTimeTlsGetValueLocalReAllocTlsSetValueTlsFreeGlobalHandleTlsAllocLocalAlloclstrcmpAGlobalGetAtomNameAGlobalAddAtomAGlobalFindAtomAGlobalDeleteAtomGetThreadLocaleSetEndOfFileUnlockFileLockFileFlushFileBuffersDuplicateHandlelstrcpynAFileTimeToLocalFileTimeFormatMessageALocalFreeInterlockedDecrementInterlockedIncrementFlushInstructionCacheVirtualProtectWideCharToMultiByteFileTimeToSystemTimelstrcmpiAGetVersionGetTimeZoneInformationSetLastErrorMultiByteToWideCharOpenProcessTerminateProcessGetCurrentProcessGetFileSizeSetFilePointerCreateToolhelp32SnapshotProcess32FirstProcess32NextCreateSemaphoreAResumeThreadReleaseSemaphoreEnterCriticalSectionLeaveCriticalSectionGetProfileStringAWriteFileReadFileGetLastErrorWaitForMultipleObjectsCreateFileASetEventFindResourceALoadResourceLockResourceGetModuleFileNameAGetCurrentThreadIdExitProcessGlobalSizeGlobalFreeDeleteCriticalSectionInitializeCriticalSectionlstrcatAWinExeclstrcpyAFindNextFileAGlobalReAllocHeapFreeHeapReAllocGetProcessHeapHeapAllocGetUserDefaultLCIDGetFullPathNameAFreeLibraryLoadLibraryAlstrlenAlstrlenWGetVersionExAWritePrivateProfileStringAGetPrivateProfileStringACreateThreadCreateEventASleepGlobalAllocGlobalLockGlobalUnlockFindFirstFileAFindCloseGetFileAttributesADeleteFileACopyFileASetCurrentDirectoryAGetVolumeInformationAGetModuleHandleAGetProcAddressMulDivInterlockedExchangeGetCommandLineAGetTickCountCreateProcessAWaitForSingleObjectCloseHandleGetStartupInfoARtlUnwindGetSystemTimeGetLocalTimeRaiseExceptionHeapSizeGetACPSetStdHandleGetFileTypeUnhandledExceptionFilterFreeEnvironmentStringsAFreeEnvironmentStringsWGetEnvironmentStringsGetEnvironmentStringsWSetHandleCountGetStdHandleGetEnvironmentVariableAHeapDestroyHeapCreateVirtualFreeSetEnvironmentVariableALCMapStringALCMapStringWVirtualAllocIsBadWritePtrSetUnhandledExceptionFilterGetStringTypeAGetStringTypeWCompareStringACompareStringWIsBadReadPtrIsBadCodePtrGlobalFlagsmidiStreamOutmidiOutPrepareHeadermidiStreamPropertymidiStreamOpenmidiOutUnprepareHeaderwaveOutOpenwaveOutGetNumDevswaveOutClosewaveOutResetwaveOutUnprepareHeaderwaveOutPrepareHeaderwaveOutWritewaveOutPausemidiStreamStopmidiOutResetmidiStreamClosemidiStreamRestart
RasGetConnectStatusARasEnumConnectionsARasEnumEntriesARasGetEntryDialParamsARasHangUpAPostQuitMessageIsZoomedGetSystemMenuDeleteMenuGetClassInfoADefWindowProcAGetMenuSetMenuPeekMessageACopyAcceleratorTableAGetKeyStateTranslateAcceleratorAIsWindowEnabledShowWindowLoadImageAEnumDisplaySettingsAClientToScreenEnableMenuItemIsIconicSetFocusGetActiveWindowPostThreadMessageAGetNextDlgGroupItemGetSubMenuGetDlgCtrlIDCreateAcceleratorTableACreateMenuModifyMenuAAppendMenuACreatePopupMenuDrawIconExCreateIconFromResourceCreateIconFromResourceExRegisterClipboardFormatASetRectEmptyDispatchMessageAGetMessageAWindowFromPointDrawFocusRectDrawEdgeDrawFrameControlLoadIconATranslateMessageSystemParametersInfoAGetDesktopWindowGetWindowDestroyAcceleratorTableSetWindowRgnGetMessagePosScreenToClientChildWindowFromPointExCopyRectLoadBitmapAWinHelpAKillTimerSetTimerReleaseCaptureGetCaptureSetCaptureGetScrollRangeSetScrollRangeGetClassNameAInflateRectSetRectIntersectRectDestroyIconPtInRectOffsetRectIsWindowVisibleEnableWindowRedrawWindowGetWindowLongAMapDialogRectSetWindowContextHelpIdCharNextALoadStringAGetMenuCheckMarkDimensionsSetMenuItemBitmapsCheckMenuItemIsDialogMessageAScrollWindowExSendDlgItemMessageAMapWindowPointsAdjustWindowRectExScrollWindowGetScrollInfoSetScrollInfoShowScrollBarGetScrollPosRegisterClassAGetClassLongARemovePropAGetMessageTimeGetLastActivePopupGetForegroundWindowRegisterWindowMessageAGetWindowPlacementGetNextDlgTabItemEndDialogCreateDialogIndirectParamADestroyWindowEndPaintBeginPaintSetWindowLongAGetSysColorSetActiveWindowSetCursorPosLoadCursorASetCursorGetDCFillRectIsRectEmptyReleaseDCIsChildTrackPopupMenuDestroyMenuSetForegroundWindowGetWindowRectEqualRectUpdateWindowValidateRectInvalidateRectGetClientRectGetFocusGetParentGetTopWindowPostMessageAIsWindowSetParentDestroyCursorSendMessageASetWindowPosMessageBeepMessageBoxAGetCursorPosGetSystemMetricsEmptyClipboardSetClipboardDataOpenClipboardGetClipboardDataCloseClipboardwsprintfAWaitForInputIdleGetWindowThreadProce
ssIdFindWindowAGetDlgItemFindWindowExAGetWindowTextADrawTextAUnregisterClassASetWindowsHookExAUnhookWindowsHookExEnumThreadWindowsGetWindowTextLengthAEnumChildWindowsCallNextHookExCallWindowProcAGetWindowDCGetSysColorBrushFrameRectCreateWindowExARegisterHotKeyUnregisterHotKeySetWindowTextAGetCursorSetPropAMoveWindowGetPropAWindowFromDCTabbedTextOutAGrayStringADrawStateAGetTabbedTextExtentAGetMenuStringAGetMenuItemIDGetMenuItemCountSetScrollPosGetMenuStateCharUpperADPtoLPGetCurrentObjectRoundRectArcGetTextExtentPoint32AGetDeviceCapsGetWindowExtExGetDIBitsRealizePaletteSelectPaletteStretchBltCreatePaletteGetSystemPaletteEntriesCreateDIBitmapDeleteObjectSelectClipRgnCreatePolygonRgnGetClipRgnSetStretchBltModeSetPixelCreateRectRgnIndirectSetBkColorDeleteDCSetBkModeLineToSetTextColorCreateEllipticRgnIndirectGetTextMetricsACreateFontATranslateCharsetInfoSetWindowOrgExSaveDCRestoreDCPtVisibleRectVisibleTextOutAExtTextOutAEscapeExcludeClipRectGetClipBoxScaleWindowExtExSetWindowExtExScaleViewportExtExSetViewportExtExOffsetViewportOrgExSetViewportOrgExEndDocEndPageGetObjectAGetStockObjectCreateFontIndirectACreateSolidBrushCombineRgnCreateRectRgnFillRgnPatBltCreatePenSelectObjectCreateBitmapCreateBrushIndirectCreateDCACreateCompatibleBitmapGetPolyFillModeGetStretchBltModeGetROP2GetBkColorGetBkModeGetTextColorCreateRoundRectRgnCreateEllipticRgnPathToRegionEndPathBeginPathSetMapModeSetROP2SetPolyFillModeExtSelectClipRgnGetViewportExtExGetMapModeStartDocAStartPageBitBltLPtoDPRectangleEllipseSetPixelVCreateCompatibleDCCreatePenIndirectGetPixelGetWindowOrgExMoveToExGetViewportOrgExGradientFillDocumentPropertiesAOpenPrinterAClosePrinterRegCreateKeyExARegQueryValueARegDeleteKeyARegDeleteValueARegCreateKeyARegSetValueExARegOpenKeyExARegQueryValueExARegCloseKeyShell_NotifyIconAShellExecuteADragQueryFileADragFinishDragAcceptFilesCreateILockBytesOnHGlobalCoFreeUnusedLibrariesCoRegisterMessageFilterCoRevokeClassObjectOleFlushClipboardOleIsCurrentClipboardStgCreateDocfileOnILockBytesStgOpe
nStorageOnILockBytesCoGetClassObjectCoDisconnectObjectCLSIDFromStringOleUninitializeOleInitializeCLSIDFromProgIDCoTaskMemFreeCoTaskMemAlloc
InternetCanonicalizeUrlAInternetCrackUrlAHttpOpenRequestAHttpSendRequestAHttpQueryInfoAInternetConnectAInternetSetOptionAInternetOpenAInternetCloseHandleInternetReadFile
#include "l.chs\afxres.rc" // Standard components
(*.*)

mssearch.exe_1800_rwx_00548000_00001000:

mssearch.exe_1800_rwx_005A7000_00001000:

mssearch.exe_1800_rwx_005D9000_00002000:

mssearch.exe_1800_rwx_005DC000_00002000:

wk7b_update.exe_2044_rwx_00401000_00157000:

ntvdm.exe_1752:

ntvdm.exe_1752_rwx_00000000_00010000:

ntvdm.exe_1752_rwx_00010000_00090000:

ntvdm.exe_1752_rwx_000A0000_00020000:

ntvdm.exe_1752_rwx_000C9000_00013000:

ntvdm.exe_1752_rwx_000E8000_00008000:

ntvdm.exe_1752_rwx_00100000_00010000:



Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    taskkill.exe:600
    taskkill.exe:1056
    taskkill.exe:1636
    taskkill.exe:1252
    taskkill.exe:828
    taskkill.exe:372
    wyhtray.exe:1944
    %original file name%.exe:1504
    wmsflxgrwdsx.ocx:796
    wmsflxgrwdsx.ocx:1364
    wsrchy.exe:1632
    cacls.exe:1768

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %WinDir%\msagent\msyzpys\wk7b.ini (124 bytes)
    %WinDir%\msagent\msyzpys\wk7b_update.exe (2321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (17083 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wsrchayst\wsrchy.exe (15116 bytes)
    %WinDir%\msagent\msyzpys\wyhtray.exe (4 bytes)
    %WinDir%\Cluster\clients\srchasy\smvscvc.exe (7816 bytes)
    %WinDir%\msagent\msyzpys\mssearch.exe (3825 bytes)
    %WinDir%\srchasst\rpcproxy\wydutyx.bat (1 bytes)
    %WinDir%\srchasst\rpcproxy\wmsflxgrwdsx.ocx (1684 bytes)
    %WinDir%\srchasst\rpcproxy\wyduyk.bat (608 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7ZSfx000.cmd (192 bytes)
    %WinDir%\srchasst\rpcproxy\wntldrmp.exe (2 bytes)
    %WinDir%\srchasst\rpcproxy\wysztksy.sdb (6427 bytes)
    %WinDir%\srchasst\rpcproxy\wywzpxksy.sdb (3787 bytes)
    %WinDir%\srchasst\rpcproxy\TNProxy.dll (401 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
    %WinDir%\Temp\scs3.tmp (10145 bytes)
    %System%\config (96 bytes)
    C:\$Directory (968 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
    %WinDir%\Temp\scs2.tmp (33880 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.