Besoin d’aide ? Fais appel à la communauté ou embauche un spécialiste.
Aller à Avira Answers
Virus:Worm/Esfury.A.354
Date discovered:21/10/2010
Type:Worm
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:55.296 Bytes
MD5 checksum:edd7d51ffe2581410536940a542e5648
VDF version:7.10.05.227
IVDF version:7.10.13.12 - Thursday, October 21, 2010

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: W32.Rontokbro@mm
   •  Kaspersky: P2P-Worm.Win32.Palevo.bqgg
   •  F-Secure: P2P-Worm.Win32.Palevo.ayda
     Microsoft: Worm:Win32/Esfury
   •  Eset: Win32/AutoRun.VB.UG
     DrWeb: Win32.HLLW.Autoruner.33906


Platforms / OS:
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
    Windows Vista
    Windows Server 2008
    Windows 7


Side effects:
   • Blocks access to security websites
   • Disable security applications
   • Registry modification

 Files It copies itself to the following location:
   • %HOME%\%random numbers%\winlogon.exe

 Registry The following registry keys are added in order to run the processes after reboot:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "NVIDIA Media Center Library"="%HOME%\%random numbers%\winlogon.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "NVIDIA Media Center Library"="%HOME%\%random numbers%\winlogon.exe"



The following registry keys are added:

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2servic.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acs.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ahnsd.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alerter.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon9x.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\anti-trojan.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antigen.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirus.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ants.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apimonitor.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aplica32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apvxdwin.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashWebSv.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atcon.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atguard.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atro55en.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atupdater.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atwatch.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aupdate.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autodown.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autotrace.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoupdate.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ave32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgctrl.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgemc.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv9.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgw.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkpop.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkserv.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkservice.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkwcl9.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkwctl9.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnotify.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnt.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpcc.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpdos32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpexec.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpinst.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpm.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpmon.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpnt.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avptc32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpupd.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bisp.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blackd.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blackice.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bootwarn.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\borg2.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bs120.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuard.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\callmsi.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccevtmgr.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cclaw.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccpxysvc.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccsetmgr.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccshtdwn.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdp.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfgwiz.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiadmin.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiaudit.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfind.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ChromeSetup.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clamauto.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95cf.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmgrdian.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmon016.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\connectionmonitor.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\consent.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpd.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpdclnt.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf9x206.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpfnt206.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\crashreporter.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csinject.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csinsm32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\css1631.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctrl.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cv.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cwnb181.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cwntdwmo.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defalert.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defscangui.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deputy.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Diskmon.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\doors.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dpf.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drvins32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwatson.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drweb32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumphive.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dv95.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dv95_o.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95_0.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\earthagent.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecengine.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecls.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecmd.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\edi.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\efinet32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\efpeadm.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHttpSrv.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ent.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\esafe.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanh95.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanhnt.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanv95.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\espwatch.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\etrustcipe.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\evpn.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ewido.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exantivirus-cnet.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exit.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\expert.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot95.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-stopw.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fa-setup.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fact.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fameh32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fast.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fch32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fih32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Filemon.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\findviru.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firewall.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallControlPanel.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallSettings.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fix-it.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\flowprotector.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fnrb32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win_trial.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVServer.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprot.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprot95.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frw.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsaa.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530stbyb.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530wtbyb.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav95.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsave32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsgk32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fslaunch.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsm32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsma32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsmb32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fssm32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fwenc.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fwinstall.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbmenu.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbpoll.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GenericRenosFix.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\generics.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gibe.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleToolbarInstaller_download_signed.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEDFix.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iface.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ifw2000.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iomon98.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmor.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iris.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isrv95.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jammer.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jed.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jedi.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav8.0.0.357es.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlite40eng.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavpers40eng.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-pf-213-en-win.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-wrl-421-en-win.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-wrp-421-en-win.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\killprocesssetup161.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kis8.0.0.506latam.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpf.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldnetmon.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpro.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpromenu.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldscan.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\licmgr.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\localnet.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmnhdlr.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mctool.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcuimgr.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdate.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsrte.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mdll.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfw2en.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfweng3.02d30.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgavrtcl.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgavrte.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mghtml.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgui.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\minilog.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monitor.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monsys32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monsysnt.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monwow.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\moolive.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpfagent.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpfservice.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpftray.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrflux.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msblast.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msn.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspatch.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mssmmc32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mu0311ad.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mwatch.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mxtask.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\n32scan.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\n32scanw.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nai_vs_stat.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nav32_loader.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nav80try.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navap.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapsvc.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapw32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navauto-protect.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navdx.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naveng.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navengnavex15.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcc2k_76_1436.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccclient.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prckiller.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Process.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processmonitor.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexplorerv1.0.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\programauditor.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\proport.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectx.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pspf.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\purge.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pview.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pview95.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qconsole.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qserver.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rapapp.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wradmin.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wrctrl.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2Fix.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsbgate.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wyvernworksfirewall.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpf202en.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xscan.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zatutor.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zatutorzauinst.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zauinst.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlh.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalarm.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalm2601.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpm.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_findviru.exe]
     "Debugger"="%HOME%\%random numbers%\winlogon.exe"




The following registry keys are changed:

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
   Old value:
   • "Local Page"="%user defined settings%"
   • "Default_Page_URL"="%user defined settings%"
   • "Default_Search_URL"="%user defined settings%"
   • "Search Page"="%user defined settings%"
   • "Start Page"="%user defined settings%"
   New value:
   • "Local Page"="http://6-a-i-r-3-l-x-5-z**********.info"
   • "Default_Page_URL"="http://0-7-q-5-0-g-g**********.info"
   • "Default_Search_URL"="http://i-g-h-3-6-q-5-p**********.info"
   • "Search Page"="http://4-s-4-k-q-7-6-v**********.info"
   • "Start Page"="http://i-j-p-8-s-j-5-k-h**********.info"

[HKCU\Software\Microsoft\Internet Explorer\Main]
   Old value:
   • "Local Page"="%user defined settings%"
     "Start Page"="%user defined settings%"
     "Search Page"="%user defined settings%"
     "Default_Search_URL"="%user defined settings%"
     "Default_Page_URL"="%user defined settings%"
   New value:
   • "Local Page"="http://1-a-t-2-7-y-4-y**********.info"
     "Start Page"="http://j-4-3-.a-l-v-d-z**********.info"
     "Search Page"="http://0-u-3-0-z-2-h**********-0.info"
     "Default_Search_URL"="http://s-1-n-4-j-1-y-d-5-s**********.info"
     "Default_Page_URL"="http://p-.j-z-0-3-0-u-u-x**********.info"

[HKLM\SOFTWARE\Microsoft\Security Center]
   New value:
   • "UacDisableNotify"=dword:00000001

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
   New value:
   • "AntiVirusDisableNotify"=dword:00000001
     "AntiVirusOverride"=dword:00000001
     "FirewallDisableNotify"=dword:00000001
     "FirewallOverride"=dword:00000001
     "FirstRunDisabled"=dword:00000001
     "UpdatesDisableNotify"=dword:00000001
     "UacDisableNotify"=dword:00000001

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
   New value:
   • "ConsentPromptBehaviorAdmin"=dword:00000000
     "EnableLUA"=dword:00000000
     "PromptOnSecureDesktop"=dword:00000001

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
   New value:
   • "NoFolderOptions"=dword:00000001

[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
   New value:
   • "NoAutoRebootWithLoggedOnUsers"=dword:00000001

[HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
   Old value:
   • "EnableFirewall"="%user defined settings%"
   New value:
   • "EnableFirewall"=dword:00000000

[HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
   Old value:
   • "EnableFirewall"="%user defined settings%"
   New value:
   • "EnableFirewall"=dword:00000000

[HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   New value:
   • "%HOME%\%random numbers%\winlogon.exe"="%HOME%\%random numbers%\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   New value:
   • "%HOME%\%random numbers%\winlogon.exe"="%HOME%\%random numbers%\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   New value:
   • "NoRun"=dword:00000001
     "NoFile"=dword:00000001
     "NoFolderOptions"=dword:00000001

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   New value:
   • "DisableRegistryTools"=dword:00000001
     "DisableTaskMgr"=dword:00000001

[HKCU\Software\Policies\Microsoft\Windows\System]
   New value:
   • "DisableCMD"=dword:00000001

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
   New value:
   • "DisableSR"=dword:00000001

[HKLM\SYSTEM\ControlSet001\Services\sr]
   New value:
   • "Start"=dword:00000004

[HKLM\SYSTEM\ControlSet001\Services\wscsvc]
   New value:
   • "Start"=dword:00000004

[HKLM\SYSTEM\CurrentControlSet\Services\sr]
   New value:
   • "Start"=dword:00000004

[HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]
   New value:
   • "Start"=dword:00000004

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "Hidden"=dword:00000002
     "HideFileExt"=dword:00000003
     "SuperHidden"=dword:00000001

 Hosts The host file is modified as explained:

In this case existing entries are deleted.

Access to the following domains is effectively blocked:
   • 208.109.220.95 viabcp.com
   • 208.109.220.95 www.viabcp.com
   • 208.109.220.95 bcpzonasegura.viabcp.com
   • 173.236.65.132 www.produbanco.com
   • 173.236.65.132 produbanco.com
   • 173.236.65.132 www.pichincha.com
   • 173.236.65.132 pichincha.com
   • 173.236.65.132 wwwp1.pichincha.com
   • 173.236.65.132 wwwp2.pichincha.com
   • 173.236.65.132 wwwp3.pichincha.com
   • 173.236.65.132 wwwp4.pichincha.com
   • 173.236.65.132 wwww01.pichincha.com
   • 173.236.65.132 wwww02.pichincha.com
   • 173.236.65.132 wwww03.pichincha.com
   • 173.236.65.132 wwww04.pichincha.com
   • 69.162.96.136 bn.com.pe
   • 69.162.96.136 www.bn.com.pe
   • 69.162.96.136 zonasegura1.bn.com.pe
   • 69.162.96.136 www.zonasegura1.bn.com.pe
   • 173.236.69.68 www.interbank.com.pe
   • 173.236.69.68 interbank.com.pe
   • 247.129.38.123 iniciorapido.info
   • 54.74.202.75 www.iniciorapido.info
   • 131.101.191.176 buscalo.in
   • 32.140.5.222 www.buscalo.in
   • 203.4.88.161 buscafacil.com
   • 10.205.252.113 www.buscafacil.com
   • 87.232.241.145 emsisoft.com
   • 244.15.55.3 ahnlab.com
   • 159.203.206.198 antivir.es
   • 223.81.114.150 antiy.net
   • 43.107.103.183 authentium.com
   • 201.214.173.40 avast.com
   • 115.79.0.167 avg.com
   • 179.24.164.187 bitdefender.com
   • 255.238.154.220 quickheal.com
   • 89.90.224.10 clamav.net
   • 71.210.51.204 comodo.com
   • 67.155.27.156 drweb.com
   • 212.182.16.189 aladdin.com
   • 45.221.18.47 ca.com
   • 28.85.169.242 f-prot.com
   • 23.30.77.194 f-secure.com
   • 168.57.66.226 fortinet.com
   • 1.96.136.84 gdata.es
   • 240.216.219.211 ikarus.at
   • 236.162.195.231 jiangmin.com
   • 56.188.184.8 kaspersky.com
   • 214.227.186.53 mcafee.com
   • 196.92.81.248 microsoft.com
   • 192.37.245.200 eset.es
   • 12.63.235.233 norman.com
   • 170.171.49.91 nprotect.com
   • 152.35.132.29 pandasecurity.com
   • 148.236.40.237 pctools.com
   • 225.195.29.14 prevx.com
   • 126.46.99.128 rising-global.com
   • 109.166.250.255 sophos.com
   • 104.111.158.19 sunbeltsoftware.com
   • 181.70.147.51 symantec.com
   • 82.177.217.165 hacksoft.com.pe
   • 65.41.44.36 trendmicro.com
   • 61.243.208.244 anti-virus.by
   • 137.13.197.21 hauri.net
   • 39.52.11.134 virusbuster.hu
   • 21.173.94.73 www.emsisoft.com
   • 17.118.70.25 www.ahnlab.com
   • 93.144.60.58 www.antivir.es
   • 251.184.62.172 www.antiy.net
   • 233.48.213.42 www.authentium.com
   • 229.249.121.62 www.avast.com
   • 50.20.110.95 www.avg.com
   • 207.59.180.209 www.bitdefender.com
   • 190.247.7.80 www.quickheal.com
   • 185.192.239.32 www.clamav.net
   • 6.151.228.64 www.comodo.com
   • 163.2.230.178 www.drweb.com
   • 78.122.125.117 www.aladdin.com
   • 142.68.33.69 www.ca.com
   • 218.26.22.102 www.f-prot.com
   • 120.133.92.215 www.f-secure.com
   • 34.254.175.86 www.fortinet.com
   • 98.199.83.106 www.gdata.es
   • 174.225.73.139 www.ikarus.at
   • 76.9.143.253 www.jiangmin.com
   • 247.129.38.123 www.kaspersky.com
   • 54.74.202.75 www.mcafee.com
   • 131.101.191.176 www.microsoft.com
   • 32.140.5.222 www.eset.es
   • 203.4.88.161 www.norman.com
   • 10.205.252.113 www.nprotect.com
   • 87.232.241.145 www.pandasecurity.com
   • 244.15.55.3 www.pctools.com
   • 159.203.206.198 www.prevx.com
   • 223.81.114.150 www.rising-global.com
   • 43.107.103.183 www.sophos.com
   • 201.214.173.40 www.sunbeltsoftware.com
   • 115.79.0.167 www.symantec.com
   • 179.24.164.187 www.hacksoft.com.pe
   • 255.238.154.220 www.trendmicro.com
   • 89.90.224.10 www.anti-virus.by
   • 71.210.51.204 www.hauri.net
   • 67.155.27.156 www.virusbuster.hu
   • 212.182.16.189 www.emsisoft.com
   • 45.221.18.47 www.anti-trojan.net
   • 28.85.169.242 malwarescan.emsisoft.com
   • 23.30.77.194 forum.emsisoft.com
   • 168.57.66.226 www.emsisoft.net
   • 1.96.136.84 www.emsisoft.it
   • 240.216.219.211 www.emsisoft.de
   • 236.162.195.231 www.anti-trojan-software.net
   • 56.188.184.8 mamutu.com
   • 214.227.186.53 www.emsisoft.es
   • 196.92.81.248 malwarescan.emsisoft.de
   • 192.37.245.200 ww.emsisoft.com
   • 12.63.235.233 www.emsisoft.fr
   • 170.171.49.91 www.emsisoft.nl
   • 152.35.132.29 onlinecheck.emsisoft.com
   • 148.236.40.237 onlinecheck.emsisoft.de
   • 225.195.29.14 www.emsisoft.org
   • 126.46.99.128 scan.anti-trojan.net
   • 109.166.250.255 www.trojaner.info
   • 104.111.158.19 onlinecheck.emsisoft.org
   • 181.70.147.51 onlinecheck.emsisoft.net
   • 82.177.217.165 blitzblank.com
   • 65.41.44.36 www.emsisoft.at
   • 61.243.208.244 www.emsisoft.jp
   • 137.13.197.21 www.mamutu.com
   • 39.52.11.134 malwarescan.emsisoft.es
   • 21.173.94.73 www.mamutu.de
   • 17.118.70.25 download5.emsisoft.com
   • 93.144.60.58 download1.emsisoft.com
   • 251.184.62.172 download4.emsisoft.com
   • 233.48.213.42 global.ahnlab.com
   • 229.249.121.62 www.hackshields.com
   • 50.20.110.95 www.internationalservicecheck.com
   • 207.59.180.209 www.irangoals.com
   • 190.247.7.80 ixomodels.com
   • 185.192.239.32 www.indielisboa.com
   • 6.151.228.64 www.latin-mass-society.org
   • 163.2.230.178 www.arpia.be
   • 78.122.125.117 www.owen.org
   • 142.68.33.69 www.prdouglas.co.uk
   • 218.26.22.102 www.zarya.info
   • 120.133.92.215 www.willsee.com
   • 34.254.175.86 halmapr.com
   • 98.199.83.106 karuna-shechen.org
   • 174.225.73.139 www.barder.com
   • 76.9.143.253 www.antivir.es
   • 247.129.38.123 www.buraka.tv
   • 54.74.202.75 www.dr-bull.com
   • 131.101.191.176 www.manchester-offices.co.uk
   • 32.140.5.222 saverssite.com
   • 203.4.88.161 canada.karuna-shechen.org
   • 10.205.252.113 developmentdrums.org
   • 87.232.241.145 www.imddomains.co.uk
   • 244.15.55.3 cutlines.org
   • 159.203.206.198 elblogdemanu.com
   • 223.81.114.150 ruben.bzin.net
   • 43.107.103.183 welkam.co.jp
   • 201.214.173.40 www.cambridge-steiner-school.co.uk
   • 115.79.0.167 naturesimages.net
   • 179.24.164.187 www.1stavenuelimousines.co.uk
   • 255.238.154.220 www.mtr-design.com
   • 89.90.224.10 dev.depeuter.org
   • 139.22.119.16 www.emeraldclassic.co.uk
   • 135.223.95.224 www.peterhearnwaste.co.uk
   • 24.250.84.1 etrr.co.uk
   • 113.33.86.115 www.avoncourt.com
   • 96.153.237.54 sarahmcconnellphotography.net
   • 91.98.145.5 www.ixomodels.com
   • 236.125.134.38 natsko.com
   • 69.164.204.152 www.nottinghampoetryseries.com
   • 52.28.31.23 www.sheffieldmind.co.uk
   • 48.230.7.43 ixostore.ixomodels.com
   • 124.0.252.76 www.flairweddings.co.uk
   • 26.39.254.121 www.fimasys.com
   • 8.160.149.60 cohartuk.com
   • 4.105.57.12 qqjkw.net
   • 80.131.47.45 vivo-austin.com
   • 238.239.117.159 www.freeality.com
   • 220.103.200.97 bestofewan.com
   • 216.48.108.49 www.handwritingforkids.com
   • 37.7.97.82 cowsmo.com
   • 194.114.167.196 www.2xlgames.com
   • 177.234.62.67 kimzimmer.net
   • 172.179.226.86 basetendencies.com
   • 249.138.215.119 trackingtheworld.com
   • 150.245.29.233 www.reviewsofbooks.com
   • 133.109.112.104 www.collectedcurios.com
   • 129.55.20.56 www.renningers.com
   • 205.81.9.89 ccslaughterspdx.com
   • 107.120.79.202 www.briarhurst.com
   • 89.241.162.141 www.smf.org
   • 85.186.138.93 ribbonwarehouse.com
   • 161.212.128.126 www.garryowen.com
   • 63.252.130.240 45pounds.com
   • 45.116.25.110 isotopecomics.com
   • 41.61.189.130 roysephotos.com
   • 118.88.178.163 www.stadiumpage.com
   • 19.127.248.21 www.elvis-express.com
   • 2.59.75.148 www.tomorrowsedge.net
   • 253.4.51.100 www.beautybar.com
   • 74.219.40.132 pineleafboys.com
   • 231.70.42.246 www.mountainlakeslodge.com
   • 146.190.193.185 pvtc.org
   • 210.136.101.137 bhsbees.com
   • 30.94.90.170 baristamagazine.com
   • 188.201.160.27 www.gokidding.com
   • 102.66.243.154 defalcos.com
   • 166.11.151.174 www.celticmerchant.com
   • 242.37.141.207 www.hxproduction.com
   • 144.77.211.65 www.wellgousa.com
   • 58.197.106.191 blog.titanium-jewelry.com
   • 122.142.14.143 www.brightoctober.com
   • 199.169.3.244 hishomeforchildren.com
   • 100.208.73.34 www.phoenixtrikeworks.com
   • 15.72.156.229 www.professorbeyer.com
   • 78.17.64.181 www.secondchanceboxer.com
   • 155.44.53.213 www.residentphotography.com
   • 56.83.123.71 woottonfootball.com
   • 227.15.18.10 www.deborahshelton.net
   • 35.149.182.218 bobbondart.com
   • 111.175.171.251 www.authentium.com
   • 13.26.241.108 asap.authentium.com
   • 183.147.68.235 www.authentium.com.au
   • 247.92.232.255 avast.com
   • 67.50.222.32 www.avast.com
   • 157.158.36.78 files.avast.com
   • 139.22.119.16 download535.avast.com
   • 135.223.95.224 avg.com
   • 24.250.84.1 www.avg.com
   • 113.33.86.115 grisoft.com
   • 96.153.237.54 www.grisoft.com
   • 91.98.145.5 antivirus-tools.com
   • 236.125.134.38 archive.bitdefender.com
   • 69.164.204.152 avx.rob-have.net
   • 52.28.31.23 b-have.orgbitdefender-ar.com
   • 48.230.7.43 bitdefender.com
   • 124.0.252.76 bitdefender.org
   • 26.39.254.121 bitdefenderchina.com
   • 8.160.149.60 bitdefenderguatemala.com
   • 4.105.57.12 bitdefendermalaysia.com
   • 80.131.47.45 bitdefendertaiwan.com
   • 238.239.117.159 bitdefenderuruguay.com
   • 220.103.200.97 bitdefenderusa.com
   • 216.48.108.49 buy.bitdefender-es.com
   • 37.7.97.82 buy.bitdefender.com
   • 194.114.167.196 buy.bitdefender.de
   • 177.234.62.67 de.bitdefender.com
   • 172.179.226.86 fr.bitdefender.com
   • 249.138.215.119 futurenow.bitdefender.com
   • 150.245.29.233 it.bitdefender.com
   • 133.109.112.104 jobs.bitdefender.com
   • 129.55.20.56 kb.bitdefender.com
   • 205.81.9.89 kb.bitdefender.de
   • 107.120.79.202 kb.bitdefender.us
   • 89.241.162.141 latin.bitdefender.com
   • 85.186.138.93 linux.bitdefender.com
   • 161.212.128.126 malwarecity.com
   • 63.252.130.240 malwarecity.netmalwarecity.org
   • 45.116.25.110 malwarepedia.com
   • 41.61.189.130 neunet.orgnews.bitdefender.com
   • 118.88.178.163 nl.bitdefender.com
   • 19.127.248.21 renewals.bitdefender.com
   • 2.59.75.148 sales.bitdefender.com
   • 253.4.51.100 square.bitdefender.com
   • 74.219.40.132 store.bitdefender.com
   • 231.70.42.246 store.de.bitdefender.com
   • 146.190.193.185 us.bitdefender.com
   • 210.136.101.137 virusscanonline.net
   • 30.94.90.170 wedoantivirus.com
   • 188.201.160.27 www.antivirus-tools.com
   • 102.66.243.154 www.avx.ro
   • 166.11.151.174 www.bit-defender.de
   • 242.37.141.207 www.bitdefende.de
   • 144.77.211.65 www.bitdefender-es.com
   • 58.197.106.191 www.bitdefender.be
   • 122.142.14.143 www.bitdefender.cl
   • 199.169.3.244 www.bitdefender.co.uk
   • 100.208.73.34 www.bitdefender.com
   • 15.72.156.229 www.bitdefender.com.au
   • 78.17.64.181 www.bitdefender.com.sg
   • 155.44.53.213 www.bitdefender.com.tw
   • 56.83.123.71 www.bitdefender.com.vn
   • 227.15.18.10 www.bitdefender.de
   • 35.149.182.218 www.bitdefender.es
   • 163.227.223.47 www.bitdefender.fr
   • 65.78.37.160 www.bitdefender.hk
   • 235.199.120.31 www.bitdefender.us
   • 43.144.28.51 www.bitdefenderme.com
   • 119.102.18.84 www.malwarecity.com
   • 209.210.88.130 www.malwarecity.fr
   • 192.74.171.68 quickheal.com
   • 187.19.147.20 www.quickheal.com
   • 76.46.136.53 www.clamav.net
   • 165.85.138.167 cgi.clamav.net
   • 148.205.33.106 lurker.clamav.net
   • 143.151.197.58 wwws.clamav.net
   • 32.177.186.90 lists.clamav.net
   • 121.216.0.204 bugs.clamav.net
   • 104.80.83.75 system-cleaner.comodo.com
   • 100.26.59.95 backup.comodo.com
   • 176.52.48.128 www.comodoantispam.com
   • 78.91.50.173 easy-vpn.comodo.com
   • 60.212.201.112 www.trustlogo.com
   • 56.157.109.64 ztl.comodo.com
   • 132.183.99.97 www.livepcsupport.com
   • 34.35.169.211 www.whichssl.com
   • 17.155.252.149 www.trustix.com
   • 12.100.160.101 disk-encryption.comodo.com
   • 89.59.149.134 speedtest.comodo.com
   • 246.166.219.248 www.contentverification.com
   • 229.30.114.119 idauthority.com
   • 224.232.22.139 www.comodo.tv
   • 45.190.11.171 online-backup.comodo.com
   • 202.41.81.29 www.testmypcsecurity.com
   • 185.161.164.156 www.ccssforum.org
   • 181.107.72.108 i-vault.comodo.com
   • 1.133.61.141 internetsecurity.comodo.com
   • 159.172.131.254 www.comodopartners.com
   • 141.37.214.193 timestamp.comodoca.com
   • 137.238.190.145 secure-email.comodo.com
   • 213.8.180.178 timestamp.wosign.com
   • 115.48.182.36 rover800.gaima.co.uk
   • 98.168.77.162 www.nsclean.com
   • 93.113.241.182 www.contentverification.com
   • 170.140.230.215 new-estore.drweb.com
   • 71.179.44.73 support.drweb.com
   • 54.111.127.200 pda.drweb.com
   • 49.56.103.152 updates.drweb.com
   • 126.15.92.184 drweb.com
   • 27.122.94.42 vms.drweb.com
   • 198.242.245.237 solutions.drweb.com
   • 6.188.153.189 news.drweb.com
   • 82.146.142.222 my.drweb.com
   • 240.253.212.79 buy.drweb.com
   • 154.118.39.206 products.drweb.com
   • 218.63.203.226 new-support.drweb.com
   • 38.89.193.3 promotions.drweb.com
   • 196.129.7.117 network.drweb.com
   • 111.249.158.243 customers.drweb.com
   • 174.194.66.195 store.drweb.com
   • 251.221.55.40 company.drweb.com
   • 152.4.125.86 training.drweb.com
   • 67.124.208.25 license.drweb.com
   • 130.70.116.233 cureit.ru
   • 207.96.105.9 free.drweb.com
   • 108.135.175.123 info.drweb.com
   • 23.67.70.62 new-partners.drweb.com
   • 87.201.234.14 drweb.net
   • 163.227.223.47 new-company.drweb.com
   • 65.78.37.160 new-beta.drweb.com
   • 235.199.120.31 new-forum.drweb.com
   • 43.144.28.51 secure.av-desk.com
   • 119.102.18.84 www.av-desk.com
   • 209.210.88.130 new-solutions.drweb.com
   • 192.74.171.68 new-www.drweb.com
   • 187.19.147.20 www.freedrweb.ru
   • 76.46.136.53 daniloff.net
   • 165.85.138.167 drweb-inside.com
   • 148.205.33.106 drwebinside.com
   • 211.218.9.126 aladdin.com
   • 100.245.254.158 alladdin.ru
   • 189.28.68.16 chickensroamfree.com
   • 172.148.151.143 ealaddin.net
   • 168.94.127.163 ealaddin.orgeshop.aladdin.com
   • 244.120.116.196 secureme.com
   • 146.159.118.241 www.aks.com
   • 128.24.13.180 www.aladdin.com
   • 124.225.177.132 www.ealaddin.com
   • 200.251.167.165 www.ealaddin.com
   • 102.103.237.23 auwww.ealaddin.nl
   • 85.223.64.217 www.esafe.com
   • 80.168.228.169 www.hasp.se
   • 157.127.217.202 www.safenet-inc.com
   • 58.234.31.60 www3.safenet-inc.com
   • 41.98.182.187 www.ca.com
   • 36.43.90.207 cacomvip.ca.com
   • 113.2.79.239 www.netegrity.com
   • 14.109.149.97 search.ca.com
   • 253.229.232.224 cai.com
   • 249.175.140.176 www.f-prot.com
   • 69.201.129.209 frisk-software.com
   • 227.240.199.66 www.frisk.is
   • 209.105.26.5 www.frisk-software.com
   • 205.50.2.213 f-secure.com
   • 25.76.248.246 f-secure.frf-secure.hk
   • 183.116.250.104 f-secure.nlfsecure.com
   • 166.236.145.230 fsecure.nlwebyard.com
   • 161.181.53.250 www.f-secure.com
   • 97.67.158.143 www.fsecure.com
   • 255.107.228.1 www.virus.fi
   • 238.39.55.128 fortihero.com
   • 233.240.31.79 fortilog.com
   • 54.199.20.112 fortinet.co.at
   • 211.50.22.226 fortinet.com
   • 126.170.173.165 fortiprotect.com
   • 189.116.81.117 fortiwifi.com
   • 10.74.70.149 www.apsecure.com
   • 168.181.140.7 www.fortifed.com
   • 82.46.223.134 www.fortiid.com
   • 146.247.131.154 www.fortimail.com
   • 222.17.120.187 www.fortinet-apac.com
   • 124.56.190.44 www.fortinet.ch
   • 38.177.86.171 www.fortinet.co.il
   • 102.122.250.123 www.fortinet.com
   • 178.148.239.224 www.fortinet.com
   • 80.188.53.14 arwww.fortinet.cz
   • 251.52.136.209 www.fortinet.net
   • 58.253.44.160 www.fortinet.nl
   • 135.24.33.193 www.fortinet.sg
   • 36.63.103.51 www.fortinetuk.com
   • 207.251.254.246 www.secure-elements.com
   • 14.129.162.198 gdata.es
   • 91.155.151.230 www.gdata.es
   • 249.6.221.88 ikarus.at
   • 163.127.48.215 www.ikarus.at
   • 227.72.212.235 global.jiangmin.com
   • 47.30.201.80 jiangmin.com.cn
   • 205.205.83.125 jiangmin.com
   • 187.70.167.64 www.jiangmin.com.cn
   • 183.15.143.16 www.kaspersky.com
   • 71.41.132.49 forum.kaspersky.com
   • 161.81.134.163 support.kaspersky.co
   • 144.201.29.102 usa.kaspersky.com
   • 139.146.193.53 brazil.kaspersky.com
   • 28.173.182.86 latam.kaspersky.com
   • 117.212.252.200 kaspersky.com
   • 100.76.79.71 me.kaspersky.com
   • 95.22.55.91 images.kaspersky.com
   • 172.48.44.123 www.mcafee.com
   • 74.87.46.169 support.mcafee.com
   • 56.208.197.108 msr.mcafee.com
   • 52.153.105.60 home.mcafee.com
   • 128.179.94.93 networkassociates.com
   • 30.30.164.206 us.mcafee.com
   • 12.151.248.145 tr.mcafee.com
   • 8.96.156.97 au.mcafee.com
   • 84.54.145.130 mx.mcafee.com
   • 242.162.215.244 networkassociates.nai.com
   • 225.26.110.115 go.mcafee.com
   • 220.227.18.134 fr.mcafee.com
   • 41.186.59.219 uk.mcafee.com
   • 250.89.129.77 de.mcafee.com
   • 233.209.212.204 obscgi.mcafee.com
   • 228.155.120.156 nai.com
   • 49.181.109.188 www.entercept.com
   • 207.220.179.46 jp.mcafee.com
   • 189.85.6.241 mcafeeb2b.com
   • 185.30.238.193 cn.mcafee.com
   • 5.56.227.226 service.mcafee.com
   • 163.95.229.84 br.mcafee.com
   • 145.216.125.210 www.mcafee.at
   • 141.161.33.230 mcafeeretail.com
   • 218.187.22.7 it.mcafee.com
   • 119.227.92.121 tw.mcafee.com
   • 102.159.175.248 privacy.microsoft.com
   • 97.104.151.199 tempuri.org
   • 174.63.140.232 schemas.xmlsoap.org
   • 75.170.142.90 www.microsoft.com
   • 246.34.37.29 specs.xmlsoap.org
   • 53.236.201.237 www.eugrantsadvisor.ie
   • 130.194.190.13 schemas.microsoft.com
   • 32.45.4.127 encarta.msn.com
   • 202.166.87.254 www.sysinternals.com
   • 10.111.251.18 grv.microsoft.com
   • 86.137.240.51 www.xmlsoap.org
   • 244.176.54.165 www.eugrantsadvisor.se
   • 158.41.206.35 www.eugrantsadvisor.com
   • 34.54.182.55 research.microsoft.com
   • 110.80.171.156 www.engyro.com
   • 12.120.241.202 www.exchangeyourcareer.com
   • 183.240.68.141 www.eugrantsadvisor.de
   • 246.185.232.92 exchangeyourcareer.net
   • 67.212.221.125 eugrantsadvisor.de
   • 224.251.35.239 eugrantsadvisor.cz
   • 139.183.186.178 www.eset.es
   • 202.61.94.130 demos.eset.es
   • 23.87.83.162 descargas.eset.es
   • 181.194.153.20 blogs.protegerse.com
   • 95.59.236.147 eos.eset.es
   • 159.4.144.167 pedidos.protegerse.com
   • 235.218.133.200 reg-int.nod32-es.com
   • 69.69.203.246 reg.eset.es
   • 51.190.31.184 vicentevirtual.com
   • 47.135.7.136 cou85.com
   • 191.161.252.169 www.norman.com
   • 25.201.254.27 fsc.norman.com
   • 8.65.149.222 nprobeta.norman.com
   • 3.10.57.173 register.norman.com
   • 148.37.46.206 webadmin.norman.no
   • 237.76.116.64 sandbox.norman.com
   • 220.196.199.191 www.nprotect.com
   • 215.142.175.211 global.nprotect.com
   • 36.220.216.39 www.nprotect.co.kr
   • 246.3.218.85 www.npin.co.kr
   • 228.124.113.24 siren24.nprotect.com
   • 224.69.21.232 15660808.co.kr
   • 44.95.10.9 biz.nprotect.com
   • 202.203.80.123 nprotect.net
   • 184.67.164.61 www.nprotect.com.br
   • 180.12.72.13 liveprotect.net
   • 1.226.61.46 nprotect.seoul.go.kr
   • 158.78.131.160 chollian.nprotect.co.kr
   • 141.198.26.31 www.pandasecurity.com
   • 136.143.190.50 research.pandasecurity.com
   • 213.102.179.83 support.pandasecurity.com
   • 114.209.249.197 pandalabs.pandasecurity.com
   • 97.73.76.68 pandasecurity.com
   • 92.19.240.20 mop.pandasecurity.com
   • 169.45.229.52 timeforyourbusi.pandasecurity.com
   • 71.84.43.166 cybercrime.pandasecurity.com
   • 53.205.126.105 free.pandasecurity.com
   • 49.150.102.57 cloudprotection.pandasecurity.com
   • 125.176.91.90 shop.pandasecurity.com
   • 27.216.94.204 soporte.pandasecurity.com
   • 9.80.245.74 together.pctools.com
   • 5.25.153.94 www.prevx.com
   • 150.119.210.195 info.prevx.com
   • 51.159.24.53 free.prevx.com
   • 34.91.107.180 spywarefiles.prevx.com
   • 29.36.83.131 spywaredlls.prevx.com
   • 106.251.72.164 shield.prevx.com
   • 7.102.74.22 www.prevx1.com
   • 178.222.225.217 howsafeismypc.com
   • 241.168.133.169 www.retento.com
   • 62.126.122.201 www.freerav.com
   • 220.233.192.59 www.rising-global.com
   • 134.98.19.186 www.risingav.com.au
   • 198.43.183.206 support.rising-global.com
   • 18.69.172.239 superboy2010.com.au
   • 176.109.242.97 www.sophos.com
   • 90.229.138.223 feeds.sophos.com
   • 206.226.98.227 esp.sophos.com
   • 27.252.87.72 cn.sophos.com
   • 184.36.157.118 tw.sophos.com
   • 99.156.240.57 kr.sophos.com
   • 162.101.148.8 sophos.com
   • 239.128.137.41 podcasts.sophos.com
   • 140.167.207.155 www.sunbeltsoftware.com
   • 55.99.102.94 go.sunbeltsoftware.com
   • 118.233.10.46 oem.sunbeltsoftware.com
   • 195.3.255.79 antispam.sunbeltsoftware.com
   • 97.110.69.192 antispyware.sunbeltsoftware.com
   • 11.231.152.63 antivirus.sunbeltsoftware.com
   • 75.176.60.83 sunbeltsoftware.com
   • 151.134.49.116 shop.sunbeltsoftware.com
   • 241.242.120.162 live.sunbeltsoftware.com
   • 223.106.203.100 firewall.sunbeltsoftware.com
   • 219.51.179.52 www.symantec.com
   • 108.145.236.153 security.symantec.com
   • 9.185.238.11 securityrespons.symantec.com
   • 248.49.133.206 service1.symantec.com
   • 243.250.41.157 enterprisesecur.symantec.com
   • 132.21.30.190 eval.symantec.com
   • 221.60.100.48 symantec.com
   • 204.180.183.175 definitions.symantec.com
   • 199.126.159.195 investor.symantec.com
   • 20.152.148.227 et.symantec.com
   • 178.191.150.17 sfdoccentral.symantec.com
   • 160.56.45.212 servicenews.symantec.com
   • 156.1.209.164 securityrespons.symantec.com
   • 232.27.198.197 sea.symantec.com
   • 134.135.13.55 go.symantec.com
   • 116.255.96.249 dell.symantec.com
   • 112.200.4.201 sun.symantec.com
   • 189.158.249.234 marian.symantec.com
   • 90.10.63.92 tms.symantec.com
   • 189.247.74.79 securitycheck.symantec.com
   • 185.192.238.99 smallbiz.symantec.com
   • 5.150.228.132 www.symantec.com
   • 163.2.42.246 visualtracking.symantec.com
   • 146.122.125.116 search.symantec.com
   • 141.67.33.68 liveupdate.symantec.com
   • 218.94.22.101 sitedirector.symantec.com
   • 119.133.92.215 edm.symantec.com
   • 102.253.175.154 hostedmailsecur.symantec.com
   • 97.198.151.106 www4.symantec.com
   • 174.225.140.138 education.symantec.com
   • 75.8.142.252 vos.symantec.com
   • 58.128.37.123 www.hacksoft.com.pe
   • 54.74.201.143 hacksoft.pe
   • 130.100.190.176 www.hacksoft.pe
   • 32.139.4.33 housecall.trendmicro.com
   • 14.72.87.160 www.trendmicro.com
   • 10.17.63.112 housecall65.trendmicro.com
   • 86.231.53.145 us.trendmicro.com
   • 56.151.123.71 blog.trendmicro.com
   • 227.15.18.9 emea.trendmicro.com
   • 34.216.182.217 housecall60.trendmicro.com
   • 111.175.171.250 jp.trendmicro.com
   • 12.26.241.108 de.trendmicro.com
   • 183.146.68.235 it.trendmicro.com
   • 246.91.232.255 itw.trendmicro.com
   • 67.118.221.31 esupport.trendmicro.com
   • 224.157.35.145 es.trendmicro.com
   • 139.21.186.16 br.trendmicro.com
   • 203.223.94.224 tw.trendmicro.com
   • 23.249.83.69 la.trendmicro.com
   • 181.32.153.114 uk.trendmicro.com
   • 95.153.236.53 ru.trendmicro.com
   • 159.98.144.5 smbstore.trendmicro.com
   • 235.124.134.38 apac.trendmicro.com
   • 137.164.204.152 store.trendmicro.com
   • 52.96.99.90 training.trendmicro.com
   • 115.229.7.42 trial.trendmicro.com
   • 192.0.252.75 ushousecall02.trendmicro.com
   • 93.107.66.189 subwiz.trendmicro.com
   • 8.227.149.60 go.trendmicro.com
   • 71.172.57.80 feeds.trendmicro.com
   • 148.131.98.164 channelpartner.trendmicro.com
   • 33.34.168.210 wtc.trendmicro.com
   • 16.154.251.149 shop.trendmicro.com
   • 12.100.227.101 fr.trendmicro.com
   • 156.126.216.134 threatinfo.trendmicro.com
   • 246.165.218.247 newsletters.trendmicro.com
   • 228.30.113.186 www.anti-virus.by
   • 224.231.22.138 bg.virusblokada.com
   • 112.1.11.171 www.vba.com.by
   • 202.41.81.29 beta.anti-virus.by
   • 185.161.164.155 www.bg.virusblokada.com
   • 180.106.140.175 www.hauri.net
   • 1.133.129.208 www.hauri.co.kr
   • 158.172.131.254 company.hauri.net
   • 141.36.26.193 www.globalhauri.com
   • 136.238.190.145 shop.hauri.co.kr
   • 213.8.179.177 hauri.co.kr
   • 114.115.249.35 pg.hauri.net
   • 97.235.76.230 esecurity.livecall.co.kr
   • 93.181.240.182 mall.hauri.co.kr
   • 169.139.229.215 company.hauri.co.kr
   • 71.246.43.72 haurijapan.com
   • 53.111.194.199 virobot.co.kr
   • 49.56.170.31 www.virusbuster.hu
   • 193.82.160.64 virusbuster.hu
   • 95.190.230.178 scanner.novirusthanks.org
   • 78.54.57.48 scanner2.novirusthanks.or
   • 73.255.221.0 novirusthanks.org
   • 150.26.210.33 www.novirusthanks.org
   • 51.65.24.147 virustotal.com
   • 34.185.107.86 www.virustotal.com
   • 29.131.83.38 virscan.org
   • 106.157.72.70 www.virscan.org
   • 7.196.74.184 virusscan.jotti.org
   • 246.60.225.55 jotti.org
   • 242.6.133.75 www.jotti.org
   • 62.32.122.108 viruschief.com
   • 220.71.192.221 www.viruschief.com
   • 202.4.19.92 scanner.virus.org
   • 198.205.251.44 virus.org
   • 18.163.241.77 www.virus.org
   • 176.15.243.191 scan4you.net
   • 91.135.138.129 www.scan4you.net
   • 154.80.46.81 avhide.com
   • 231.39.35.114 www.avhide.com
   • 132.146.105.228 anubis.iseclab.org
   • 99.62.240.151 iseclab.org
   • 162.8.148.171 www.iseclab.org
   • 239.34.137.203 threatexpert.com
   • 140.73.207.61 www.threatexpert.com


 Miscellaneous  Checks for an internet connection by contacting the following web site:
   • www.whatismyip.org
Accesses internet resources:
   • http://e-i-4-m-8-t-5-3-n-0-7-3-5-k**********.info

 File details Programming language:
The malware program was written in Visual Basic.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Description insérée par Ana Maria Niculescu le vendredi 4 mars 2011
Description mise à jour par Ana Maria Niculescu le vendredi 4 mars 2011

Retour . . . .
https:// Cet écran est crypté pour votre sécurité.