Virus: Worm/Esfury.A.357
Date discovered: 08/11/2010
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 55.296 Bytes
MD5 checksum: FDA15A56FF33BC0F4A27B415E8019FD9
VDF version: 7.10.06.53
IVDF version: 7.10.13.167 - Monday, November 8, 2010

General
Method of propagation:
   • Autorun feature


Aliases:
   • McAfee: W32/Autorun.worm.g
   • Kaspersky: Trojan.Win32.VBKrypt.wuh
   • Avast: Win32:AutoRun-BPN
   • Panda: W32/Esfury.R.worm
   • VirusBuster: Worm.Esfury!awyz/BCBGro
   • Eset: Win32/AutoRun.VB.UG
   • AhnLab: Win32/Esfury.worm.55296


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Blocks access to certain websites
   • Blocks access to security websites
   • Downloads malicious files
   • Drops a file
   • Lowers security settings
   • Registry modification
   • Opens website in web browser

Files
It copies itself to the following locations:
   • %ALLUSERSPROFILE%\Start Menu\Programs\Startup\winlogon.exe
   • C:\winlogon.exe
   • %HOME%\%hex values%\winlogon.exe




It tries to download a file, which is saved on the local hard drive as %TEMPDIR%\wlo.exe. The file is executed once it has been fully downloaded. Further investigation showed that this file is also malware, detected as TR/Spy.58880.4.

Registry
The following registry keys are added in order to run the processes after reboot:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "13032325543555"="%HOME%\%hex values%\winlogon.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "13032325543555"="%HOME%\%hex values%\winlogon.exe"



It creates the following entries in order to bypass the Windows XP firewall:

[HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • ""13032325543555"="%HOME%\%hex values%\winlogon.exe"=""13032325543555"="%HOME%\%hex values%\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • ""13032325543555"="%HOME%\%hex values%\winlogon.exe"=""13032325543555"="%HOME%\%hex values%\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"



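The following registry keys are added. Each one sets a "Debugger" value for an executable name under [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options], pointing at the worm's copy %HOME%\%hex values%\winlogon.exe, so Windows starts that copy whenever the named program is launched.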

     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\licmgr.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\localnet.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmnhdlr.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mctool.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcuimgr.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdate.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsrte.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mdll.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfw2en.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfweng3.02d30.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgavrtcl.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgavrte.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mghtml.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgui.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\minilog.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monitor.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monsys32.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monsysnt.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monwow.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\moolive.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpfagent.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpfservice.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpftray.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrflux.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msblast.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo32.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msn.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspatch.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mssmmc32.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mu0311ad.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mwatch.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mxtask.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\n32scan.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\n32scanw.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nai_vs_stat.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nav32_loader.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nav80try.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navap.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapsvc.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapw32.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navauto-protect.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navdx.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naveng.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navengnavex15.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcc2k_76_1436.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccclient.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prckiller.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Process.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processmonitor.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexplorerv1.0.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\programauditor.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\proport.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectx.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pspf.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\purge.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pview.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pview95.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qconsole.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qserver.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rapapp.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wradmin.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wrctrl.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2Fix.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsbgate.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wyvernworksfirewall.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpf202en.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xscan.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zatutor.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zatutorzauinst.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zauinst.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlh.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalarm.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalm2601.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpm.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"

   • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_findviru.exe]
     "Debugger"="%HOME%\%hex values%\winlogon.exe"




The following registry keys are changed:

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
   New value:
   • "Local Page"="http://no24a2kw**********rio-w.com"

[HKLM\SOFTWARE\Microsoft\Security Center]
   New value:
   • "UacDisableNotify"=dword:00000001

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
   New value:
   • "NoFolderOptions"=dword:00000001

[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
   New value:
   • "NoAutoRebootWithLoggedOnUsers"=dword:00000001

Deactivate Windows Firewall:

[HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
   New value:
   • "EnableFirewall"=dword:00000000

Deactivate Windows Firewall:

[HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
   New value:
   • "EnableFirewall"=dword:00000000

[HKCU\Software\Microsoft\Internet Explorer\Main]
   New value:
   • "Default_Search_URL"="http://0vlf31z9**********io-w.com"
   • "Default_Page_URL"="http://90219v**********io-w.com"

Various Explorer settings:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   New value:
   • "NoRun"=dword:00000001
   • "NoFile"=dword:00000001
   • "NoFolderOptions"=dword:00000001

Disable Regedit and Task Manager:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   New value:
   • "DisableRegistryTools"=dword:00000001
   • "DisableTaskMgr"=dword:00000001

[HKCU\Software\Policies\Microsoft\Windows\System]
   New value:
   • "DisableCMD"=dword:00000001

Internet Explorer's start page:

[HKCU\Software\Microsoft\Internet Explorer\Main]
   New value:
   • "Local Page"="http://ub01cl40**********io-w.com"
   • "Start Page"="http://z263m4**********io-w.com"
   • "Search Page"="http://k7d6t**********io-w.com"

Various Explorer settings:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "Hidden"=dword:00000002
   • "HideFileExt"=dword:00000003
   • "SuperHidden"=dword:00000001

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
   New value:
   • "AntiVirusDisableNotify"=dword:00000001
   • "AntiVirusOverride"=dword:00000001
   • "FirewallDisableNotify"=dword:00000001
   • "FirewallOverride"=dword:00000001
   • "FirstRunDisabled"=dword:00000001
   • "UpdatesDisableNotify"=dword:00000001
   • "UacDisableNotify"=dword:00000001

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
   New value:
   • "ConsentPromptBehaviorAdmin"=dword:00000000
   • "EnableLUA"=dword:00000000
   • "PromptOnSecureDesktop"=dword:00000001

 Hosts The hosts file is modified as follows:

In this case existing entries are deleted.

Access to the following domains is effectively blocked:
   • 55.92.100.146 forum.kaspersky.com
   • 7.237.126.135 support.kaspersky.co
   • 39.71.165.205 usa.kaspersky.com
   • 153.53.30.32 brazil.kaspersky.com
   • 24.49.231.8 latam.kaspersky.com
   • 44.125.1.253 kaspersky.com
   • 77.27.40.255 me.kaspersky.com
   • 122.9.161.150 images.kaspersky.com
   • 61.5.106.59 www.mcafee.com
   • 13.81.132.48 support.mcafee.com
   • 46.239.240.118 msr.mcafee.com
   • 160.222.104.201 home.mcafee.com
   • 99.217.49.109 networkassociates.com
   • 50.38.8.98 us.mcafee.com
   • 83.195.115.168 tr.mcafee.com
   • 197.178.235.63 au.mcafee.com
   • 68.173.181.227 mx.mcafee.com
   • 88.250.139.216 networkassociates.nai.com
   • 120.152.246.30 go.mcafee.com
   • 30.186.163.165 fr.mcafee.com
   • 157.182.108.73 uk.mcafee.com
   • 109.2.134.62 de.mcafee.com
   • 142.160.173.132 obscgi.mcafee.com
   • 0.142.38.216 nai.com
   • 194.138.239.192 www.entercept.com
   • 146.214.9.181 jp.mcafee.com
   • 179.116.49.183 mcafeeb2b.com
   • 37.99.169.78 cn.mcafee.com
   • 164.94.114.242 service.mcafee.com
   • 183.171.141.231 br.mcafee.com
   • 216.72.180.45 www.mcafee.at
   • 74.55.112.128 mcafeeretail.com
   • 201.50.58.104 it.mcafee.com
   • 153.127.16.93 tw.mcafee.com
   • 185.29.123.95 privacy.microsoft.com
   • 43.199.244.246 tempuri.org
   • 238.7.189.154 schemas.xmlsoap.org
   • 190.83.147.143 www.microsoft.com
   • 223.241.254.213 specs.xmlsoap.org
   • 81.155.119.41 www.eugrantsadvisor.ie
   • 207.219.64.205 schemas.microsoft.com
   • 227.39.90.6 encarta.msn.com
   • 72.9.198.76 www.sysinternals.com
   • 186.180.62.227 grv.microsoft.com
   • 57.243.7.135 www.xmlsoap.org
   • 8.64.34.124 www.eugrantsadvisor.se
   • 109.221.73.194 www.eugrantsadvisor.com
   • 155.136.193.21 research.microsoft.com
   • 94.199.139.185 www.engyro.com
   • 46.20.165.174 www.exchangeyourcareer.com
   • 78.178.204.244 www.eugrantsadvisor.de
   • 192.92.137.139 exchangeyourcareer.net
   • 131.156.14.47 eugrantsadvisor.de
   • 83.232.40.36 eugrantsadvisor.cz
   • 116.134.147.106 www.eset.es
   • 229.48.12.190 demos.eset.es
   • 100.112.213.98 descargas.eset.es
   • 120.188.171.87 blogs.protegerse.com
   • 153.22.23.157 eos.eset.es
   • 199.5.143.240 pedidos.protegerse.com
   • 138.0.88.216 reg-int.nod32-es.com
   • 89.145.115.205 reg.eset.es
   • 122.234.154.207 vicentevirtual.com
   • 236.217.18.102 cou85.com
   • 175.212.220.10 www.norman.com
   • 127.101.246.83 fsc.norman.com
   • 243.18.113.153 nprobeta.norman.com
   • 101.1.233.236 register.norman.com
   • 228.253.179.212 webadmin.norman.no
   • 248.73.205.201 sandbox.norman.com
   • 25.231.244.203 www.nprotect.com
   • 70.213.109.98 global.nprotect.com
   • 9.209.54.7 www.nprotect.co.kr
   • 217.29.80.252 www.npin.co.kr
   • 250.187.188.66 siren24.nprotect.com
   • 108.170.52.149 15660808.co.kr
   • 46.165.253.57 biz.nprotect.com
   • 254.242.212.46 nprotect.net
   • 31.143.63.116 www.nprotect.com.br
   • 145.126.183.11 liveprotect.net
   • 16.121.129.175 nprotect.seoul.go.kr
   • 36.198.87.164 chollian.nprotect.co.kr
   • 68.99.194.234 www.pandasecurity.com
   • 182.82.58.61 research.pandasecurity.com
   • 53.78.4.225 support.pandasecurity.com
   • 5.154.30.214 pandalabs.pandasecurity.com
   • 38.56.69.96 pandasecurity.com
   • 219.106.2.179 mop.pandasecurity.com
   • 158.102.203.155 timeforyourbusi.pandasecurity.com
   • 110.178.229.145 cybercrime.pandasecurity.com
   • 143.80.13.147 free.pandasecurity.com
   • 1.63.133.42 cloudprotection.pandasecurity.com
   • 127.58.78.206 shop.pandasecurity.com
   • 147.135.105.195 soporte.pandasecurity.com
   • 180.36.144.9 together.pctools.com
   • 38.19.76.92 www.prevx.com
   • 165.14.22.68 info.prevx.com
   • 117.91.236.57 free.prevx.com
   • 149.248.87.59 spywarefiles.prevx.com
   • 7.163.207.210 spywaredlls.prevx.com
   • 202.227.153.118 shield.prevx.com
   • 154.47.111.107 www.prevx1.com
   • 187.205.218.177 howsafeismypc.com
   • 44.119.83.4 www.retento.com
   • 171.183.28.169 www.freerav.com
   • 191.3.54.158 www.rising-global.com
   • 224.161.94.228 www.risingav.com.au
   • 82.76.214.123 support.rising-global.com
   • 208.139.159.31 superboy2010.com.au
   • 160.216.186.20 www.sophos.com
   • 5.117.225.90 feeds.sophos.com
   • 51.32.89.173 esp.sophos.com
   • 246.95.35.81 cn.sophos.com
   • 198.172.61.70 tw.sophos.com
   • 230.73.100.140 kr.sophos.com
   • 88.244.32.35 sophos.com
   • 27.52.166.199 podcasts.sophos.com
   • 235.128.192.188 www.sunbeltsoftware.com
   • 12.30.43.2 go.sunbeltsoftware.com
   • 125.200.164.137 oem.sunbeltsoftware.com
   • 48.60.161.46 antispam.sunbeltsoftware.com
   • 68.136.119.35 antispyware.sunbeltsoftware.com
   • 101.226.227.105 antivirus.sunbeltsoftware.com
   • 147.209.91.188 sunbeltsoftware.com
   • 86.204.36.164 shop.sunbeltsoftware.com
   • 37.93.63.153 live.sunbeltsoftware.com
   • 70.182.102.155 firewall.sunbeltsoftware.com
   • 184.165.222.50 www.symantec.com
   • 123.160.168.214 security.symantec.com
   • 75.49.194.203 securityrespons.symantec.com
   • 107.139.233.17 service1.symantec.com
   • 221.121.97.100 enterprisesecur.symantec.com
   • 92.117.43.76 eval.symantec.com
   • 112.193.69.65 symantec.com
   • 145.95.108.67 definitions.symantec.com
   • 190.77.229.218 investor.symantec.com
   • 129.73.174.127 et.symantec.com
   • 81.149.200.116 sfdoccentral.symantec.com
   • 114.51.52.186 servicenews.symantec.com
   • 228.34.172.13 securityrespons.symantec.com
   • 167.29.117.177 sea.symantec.com
   • 118.106.76.166 go.symantec.com
   • 151.7.183.236 dell.symantec.com
   • 9.246.47.131 sun.symantec.com
   • 136.241.249.39 marian.symantec.com
   • 156.62.207.28 tms.symantec.com
   • 188.220.58.98 securitycheck.symantec.com
   • 46.202.178.181 smallbiz.symantec.com
   • 173.198.124.89 www.symantec.com
   • 125.18.150.78 visualtracking.symantec.com
   • 158.176.189.148 search.symantec.com
   • 15.158.54.231 liveupdate.symantec.com
   • 210.154.255.208 sitedirector.symantec.com
   • 162.230.25.197 edm.symantec.com
   • 195.132.65.199 hostedmailsecur.symantec.com
   • 53.115.185.94 www4.symantec.com
   • 180.110.130.2 education.symantec.com
   • 199.187.157.247 vos.symantec.com
   • 232.88.196.61 www.hacksoft.com.pe
   • 90.139.196.212 hacksoft.pe
   • 29.134.142.188 www.hacksoft.pe
   • 237.211.100.177 housecall.trendmicro.com
   • 13.112.207.179 www.trendmicro.com
   • 127.27.71.74 housecall65.trendmicro.com
   • 66.91.17.238 us.trendmicro.com
   • 18.167.231.227 blog.trendmicro.com
   • 51.69.82.41 emea.trendmicro.com
   • 164.239.203.124 housecall60.trendmicro.com
   • 35.47.148.33 jp.trendmicro.com
   • 55.123.174.22 de.trendmicro.com
   • 88.25.214.92 it.trendmicro.com
   • 202.196.78.243 itw.trendmicro.com
   • 73.3.23.151 esupport.trendmicro.com
   • 24.80.50.140 es.trendmicro.com
   • 125.237.89.210 br.trendmicro.com
   • 171.152.209.37 tw.trendmicro.com
   • 110.215.155.201 la.trendmicro.com
   • 62.36.181.190 uk.trendmicro.com
   • 94.193.220.4 ru.trendmicro.com
   • 208.108.152.155 smbstore.trendmicro.com
   • 147.172.30.63 apac.trendmicro.com
   • 99.248.56.52 store.trendmicro.com
   • 132.150.163.122 training.trendmicro.com
   • 245.64.28.205 trial.trendmicro.com
   • 116.128.229.114 ushousecall02.trendmicro.com
   • 136.204.187.103 subwiz.trendmicro.com
   • 169.38.39.173 go.trendmicro.com
   • 215.21.159.0 feeds.trendmicro.com
   • 154.16.104.232 channelpartner.trendmicro.com
   • 105.161.131.221 wtc.trendmicro.com
   • 138.250.170.223 shop.trendmicro.com
   • 252.233.34.118 fr.trendmicro.com
   • 191.228.236.26 threatinfo.trendmicro.com
   • 143.117.6.15 newsletters.trendmicro.com
   • 175.206.45.85 www.anti-virus.by
   • 33.189.165.168 bg.virusblokada.com
   • 160.185.111.144 www.vba.com.by
   • 180.5.137.133 beta.anti-virus.by
   • 213.163.176.135 www.bg.virusblokada.com
   • 2.145.41.30 www.hauri.net
   • 197.141.242.195 www.hauri.co.kr
   • 149.217.12.184 company.hauri.net
   • 182.119.120.254 www.globalhauri.com
   • 40.102.240.81 shop.hauri.co.kr
   • 235.97.185.245 hauri.co.kr
   • 186.174.144.234 pg.hauri.net
   • 219.75.251.48 esecurity.livecall.co.kr
   • 77.58.115.199 mall.hauri.co.kr
   • 204.53.61.107 company.hauri.co.kr
   • 224.130.19.96 haurijapan.com
   • 21.52.146.186 virobot.co.kr
   • 134.34.11.13 www.virusbuster.hu
   • 5.30.212.177 virusbuster.hu
   • 213.106.238.166 scanner.novirusthanks.org
   • 246.8.22.237 scanner2.novirusthanks.or
   • 104.246.142.64 novirusthanks.org
   • 42.242.87.40 www.novirusthanks.org
   • 250.63.113.29 virustotal.com
   • 27.220.153.31 www.virustotal.com
   • 141.203.17.182 virscan.org
   • 12.198.218.90 www.virscan.org
   • 31.19.245.79 virusscan.jotti.org
   • 64.176.28.149 jotti.org
   • 178.159.216.232 www.jotti.org
   • 49.154.162.208 viruschief.com
   • 1.231.120.197 www.viruschief.com
   • 34.133.227.199 scanner.virus.org
   • 147.47.92.94 virus.org
   • 86.111.37.2 www.virus.org
   • 38.187.251.247 scan4you.net
   • 71.89.103.62 www.scan4you.net
   • 185.3.223.145 avhide.com
   • 55.67.168.53 www.avhide.com
   • 75.144.194.42 anubis.iseclab.org
   • 108.45.234.112 iseclab.org
   • 222.216.98.7 www.iseclab.org
   • 93.23.43.171 threatexpert.com
   • 44.100.70.160 www.threatexpert.com
   • 145.1.109.230 forospyware.com
   • 191.172.229.57 www.forospyware.com
   • 130.235.175.221 in.answers.yahoo.com
   • 82.56.201.210 es.answers.yahoo.com
   • 115.214.240.24 kioskea.net
   • 228.128.173.175 www.kioskea.net
   • 167.192.50.83 es.kioskea.net
   • 119.12.76.72 mygeekside.com
   • 152.170.184.143 www.mygeekside.com
   • 10.84.48.226 www.tecniservicioslys.com
   • 136.148.249.134 tecniservicioslys.com
   • 156.225.207.123 virusfreezone.info
   • 189.58.59.193 www.virusfreezone.info
   • 235.41.179.20 intranet.cidiroax.ipn.mx
   • 174.36.124.252 spycheck.es
   • 125.181.151.241 www.spycheck.es
   • 158.14.190.243 antivirus.hispavista.com
   • 16.253.54.138 computing.net
   • 211.249.0.46 www.computing.net
   • 163.137.26.35 spycheck.co.uk
   • 196.227.65.105 www.spycheck.co.uk
   • 53.209.186.188 midescargas.com
   • 180.205.131.164 www.midescargas.com
   • 200.25.157.153 static.yoreparo.com
   • 233.183.197.156 softfaq.com
   • 23.165.61.51 www.softfaq.com
   • 217.161.6.215 configurarequipos.com
   • 169.238.32.204 www.configurarequipos.com
   • 202.139.140.18 seasonsecurity.com
   • 60.122.4.101 www.seasonsecurity.com
   • 255.117.205.9 removetrojanvirus.org
   • 18.6.232.66 www.removetrojanvirus.org
   • 51.163.83.136 ibusca.me
   • 165.146.203.31 www.ibusca.me


 Injection – It injects itself into a process.

    Process name:
   • svchost.exe


 Miscellaneous
Accesses internet resources:
   • http://whos.am**********1vh6r
   • http://widgets.am**********9.png

 File details
Programming language:
The malware program was written in Visual Basic.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Alexandru Dinu on Tuesday, March 8, 2011
Description updated by Alexandru Dinu on Tuesday, March 8, 2011
