ThreatExpert Report: Downloader, Net-Worm.Win32.Piloyd.n, TrojanDownloader:Win32/Jadtre.A..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 18 November 2009, 23:48:10
Processing time: 8 min 50 sec
Submitted sample:

File MD5: 0x0878B4EEC59C783CF494196AC392CC3D
File SHA-1: 0x9B0D304D7AE00D10D7630727F2799E2FAA37600F
Filesize: 43,520 bytes
Alias:

Downloader [Symantec]
Net-Worm.Win32.Piloyd.n [Kaspersky Lab]
TrojanDownloader:Win32/Jadtre.A [Microsoft]
Trojan-Downloader.Win32.Jadtre [Ikarus]
Win32/Piloyd.worm.43520 [AhnLab]

Summary of the findings:

What's been found	Severity Level
Replication across networks by exploiting weakly restricted shares (common for Randex family of worms).
Stealth-mode characteristics common to Rootkits.
Hosts file modification that may block access to the security web sites.
Downloads/requests other files from Internet.
Compromises SafeBoot registry key(s) in an attempt to disable the Safe Mode.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Trojan-Dropper.Agent	Trojan-Dropper.Agent attempts to drop a malicious file and run it on the compromised computer.
Trojan-Downloader.Agent.NZW	Trojan-Downloader.Agent.NZW is a program that downloads files to the local computer that may represent security risk
Rootkit.Farfli.GEN	Rootkit.Farfli.GEN is a rootkit that hides presence in infected machine in order to perform malicious actions without the users knowledge.

Attention! The following threat categories were identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
	A program that downloads files to the local computer that may represent security risk
	A hacktool that could be used by attackers to break into a system

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\pctools.tmp	36 bytes	MD5: 0x860A36AE31BA81C77248ADA5E134D6FD SHA-1: 0x4BC122A8B358C6B56E8C470F36536408609CF44F	(not available)
2	%Temp%\tmp.tmp	2,986 bytes	MD5: 0x07E32319DC161756B87093D071B30149 SHA-1: 0x9772997199370C9DC699EEC09A339615DC12B10F	Trojan Horse [Symantec] Trojan-GameThief.Win32.OnLineGames.abrf.a [Kaspersky Lab] Generic.dx [McAfee] Mal/Packer, Mal/EncPk-BW [Sophos] Trojan-PWS.Win32.Small [Ikarus] Packed/Upack [AhnLab]
3	%DownloadedProgramFiles%\RBKptn7pQADdaYVFW.Ttf	212 bytes	MD5: 0x6E94D4E34FD477A5FF33AC7A08D1F0BB SHA-1: 0x9FB46D01B3337D4CCCB0FFA1ED74CB35C5418C0E	(not available)
4	%DownloadedProgramFiles%\WQKrDGnXQQb3Mgjk.Ttf	170 bytes	MD5: 0x11FF41FA92A9586347E9614D8591F74A SHA-1: 0x092C58526A99827055AB805409B8C19EA42FBC9F	(not available)
5	%DownloadedProgramFiles%\WUstNjhyfQfpv8PQbC.cur	20,480 bytes	MD5: 0x939C1BA010B6E784A542D90551E36DE9 SHA-1: 0xA666986B1D2CA41FEF41F68F8305EB38B889A821	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.cedk [Kaspersky Lab] PWS-OnlineGames.ek [McAfee] Troj/PWS-BCC [Sophos] Trojan-GameThief.Win32.Magania [Ikarus] Win-Trojan/Magania.20480.P [AhnLab]
6	%DownloadedProgramFiles%\XKeqABjFyGFjak9G9UKFE.Ttf	176 bytes	MD5: 0xDC08F1A922D714347F3EF09C5FC643ED SHA-1: 0xC53DF2DF9E5AC2F3E59B1989C76D62F3D57B847F	(not available)
7	%DownloadedProgramFiles%\zU2bVwKpTwHD84n.Ttf	172 bytes	MD5: 0x75088C3A797CFC2066568A59142C6336 SHA-1: 0x8C6C45B38A11522B723B7773C8FE632F92573839	(not available)
8	%FontsDir%\AeioFs.dat	83 bytes	MD5: 0x9A70C494A66FE47982C2C4655078AF69 SHA-1: 0x54FCCB870C057389D76B5AEBF6FE96031D5BED10	(not available)
9	%FontsDir%\cFDPmh3MDPjcHMPd.Ttf	156 bytes	MD5: 0xD6D6FE3A0211C52598BA07579D988BF8 SHA-1: 0xAC2AB42B79BF0C63E79164C6D4FA12CDA2CBF4B2	(not available)
10	%FontsDir%\kb218234933.dll	11,720 bytes	MD5: 0xFEA413117798BD66A209217A3234CE41 SHA-1: 0x1CF6F341155259859374FF6DDE6B96C2BC5FD564	Infostealer.Gampass [Symantec] Trojan.Win32.Scar.alef [Kaspersky Lab] Troj/Virtum-Gen [Sophos] Trojan-PWS.Win32.Small [Ikarus] Packed/Upack [AhnLab] packed with UPack [Kaspersky Lab]
11	%FontsDir%\Winwtopi.dat	174 bytes	MD5: 0x9993D82B74CDF8968C3B337D936CBFCF SHA-1: 0x39805109B276A002AC87A67718741A41CFA62079	(not available)
12	%System%\122B901E.dll	18,512 bytes	MD5: 0x5EF271FC82624B7C74CB00071A7DF9BB SHA-1: 0x397B16276D2E8157C3D8234A923A2B0BA7F5061E	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.bfsl [Kaspersky Lab] PWS-OnlineGames.ek [McAfee] Troj/PWS-BCC [Sophos] Trojan-GameThief.Win32.Magania [Ikarus] Win-Trojan/Magania.18521 [AhnLab] packed with PE_Patch.UPX [Kaspersky Lab]
13	%System%\AwrctXwdeJxquap6bRhj4Cd6z4PDyT.dll	792,064 bytes	MD5: 0x6728270CB7DBB776ED086F5AC4C82310 SHA-1: 0xE913CC86F68627541DAE2A92509AB230F427E980	(not available)
14	%System%\drivers\pcidump.sys	11,904 bytes	MD5: 0x601B3F2466BFA6989B9C7586B5BA54AA SHA-1: 0x454949E35BB28B8C2BF6B05DC27E8B30795A3AD6	Hacktool.Rootkit [Symantec] Trojan-Downloader.Win32.Geral.ad [Kaspersky Lab] Generic.dx [McAfee] Troj/RKProc-Fam [Sophos] VirTool:WinNT/Rootkitdrv.DH [Microsoft] Rootkit.Win32.Agent [Ikarus] Win-Trojan/Agent.11904.C [AhnLab]
15	%System%\EX6yHpM6akhMMh4bDbXPAWssHcE.inf	24,154 bytes	MD5: 0x95CC99F9A4CFE98CA73A37C1477DA83F SHA-1: 0xEB436EB125635EDE82085002A36F3442FC648F04	Infostealer.Gampass [Symantec] PWS-OnlineGames.ek [McAfee] Mal/Emogen-R [Sophos] Trojan-GameThief.Win32.Magania [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
16	[file and pathname of the sample #1]	43,520 bytes	MD5: 0x0878B4EEC59C783CF494196AC392CC3D SHA-1: 0x9B0D304D7AE00D10D7630727F2799E2FAA37600F	Downloader [Symantec] Net-Worm.Win32.Piloyd.n [Kaspersky Lab] TrojanDownloader:Win32/Jadtre.A [Microsoft] Trojan-Downloader.Win32.Jadtre [Ikarus] Win32/Piloyd.worm.43520 [AhnLab]
17	%System%\UadN5xYYC8FXprkCdzyMewN.inf	22,124 bytes	MD5: 0x44960E07A0CF864769FE5A401F0CE156 SHA-1: 0xC4665302127F3CA766031268CE197622C377A06C	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.chop [Kaspersky Lab] PWS-OnlineGames.ek [McAfee] Mal/Emogen-R [Sophos] Trojan-GameThief.Win32.Magania [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
18	%System%\ujMhyGsS7tRV9gU2HHMkJcu7DPU.inf	20,568 bytes	MD5: 0x313A93EC9A14962F262F7723DC18553D SHA-1: 0x608C6473AF723CC84757B3BD24262B399094A003	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.clyi [Kaspersky Lab] PWS-OnlineGames.ek [McAfee] Mal_OLGM-6 [Trend Micro] Mal/Emogen-R [Sophos] Trojan-GameThief.Win32.Magania [Ikarus]
19	%System%\z6FVkEF47huPzgaXee.inf	18,519 bytes	MD5: 0xCDAFAD0AC704145F719F73B229538B2B SHA-1: 0xE205E836FB0C1379F980CA69E3D8C95B609A0B5F	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.cces [Kaspersky Lab] PWS-OnlineGames.ek [McAfee] Mal/Emogen-R [Sophos] Trojan-GameThief.Win32.Magania [Ikarus] Win-Trojan/Magania.18533 [AhnLab] packed with PE_Patch.UPX [Kaspersky Lab]
20	%Windir%\Tasks\bQduFebhDm3Gxtunb.ico	1,750 bytes	MD5: 0xF888504343943F2E1F68B2B8A20C51C4 SHA-1: 0xD61E6F7F3640B4B104FB5515C9B61701CF40A8A8	(not available)
21	%Windir%\Tasks\Ces5WqX3ApQMPmMbYZUxPYh.inf	22,528 bytes	MD5: 0xB894D5CD1738629FF2BE73248FF26A17 SHA-1: 0x1A4EF07133A54E77FA76B1414133D55804EE3064	Infostealer.Gampass [Symantec] Troj/PWS-BCC [Sophos] Trojan-GameThief.Win32.Magania [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
22	%Windir%\Tasks\dEAXUPxQWEyAvpH4Pd3brcyYSHV.inf	24,576 bytes	MD5: 0xE34E3E8172514F3E122CBD106611E3DB SHA-1: 0x2BDB8F020F4252279459C984D70744B4AD383B48	Infostealer.Gampass [Symantec] Troj/PWS-BCC [Sophos] Trojan-GameThief.Win32.Magania [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
23	%Windir%\Tasks\NSk5AtYYEPKtaSgzknZvW.ico	1,750 bytes	MD5: 0xE7EE6BB5EB0BD2AF930839444DC14C85 SHA-1: 0x42320466CF28509101D7AA0339437772DAE4F47B	(not available)
24	%Windir%\Tasks\pPuSpm4tUTwyj3JpjJV.ico	1,750 bytes	MD5: 0xCB51BDB81B636A9F26A7A59838E1AD92 SHA-1: 0x8F746AC74CC1EC40E463B4C62D5A926ADCE5D39C	(not available)
25	%Windir%\Tasks\vC6ykXbjUGCVeCJa.ico	1,750 bytes	MD5: 0x440D0D560DA8756FF9803450BC5837B3 SHA-1: 0x3962EDDF7856EF846AB70FD341E96D6FF333F64B	(not available)
26	%Windir%\Tasks\Wfayv6njQnCsg.inf	23,552 bytes	MD5: 0xA7950170C925E596F909190791F434DC SHA-1: 0x8AF4367529B346064125CA8CC482AB3CC37A4DBA	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.cmoa [Kaspersky Lab] Troj/PWS-BCC [Sophos] Trojan-GameThief.Win32.Magania [Ikarus]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%DownloadedProgramFiles% is a variable that refers to the file system directory containing downloaded program files. A typical path is C:\Windows\Downloaded Program Files.
%FontsDir% is a variable that refers to a virtual folder containing fonts. A typical path is C:\Windows\Fonts.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Attention! The following hidden files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\cqsjTT1315.exe	26,739 bytes	MD5: 0xEBBF17CC2B3266E2AE844BFD450FF5F7 SHA-1: 0x712FE24D04FEB99CB2E95569A3A556F19DFDD1BF	(not available)
2	%DownloadedProgramFiles%\BcHCMJEEXFxaCm3q.Ttf	216 bytes	MD5: 0x21709145F54556527F5E261ADF054ADB SHA-1: 0xCEE29F548731E82EDA4C06916F1431678DBD9192	(not available)
3	%DownloadedProgramFiles%\SURk9eZHgnrJjPxmC.Ttf	208 bytes	MD5: 0x7DC6E21FC2ABFC24375937FCC5B25D0C SHA-1: 0xAE1A618B8EE3DF49EF2E9423D232A31A6B394FD6	(not available)
4	%FontsDir%\HXxfduw9KeQTCeP6Z.Ttf	212 bytes	MD5: 0xFA6971A7D02B189CA9062AF8120911E0 SHA-1: 0xC2E7014276676A7D2833409CDBD71F12B9058142	(not available)
5	%System%\2exJW3dsaTgWrf5uAPadmHN.dll	225,900 bytes	MD5: 0x00737020B15A2D3F58506325F79B3B44 SHA-1: 0xF2C87D5ABB8A8E219F7FD509BF0A2946E016F59A	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.bvsg [Kaspersky Lab] PWS-OnlineGames.ek [McAfee] Troj/PWS-BCC [Sophos] Trojan-GameThief.Win32.Magania [Ikarus] Win-Trojan/OnlineGameHack.225901 [AhnLab] packed with PE_Patch.UPX [Kaspersky Lab]
6	%System%\FsmBY3kmWnAG5gRbwGgU.inf	21,102 bytes	MD5: 0x960549032BDCA94E16F61FF90A71F42B SHA-1: 0xB1E794B7FED4AAC59E197A6C5CAF9597BA518A4D	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.clvc [Kaspersky Lab] PWS-OnlineGames.ek [McAfee] Mal/Emogen-R [Sophos] Trojan-GameThief.Win32.Magania [Ikarus]
7	%System%\RXNK8eR3xW8KTCWBCGTbqm.inf	19,562 bytes	MD5: 0xCB38D8C58429D1B54FC99DA2D872E775 SHA-1: 0xF85E2BA0181164A1C119BED5DBF25E6FF219185A	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.clvg [Kaspersky Lab] PWS-OnlineGames.ek [McAfee] Mal/Generic-A [Sophos] Generic.Onlinegames [Ikarus] Win-Trojan/OnlineGameHack.19562.O [AhnLab] packed with PE_Patch.UPX [Kaspersky Lab]

The following file was deleted:

%System%\drivers\asyncmac.sys

The following files were modified:

%System%\comres.dll
%System%\drivers\etc\hosts

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[generic host process]	[generic host process filename]	20,480 bytes
updater.exe	%System%\updater.exe	176,128 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

Attention! The following process was intentionally hidden from the user:

Process Name	Main Module Size
qqtt.exe293.exe	176,128 bytes

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
Wfayv6njQnCsg.inf	%Windir%\Tasks\Wfayv6njQnCsg.inf	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x1E80000 - 0x1E96000
Wfayv6njQnCsg.inf	%Windir%\Tasks\Wfayv6njQnCsg.inf	Process name: msmsgs.exe Process filename: %ProgramFiles%\messenger\msmsgs.exe Address space: 0x10000000 - 0x10016000
Ces5WqX3ApQMPmMbYZUxPYh.inf	%Windir%\Tasks\Ces5WqX3ApQMPmMbYZUxPYh.inf	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x10000000 - 0x10016000
EX6yHpM6akhMMh4bDbXPAWssHcE.inf	%System%\EX6yHpM6akhMMh4bDbXPAWssHcE.inf	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x2520000 - 0x2536000
ujMhyGsS7tRV9gU2HHMkJcu7DPU.inf	%System%\ujMhyGsS7tRV9gU2HHMkJcu7DPU.inf	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x2540000 - 0x2553000
dEAXUPxQWEyAvpH4Pd3brcyYSHV.inf	%Windir%\Tasks\dEAXUPxQWEyAvpH4Pd3brcyYSHV.inf	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x2560000 - 0x2576000
WUstNjhyfQfpv8PQbC.cur	%DownloadedProgramFiles%\WUstNjhyfQfpv8PQbC.cur	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x2890000 - 0x28A4000
kb218234933.dll	%FontsDir%\kb218234933.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x28B0000 - 0x28C4000
122B901E.dll	%System%\122B901E.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x28D0000 - 0x28E1000
z6FVkEF47huPzgaXee.inf	%System%\z6FVkEF47huPzgaXee.inf	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x28F0000 - 0x2901000
Wfayv6njQnCsg.inf	%Windir%\Tasks\Wfayv6njQnCsg.inf	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x1620000 - 0x1636000
[filename of the sample #1]	[file and pathname of the sample #1]	Process name: [generic host process] Process filename: [generic host process filename] Address space: 0x10000000 - 0x1000E000
kb218234933.dll	%FontsDir%\kb218234933.dll	Process name: updater.exe Process filename: %System%\updater.exe Address space: 0x850000 - 0x864000
kb218234933.dll	%FontsDir%\kb218234933.dll	Process name: cmd.exe Process filename: %System%\cmd.exe Address space: 0x840000 - 0x854000

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

There were new kernel-mode drivers installed in the system:

Driver Name	Driver Filename
NtHid.sys	%Temp%\nthid.sys
pcidump.sys	%System%\drivers\pcidump.sys

Attention! The following Major I/O Request Packet (IRP) function was hooked in the kernel-mode driver:

IRP_MJ_CREATE

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{012AA32F-36E6-405F-9F3F-588E0AA73FBB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{012AA32F-36E6-405F-9F3F-588E0AA73FBB}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05FF273B-258B-432D-96B8-E3FE79CEEFB7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05FF273B-258B-432D-96B8-E3FE79CEEFB7}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{122B901E-493F-4AD9-BC69-7DE8C3E52FCC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{122B901E-493F-4AD9-BC69-7DE8C3E52FCC}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2F5E182E-4BF4-4EEE-A124-F64E74A379DA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2F5E182E-4BF4-4EEE-A124-F64E74A379DA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32D1A17C-A0E9-4B05-AD83-A292B98CD824}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32D1A17C-A0E9-4B05-AD83-A292B98CD824}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{526EB425-7F56-4773-8D70-B8E45AA8E2B6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{526EB425-7F56-4773-8D70-B8E45AA8E2B6}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74DA2FEC-F68F-4DC7-9A45-9174AC044427}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74DA2FEC-F68F-4DC7-9A45-9174AC044427}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7CC109E5-B2FC-4FEE-AF04-74B2DCBD2540}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7CC109E5-B2FC-4FEE-AF04-74B2DCBD2540}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87DE8A1A-96C5-4420-B222-EF998F697CE7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87DE8A1A-96C5-4420-B222-EF998F697CE7}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C3BDE61A-DB4C-4a68-8A01-CD4A29B88974}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C3BDE61A-DB4C-4a68-8A01-CD4A29B88974}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F42FCDA4-76C1-4827-9BC3-1C95ADBD6035}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F42FCDA4-76C1-4827-9BC3-1C95ADBD6035}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\142Qcdg`mz,gzg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\142vpc{,gzg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360se.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360SoftMgrSvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360speedld.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aacrr,gzg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAglvgp,gzg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aaGtvOep,gzg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aaQgvOep,gzg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antiarp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ast.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccEvtMgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSetMgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CeglvQtp,gzg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clvkcpr,gzg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctr,gzg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fgducvaj,gzg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gewk,gzg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gipl,gzg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IctQvcpv,gzg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IKQQta,gzg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iocknoml,gzg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IRDU10,GZG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ITOmlZR,IZR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ITQptZR,gzg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krnl360svc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kswebshield.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcagent.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcinsupd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McNASvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcods.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McSACore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdmgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC3.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msksrver.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nktgqpt,gzg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oaceglv,gzg

The following Registry Keys were deleted:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AppMgmt
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Base
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot Bus Extender
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot file system
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CryptSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmadmin
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmboot.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmio.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmload.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmserver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\EventLog
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\File system
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Filter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\HelpSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Netlogon
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PCI Configuration
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PlugPlay
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PNP Filter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Primary disk
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SCSI Class
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sermouse.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sr.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SRService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\System Bus Extender
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vga.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vgasave.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinMgmt
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\AFD
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\AppMgmt
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Base
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Boot Bus Extender
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Boot file system
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Browser
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\CryptSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Dhcp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmadmin
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmboot.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmio.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmload.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\dmserver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\DnsCache
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\EventLog
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\File system
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Filter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\HelpSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ip6fw.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ipnat.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\LanmanServer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\LanmanWorkstation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\LmHosts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Messenger
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NDIS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NDIS Wrapper
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Ndisuio
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBIOS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBIOSGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetDDEGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Netlogon
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetMan
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Network
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetworkProvider
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\nm
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\nm.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NtLmSsp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PCI Configuration
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PlugPlay
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PNP Filter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PNP_TDI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Primary disk
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpcdd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpdd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpwd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdsessmgr
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\SCSI Class
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\sermouse.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\SharedAccess
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\sr.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\SRService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Streams Drivers
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\System Bus Extender

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{012AA32F-36E6-405F-9F3F-588E0AA73FBB}\InprocServer32]

(Default) = "%Windir%\Tasks\Wfayv6njQnCsg.inf"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05FF273B-258B-432D-96B8-E3FE79CEEFB7}\InprocServer32]

(Default) = "%System%\UadN5xYYC8FXprkCdzyMewN.inf"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{122B901E-493F-4AD9-BC69-7DE8C3E52FCC}\InprocServer32]

(Default) = "%System%\122B901E.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2F5E182E-4BF4-4EEE-A124-F64E74A379DA}\InprocServer32]

(Default) = "%System%\EX6yHpM6akhMMh4bDbXPAWssHcE.inf"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32D1A17C-A0E9-4B05-AD83-A292B98CD824}\InprocServer32]

(Default) = "%Windir%\Tasks\dEAXUPxQWEyAvpH4Pd3brcyYSHV.inf"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{526EB425-7F56-4773-8D70-B8E45AA8E2B6}\InprocServer32]

(Default) = "%DownloadedProgramFiles%\WUstNjhyfQfpv8PQbC.cur"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74DA2FEC-F68F-4DC7-9A45-9174AC044427}\InprocServer32]

(Default) = "%System%\z6FVkEF47huPzgaXee.inf"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7CC109E5-B2FC-4FEE-AF04-74B2DCBD2540}\InprocServer32]

(Default) = "%System%\ujMhyGsS7tRV9gU2HHMkJcu7DPU.inf"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87DE8A1A-96C5-4420-B222-EF998F697CE7}\InprocServer32]

(Default) = "%System%\2exJW3dsaTgWrf5uAPadmHN.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C3BDE61A-DB4C-4a68-8A01-CD4A29B88974}\InprocServer32]

(Default) = "%FontsDir%\kb218234933.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F42FCDA4-76C1-4827-9BC3-1C95ADBD6035}\InprocServer32]

(Default) = "%Windir%\Tasks\Ces5WqX3ApQMPmMbYZUxPYh.inf"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

{F42FCDA4-76C1-4827-9BC3-1C95ADBD6035} = ""
{2F5E182E-4BF4-4EEE-A124-F64E74A379DA} = ""
{7CC109E5-B2FC-4FEE-AF04-74B2DCBD2540} = ""
{32D1A17C-A0E9-4B05-AD83-A292B98CD824} = ""
{526EB425-7F56-4773-8D70-B8E45AA8E2B6} = ""
{C3BDE61A-DB4C-4a68-8A01-CD4A29B88974} = ""
{122B901E-493F-4AD9-BC69-7DE8C3E52FCC} = ""
{74DA2FEC-F68F-4DC7-9A45-9174AC044427} = ""
{05FF273B-258B-432D-96B8-E3FE79CEEFB7} = ""
{012AA32F-36E6-405F-9F3F-588E0AA73FBB} = ""
{87DE8A1A-96C5-4420-B222-EF998F697CE7} = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

updater = "%System%\updater.exe"

so that updater.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\142Qcdg`mz,gzg]

142Qcdg`mz,gzg = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\142vpc{,gzg]

142vpc{,gzg = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe]

Debugger = "ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.exe]

Debugger = "ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]

Debugger = "ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe]

Debugger = "ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe]

Debugger = "ntsd -d"
360Safebox.exe = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe]

Debugger = "ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360se.exe]

Debugger = "ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360SoftMgrSvc.exe]

Debugger = "ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360speedld.exe]

Debugger = "ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]

Debugger = "ntsd -d"
360tray.exe = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aacrr,gzg]

aacrr,gzg = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAglvgp,gzg]

AAglvgp,gzg = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aaGtvOep,gzg]

aaGtvOep,gzg = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aaQgvOep,gzg]

aaQgvOep,gzg = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe]

AgentSvr.exe = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antiarp.exe]

antiarp.exe = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ast.exe]

Debugger = "ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe]

Debugger = "ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe]

Debugger = "ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe]

Debugger = "ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe]

Debugger = "ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]

Debugger = "ntsd -d"
avp.exe = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe]

Debugger = "ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe]

Debugger = "ntsd -d"
bdagent.exe = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe]

ccapp.exe = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe]

Debugger = "ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccEvtMgr.exe]

ccEvtMgr.exe = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSetMgr.exe]

ccSetMgr.exe = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe]

Debugger = "ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CeglvQtp,gzg]

CeglvQtp,gzg = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clvkcpr,gzg]

clvkcpr,gzg = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctr,gzg]

ctr,gzg = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe]

defwatch.exe = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]

Debugger = "ntsd -d"
egui.exe = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]

Debugger = "ntsd -d"
ekrn.exe = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fgducvaj,gzg]

fgducvaj,gzg = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gewk,gzg]

gewk,gzg = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gipl,gzg]

gipl,gzg = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IctQvcpv,gzg]

IctQvcpv,gzg = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IKQQta,gzg]

IKQQta,gzg = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iocknoml,gzg]

iocknoml,gzg = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IRDU10,GZG]

IRDU10,GZG = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ITOmlZR,IZR]

ITOmlZR,IZR = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ITQptZR,gzg]

ITQptZR,gzg = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe]

Debugger = "ntsd -d"
KavStart.exe = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe]

Debugger = "ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe]

Debugger = "ntsd -d"
kmailmon.exe = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe]

Debugger = "ntsd -d"
KPFW32.EXE = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe]

Debugger = "ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krnl360svc.exe]

Debugger = "ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kswebshield.exe]

Debugger = "ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp]

Debugger = "ntsd -d"
KVMonXP.KXP = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe]

Debugger = "ntsd -d"
KVSrvXP.exe = "%System%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe]

Debugger = "ntsd -d"

Attention! The newly created hidden Registry Value is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe]

Debugger = "ntsd -d"

The following Registry Values were deleted:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

VMware Tools = "%ProgramFiles%\VMware\VMware Tools\VMwareTray.exe"
VMware User Process = "%ProgramFiles%\VMware\VMware Tools\VMwareUser.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

AppInit_DLLs = ""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]

(Default) = "Human Interface Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]

(Default) = "Volume"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]

(Default) = "Floppy disk drive"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]

(Default) = "System"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]

(Default) = "SCSIAdapter"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]

(Default) = "PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]

(Default) = "Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]

(Default) = "Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]

(Default) = "Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]

(Default) = "Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]

(Default) = "DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]

(Default) = "CD-ROM Drive"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]

(Default) = "Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinMgmt]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vgasave.sys]

(Default) = "Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vga.sys]

(Default) = "Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\System Bus Extender]

(Default) = "Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SRService]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sr.sys]

(Default) = "FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sermouse.sys]

(Default) = "Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SCSI Class]

(Default) = "Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RpcSs]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Primary disk]

(Default) = "Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PNP Filter]

(Default) = "Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PlugPlay]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PCI Configuration]

(Default) = "Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Netlogon]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\HelpSvc]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Filter]

(Default) = "Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\File system]

(Default) = "Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\EventLog]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmserver]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmload.sys]

(Default) = "Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmio.sys]

(Default) = "Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmboot.sys]

(Default) = "Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmadmin]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DcomLaunch]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CryptSvc]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot file system]

(Default) = "Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot Bus Extender]

(Default) = "Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Base]

(Default) = "Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AppMgmt]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]

(Default) = "Human Interface Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]

(Default) = "Volume"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]

(Default) = "Floppy disk drive"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]

(Default) = "System"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]

(Default) = "SCSIAdapter"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]

(Default) = "PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]

(Default) = "NetTrans"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]

(Default) = "NetService"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]

(Default) = "NetClient"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]

(Default) = "Net"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]

(Default) = "Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]

(Default) = "Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]

(Default) = "Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]

(Default) = "Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]

(Default) = "DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]

(Default) = "CD-ROM Drive"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}]

(Default) = "Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\WZCSVC]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\WinMgmt]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\vgasave.sys]

(Default) = "Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\vga.sys]

(Default) = "Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\termservice]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdtcp.sys]

(Default) = "Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdpipe.sys]

(Default) = "Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\TDI]

(Default) = "Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Tcpip]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\System Bus Extender]

(Default) = "Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Streams Drivers]

(Default) = "Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\SRService]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\sr.sys]

(Default) = "FSFilter System Recovery"

[[pathname with a string SHARE]\SharedAccess]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\sermouse.sys]

(Default) = "Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\SCSI Class]

(Default) = "Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\RpcSs]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdsessmgr]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpwd.sys]

(Default) = "Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpdd.sys]

(Default) = "Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\rdpcdd.sys]

(Default) = "Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Primary disk]

(Default) = "Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PNP_TDI]

(Default) = "Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PNP Filter]

(Default) = "Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PlugPlay]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\PCI Configuration]

(Default) = "Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NtLmSsp]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\nm.sys]

(Default) = "Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\nm]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetworkProvider]

(Default) = "Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Network]

(Default) = "Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetMan]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Netlogon]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetDDEGroup]

(Default) = "Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBT]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBIOSGroup]

(Default) = "Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBIOS]

(Default) = "Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Ndisuio]

(Default) = "Service"

Other details

Analysis of the file resources indicate the following possible country of origin:

China

The HOSTS file was updated with the following URL-to-IP mapping:

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
119.42.225.184	80
119.42.227.250	80
121.12.109.139	80
121.12.110.145	80

The data identified by the following URLs was then requested from the remote web server:

http://js.tongji.linezing.com/1230256/tongji.js
http://121.12.109.139/nbok01/RXCQTT.exe
http://121.12.109.139/nbok01/mhxuTT.exe
http://121.12.109.139/nbok01/qq3gTT.exe
http://121.12.109.139/nbok01/mxsTT.exe
http://121.12.109.139/nbok01/wmgjTT.exe
http://121.12.109.139/nbok01/zxTT.exe
http://121.12.109.139/nbok01/wdTT.exe
http://121.12.109.139/nbok01/dh2TT.exe
http://121.12.109.139/nbok01/qqtt.exe.exe
http://121.12.109.139/nbok01/dnfTT.exe
http://121.12.109.139/nbok01/tlTT.exe
http://www.114baines.com/msn/qq.txt
http://www.114Baines.com/msn/count.asp?mac=00c02918ab11&xxx=ma1
http://www.114baines.com/msn/163.exe
http://nbtj.114anhui.com/msn/163.htm?1

Heuristics Analysis

Heuristically identified capability of spreading across the following weakly restricted network shares:

The network replication uses a dictionary attack by probing credentials from the following list:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.