Analysis Date: 2015-08-28 11:28:44
MD5: c068de75c6d81b8dba86fec207281428
SHA1: 36ec020aa19e25a133a1d5a9f63d48a81bdd0f83

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: c02003b9f50c63f6a112afcee0c8057e sha1: 7a491315e9fb929b216e9d249e0b05bee0c28465 size: 16384
Section: .data md5: 2395a14b242238675b3a7322d039eb97 sha1: 9221e044437a07c96ff3c8a686e1f031edf554aa size: 4096
Section: .rsrc md5: baabdff38152118699c72fc17e454372 sha1: 519883dd302e18b465fe071e2fb2957501e1d7ad size: 8192
Section: !55u md5: fdb2840b38dd8eef825653987335c4db sha1: 722c49e541fb103fffe3d8d6d16abd7bb377b2c1 size: 20480
Section: .tc md5: e347d822422ba661f7c3e4bf8a8b7f6f sha1: 6bf1063e8583ccbf180c94472bdff061fe1558a8 size: 28672
Section: W55uj md5: 141f2f096939449412ceec1c3ad435c6 sha1: 28bec8b32534178eb04fdef99b6ac80d3629e6a9 size: 20480
Timestamp: 2001-07-19 19:29:57
Pdb path: pdb
Version:
LegalCopyright: Copyright (C) Microsoft Corp. 1981-2000
InternalName: MSNUNIN
FileVersion: 6.10.0016.1624
CompanyName: Microsoft Corporation
Built by: msnbld
ProductName: Microsoft(R) MSN (R) Communications System
ProductVersion: 6.10.0016.1624
FileDescription: MSN Uninstall Progman
OriginalFilename: MSNUNIN.EXE
PEhash: 1234840ca0de89bfdc80714a9d3a95e2890a2ea7
IMPhash: 2a1c59f2822a4b9e0435e5c824306502
AV Rising: Win32.Roue.a
AV Mcafee: W32/Kudj
AV Avira (antivir): W32/Jadtre.B
AV Twister: Virus.558BEC81EC@120000#.mg
AV Ad-Aware: Win32.VJadtre.3
AV Alwil (avast): Malware-gen:Viking-CF:Win32:Malware-gen:Win32:Viking-CF
AV Eset (nod32): Win32/Wapomi.BA virus
AV Grisoft (avg): Win32/Wapomi.I
AV Symantec: W32.Wapomi.C!inf
AV Fortinet: W32/Nimnul.F
AV BitDefender: Win32.VJadtre.3
AV K7: Virus ( 0040f7441 )
AV Microsoft Security Essentials: Virus:Win32/Mikcer.B
AV MicroWorld (escan): Win32.VJadtre.3
AV MalwareBytes: no_virus
AV Authentium: W32/PatchLoad.E
AV Frisk (f-prot): W32/PatchLoad.E
AV Ikarus: Trojan-Downloader.Win32.Small
AV Emsisoft: Win32.VJadtre.3
AV Zillya!: Virus.Nimnul.Win32.5
AV Kaspersky: Virus.Win32.Nimnul.f
AV Trend Micro: PE_WAPOMI.BM
AV CAT (quickheal): W32.Nimnul.F1
AV VirusBlokAda (vba32): Virus.Nimnul.19209
AV Padvish: no_virus
AV BullGuard: Win32.VJadtre.3
AV Arcabit (arcavir): Win32.VJadtre.3
AV ClamAV: Win.Trojan.Downloader-64296
AV Dr. Web: BackDoor.Darkshell.246
AV F-Secure: Win32.VJadtre.3
AV CA (E-Trust Ino): Win32/Nimnul.A

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\flYtceO.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\vqjSfS.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\vqjSfS.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\flYtceO.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://nbtj.114anhui.com/msn/163.htm?2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\Settings ➝ NULL
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝ 3
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝ 4
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝ 4
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\NetworkService\Favorites\desktop.ini
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\NetworkService\Cookies\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\NetworkService\Favorites\Desktop.ini
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: Shell.CMruPidlList
Winsock DNS: nbtj.114anhui.com

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"

Creates File: C:\WINDOWS\system32\dllcache\lsasvc.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\vqjSfS.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\acroaum.exe
Creates File: C:\temp\files\vqjSfS.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\setup.exe
Creates File: C:\temp\files\malware.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\instmsiw.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
Winsock DNS: ddos.dnsnb8.net
Winsock URL: http://ddos.dnsnb8.net:799/cj//k1.rar

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Creates File: PIPE\SfcApi
Creates File: PIPE\wkssvc
Creates File: C:\WINDOWS\system32\qmgr.dll
Creates File: C:\WINDOWS\system32\mspmsnsv.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"
Starts Service: WmdmPmSN

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\flYtceO.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\temp\files\AcroRd32.exe
Creates File: C:\temp\files\AcroRd32Info.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
Creates File: C:\temp\files\setup.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\setup.exe
Creates File: C:\temp\files\instmsiw.exe
Creates File: C:\temp\files\malware.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\instmsiw.exe
Creates File: C:\temp\files\reader_sl.exe
Creates File: PIPE\lsarpc
Creates File: C:\temp\files\Digcore.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
Creates File: C:\temp\files\msnsusii.exe
Creates File: C:\temp\files\AdobeUpdateManager.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Creates File: C:\temp\files\flYtceO.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\acroaum.exe
Creates File: C:\temp\files\vqjSfS.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: C:\temp\files\monitor.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
Creates File: C:\temp\files\Msncli.exe
Creates File: C:\temp\files\acroaum.exe
Winsock DNS: ddos.dnsnb8.net
Winsock URL: http://ddos.dnsnb8.net:799/cj//k1.rar

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint

Process
↳ Pid 812

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Start ➝ 2
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G56V8XAH\desktop.ini
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\ODE345I7\desktop.ini
Creates File: NtHid
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\Documents and Settings\NetworkService\Cookies\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YSKU8U0B\desktop.ini
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\NtHid.sys
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9WG0YPJS\desktop.ini
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes File: C:\WINDOWS\TEMP\NtHid.sys
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe http://nbtj.114anhui.com/msn/163.htm?2
Creates Mutex: c:!documents and settings!networkservice!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!networkservice!cookies!
Creates Mutex: c:!documents and settings!networkservice!local settings!temporary internet files!content.ie5!
Creates Service: NtHid - C:\WINDOWS\TEMP\NtHid.sys
Winsock DNS: 141.8.226.14
Winsock DNS: www.490a-B8B5-9B8C1E870B0C.com
Winsock DNS: www.baidu.com
Winsock DNS: pc1.114central.com
Winsock URL: http://141.8.226.14/ko/03.exe
Winsock URL: http://141.8.226.14/ko/02.exe

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1872

Process
↳ Pid 1160

Network Details:

DNS: nbtj.114anhui.com
Type: A
193.166.255.171
DNS: www.a.shifen.com
Type: A
103.235.46.39
DNS: pc1.114central.com
Type: A
141.8.226.14
DNS: ddos.dnsnb8.net
Type: A
DNS: www.baidu.com
Type: A
DNS: www.490a-B8B5-9B8C1E870B0C.com
Type: A
HTTP GET: http://141.8.226.14/ko/01.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://nbtj.114anhui.com/msn/163.htm?2
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://141.8.226.14/ko/02.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://141.8.226.14/ko/03.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1037 ➝ 141.8.226.14:80
Flows TCP: 192.168.1.1:1039 ➝ 193.166.255.171:80
Flows TCP: 192.168.1.1:1040 ➝ 141.8.226.14:80
Flows TCP: 192.168.1.1:1041 ➝ 141.8.226.14:80

Raw Pcap

Strings