130 votes

Daily Paul Erroneously Flagged for Malware (Again)

Friends, it happened again. Back on June 1, Google flagged the Daily Paul as being a distributor of malware. Today it happened again.

Like last time, again it appears to be due to my advertising service provider, which supplied the code that Google is flagging as malicious. It is highly unlikely that there is any problem. Nonetheless, I removed the code that Google identified as suspicious. The next step for me is to resubmit the site to Google for a scan. However, due to weird hosting issues (it is a long story), some changes on the site that should register immediately (such as this) don't. So I will wait a few hours before submitting the site to Google to check. It will likely take them up to a day to resolve the issue. So be prepared to see Google's ugly red warning screen for at least the next 24 hours.

Rest assured, the Daily Paul has not been hijacked or hacked. Thanks everyone for your patience and support. - sigh -

Michael
dailypaul.com/donate


Arggggg

Sometimes I want to attack the fuckers back. To me they are like pedophiles or Romney supporters (haven't seen one yet). It is illegal for us the serfs, but not when authorized by the statist people in government or cronies.

Analysis

Guys, I posted below a report from an analysis done in a virtual machine. The system used to analyze the malware doesn't rely on definitions. Norton, SEP, AVG, etc. will not pick it up, because it is an unknown malware and there are no definitions created yet that will help your AV to recognize it. My system relies on monitoring all communications and conditions that, if true, will trigger an automatic analysis in 7 different OSes in virtual machines. Look at the god damn report I posted here for you guys to determine if you are infected. I also saw encrypted data leaving the machine going to the destination IP. Michael, the destination IP is at the end of the report.

And the destination IP gives

(whois works pretty good if you use it)

inetnum: 88.198.172.64 - 88.198.172.79
netname: VPSSERVER
descr: vpsserver
country: DE
admin-c: VK1952-RIPE
tech-c: VK1952-RIPE
status: ASSIGNED PA
mnt-by: HOS-GUN
source: RIPE # Filtered

person: Viacheslav Krivosheev
address: vps-server
address: Poliykovskaiy 8a
address: 153011 IVANOVO
address: RUSSIAN FEDERATION
phone: +79270563774
nic-hdl: VK1952-RIPE
mnt-by: HOS-GUN
source: RIPE # Filtered

route: 88.198.0.0/16
descr: HETZNER-RZ-NBG-BLK4
origin: AS24940
org: ORG-HOA1-RIPE
mnt-by: HOS-GUN
source: RIPE # Filtered

organisation: ORG-HOA1-RIPE
org-name: Hetzner Online AG
org-type: LIR
address: Hetzner Online AG
Attn. Martin Hetzner
Stuttgarter Str. 1
91710 Gunzenhausen
GERMANY
phone: +49 9831 610061
fax-no: +49 9831 610062
admin-c: DM93-RIPE
admin-c: GM834-RIPE
admin-c: HOAC1-RIPE
admin-c: MH375-RIPE
admin-c: RB1502-RIPE
admin-c: SK2374-RIPE
admin-c: TF2013-RIPE
admin-c: MF1400-RIPE
mnt-ref: HOS-GUN
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

I've never been blocked

Am not sure what you guys are talking about. This computer uses Eset Nod32 antivirus, browses with Internet Explorer, and is hooked to Comcast cable.

Occasionally Eset will put up a sticky saying it cleaned something, that's all. Never any warning about the daily paul being bad, and never has it stopped me from going to the Daily Paul.

BTW, as far as virus protection, I found many years ago that Eset is the good stuff; it is much, much lighter than the others, putting little or no load on the computer, it's non-intrusive to the user, and it really appears to have kept all my computers clean for many years despite all sorts of unconventional browsing and downloading. Well worth the $30-40 a year.

But yeah, my computer has not shown any of the blockage or warnings being talked about.

OOOOH!! it has to do with Chip-Ins I think!

Like I said below I was trying to post a comment at the Rhode Island Delegate Chip In thread and got all caught up in the Malware Warning thing AND THEN when I finally got it all straightened out I WASN'T AT THE RI CHIP IN THREAD I WAS AT SOME POST at the Dailypaul about how we needed to support some guy running for office and it had a CHIP IN going on.

LOOK
look at the name of the file listed below by foo:

It also deposited the following registry key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ciphnime" ="rundll32 \"C:\\ProgramData\\attrrcpl64.dll\",CreateProcessNotify"

I THINK SOMEONE IS TRYING TO SNEAK INTO THIS CHIP IN THING.
Just a theory.

of course I am NOT a programmer

of course I am not a programmer - "ciphnime" looked like Chipin scrambled up.

I thought that maybe there might be some connection between both of the pages. I started at the RI chipin page - went to Malware Alert - and ended up at some different DailyPaul Chipin page that I wasn't even familiar with. Just that is enough for me to think it has something to do with ChipIn being referenced.

just trying to help with my observation - not prove my theory.

It's not erroneous...

Every time I come to this site now, some sort of event happens that triggers a JavaScript that errors out. It has all the hallmarks of a Java exploit trying to launch a trojan or a worm.

If it's not a virus on your server, then it is someone who is advertising on your site and their ad is an exploit of some kind and people here are at risk of being infected.

When the Googlebot came by to index new content, it recognized the script and penalized you. You are now sandboxed. Sometimes Google will let you out, sometimes they don't. It's a gamble because they answer to nobody. You lucked out the last time it happened.

What you need to do is contact your hosting company and have them scan your server. If it's clean, you need to figure out which ad is triggering the event and ban that advertiser.

I would normally assume the former, but since you guys aren't sharp enough to keep Mitt Romney ads from showing on the site, it's more likely the latter.

haha! love that you ended with a sardonic internet nerd comment

I love that you ended with a sardonic internet nerd comment!

I up-voted you because your assessment probably is correct. I got the Malware Warning last night when I was trying to post a comment at the ChipIn for RI Delegates post.

http://www.dailypaul.com/244322/please-help-rhode-island-chi...

Haha!

I didn't mean to come off like a nerd, I just do business on the internet and know how easy it is to filter certain Google Adsense ads from a site. BTW, It has nothing to do with the Chip In.

GOOD! now everyone can go ChipIn at the RI delegates site!!

we NEED YOUR HELP!
:-)

gee....I wonder if people will go and chip in now. :-(

I wonder if it was just to freak people out so they WOULD NOT donate?

:-) but why was I redirected BACK to some unknown page at DP

but why was I redirected BACK to some unknown page at DP about some other guy running who was doing a chipin? I had never ever been to that page before. That's what made me think that it isn't necessarily chipin but someone wanting to harvest IPs that are friendly to chipin.

Daily Paul Erroneously Flogged for truth telling, (again).

Last time it was just before a major State Convention.

Free includes debt-free!

not only is my web browsers

not only are my web browsers such as Firefox and Internet Explorer not wanting me to view this site, but now my firewall is blocking it as well.

Yahoo has been hacked. You need to redo your Yahoo Password

Yahoo Passwords were downloaded by an unknown source and published online. So everyone who has a Yahoo account for safety reasons needs to redo their password. Do not have source link. My roommate informed me.

I got hit with something

when I logged in. I overrode/ignored the message. AND my computer turned blue and logged me out. I got an error Bad Pool Header. I ran my Malware in SafeMode but nothing came up. So, I reset my computer to two days ago and it is fine now. So, there was something and I won't ignore those messages again.

Healthnut4freedom

The lip of truth shall be established forever: but a lying tongue is but for a moment...Lying lips are abomination to the LORD: but they that deal truly are His delight. Prov 12:19,22

Here is a full report if you feel like browsing through it

User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_04
Host: moreopenportlast.dyndns.biz
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

HTTP/1.1 200 OK
Server: lighttpd
Date: Thu, 12 Jul 2012 17:00:38 GMT
Content-Type: application/octet-stream
Connection: keep-alive
X-Powered-By: PHP/5.2.10
Content-Disposition: inline; filename=b105d5d6.exe
Content-Length: 285184
profile: winxp-sp2
executed-at: 2012-07-12T16:54:04.032032
application: explorer
os-changes (id:99939):
osinfo: Microsoft WindowsXP Professional 5.1 sp2
version: 4.668
analysis:
ftype: exe
mode: malware
version: 4.668
os (name:windows):
version: 5.1.2600
sp: 2
os_monitor:
date: Jan 24 2012
build: 69105
time: 14:44:55
mode: privilege use
uac (mode:privilege use): SeTcbPrivilege
uac:
mode: service
value: Telephony
status: running
process:
mode: started
value: C:\b105d5d6.exe
pid: 420
ppid: 1912
parentname: C:\WINDOWS\system32\cmd.exe
cmdline: "c:\b105d5d6.exe"
filesize: 285184
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
sha1sum: 6beaef2c49d9e7377648667e0f666675132a459c
ads:
fid (ads:): 281474976737592
malicious-alert:
classtype: anomaly-tag
msg: A new process has been launched
display-msg: Startup behavior anomalies observed
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: WaitForMultipleObjectsEx
address: 0x77df9b26
params:
param (id:1): 2
param (id:2): 0x00b9ff6c
param (id:3): 0
param (id:4): 300000
param (id:5): 1
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: WaitForSingleObject
address: 0x01001b7c
params:
param (id:1): 0x0000072c
param (id:2): 1
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: Sleep
address: 0x01001bba
params:
param (id:1): 1000
malicious-alert:
classtype: misc-anomaly
msg: Malware Sleep
display-msg: Tracking Sleep/SleepEx API Call
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: WaitForMultipleObjectsEx
address: 0x77df9b26
params:
param (id:1): 2
param (id:2): 0x00b9ff6c
param (id:3): 0
param (id:4): 300000
param (id:5): 1
regkey:
mode: setval
value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = 60 16 f6 66 27 97 22 43 01 df 9e 64 18 81 d5 8b ae 6a 8b b6 a9 9f ef 2a ac a0 7b 31 4c 7d b1 ad 3c 2b 45 3b 54 19 cb 1b cf 97 0a 5b 88 f8 55 48 fe cf 89 6d d6 86 14 34 f4 f4 8b 23 3b 05 15 9f d6 82 49 9d 03 22 ae 47 b0 da 36 20 83 28 e8 4b
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
malicious-alert:
classtype: misc-anomaly
msg: Malware performing cryptographic operations
display-msg: Cryptographic operations performed
mutex:
value:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
mode: privilege use
uac (mode:privilege use): SeTcbPrivilege
uac:
mode: service
value: Remote Access Connection Manager
status: running
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: Sleep
address: 0x010023a1
params:
param (id:1): 1000
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: GetSystemDirectoryA
address: 0x01001066
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: Sleep
address: 0x01001b76
params:
param (id:1): 2000
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: GetSystemDirectoryA
address: 0x010013ba
file:
mode: created
value: C:\WINDOWS\system32\clipdosx.dll
ads:
fid (ads:): 281474976737594
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
malicious-alert:
classtype: misc-anomaly
msg: New exe/dll/sys/ocx file created under WINDOWS or SYSTEM32 directories
display-msg: System services modified
file:
mode: close
value: C:\WINDOWS\system32\clipdosx.dll
ads:
fid (ads:): 281474976737594
filesize: 91136
md5sum: 75248a0a3142dfbb7c18c9e30a9c3ef6
sha1sum: fa0e102a5954c7b7a31f3f2da4e1213c3d47aa64
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: Process32First
address: 0x010015ab
malicious-alert:
classtype: misc-anomaly
msg: Malware enumerating all running processes
display-msg: Running processes listed
regkey:
mode: added
value: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
regkey:
mode: setval
value: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls\"cisvtdde" = C:\WINDOWS\system32\clipdosx.dll
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
codeinjection:
mode: existing process memory write code injection
source:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
target:
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
malicious-alert:
classtype: misc-anomaly
display-msg: Code injection detected
codeinjection:
mode: DLL injection
source:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
target:
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
codeinjection:
mode: existing process memory write code injection
source:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
target:
processinfo:
pid: 660
imagepath: C:\Program Files\Internet Explorer\iexplore.exe
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: IsDebuggerPresent
address: 0x5ad7b1ba
malicious-alert:
classtype: misc-anomaly
msg: Debugger awareness detected
display-msg: Malware trying to detect the presence of a debugger
codeinjection:
mode: DLL injection
source:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
target:
processinfo:
pid: 660
imagepath: C:\Program Files\Internet Explorer\iexplore.exe
file:
mode: created
value: C:\283859.bat
ads:
fid (ads:): 281474976737595
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
malicious-alert:
classtype: misc-anomaly
msg: Malware polluting root directory
display-msg: Root directory pollution
file:
mode: close
value: C:\283859.bat
ads:
fid (ads:): 281474976737595
filesize: 97
md5sum: d226a657b279c5fc0a892748230a56ff
sha1sum: fa7e4fb6d6de3c4769001cbfce0a00ba02ef28a5
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
regkey:
mode: setval
value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = eb e4 2f 5e d9 ce 7e 76 41 23 a7 80 1a 63 ed a7 7a 4d 95 34 4b ca f1 6a a2 39 b6 40 e5 a0 d1 db ab e8 20 ad e2 1b af 4e 38 f5 ec ad 6b aa 24 42 3c 72 3b 6a 32 51 62 a4 91 cc 85 77 7e 3e 41 f8 b2 fe b8 43 6b db b0 5e 82 12 6d 09 fa 5a 2d 04
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
regkey:
mode: setval
value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = 86 12 87 56 e3 34 5a 30 f4 1a 2a 3a 19 bb 97 4c 47 a7 be a8 68 b2 96 c7 a1 a0 e7 bf c6 dd d8 dd ec 0e 6c ee 3a 07 32 e5 68 96 51 13 e0 a8 c4 c6 56 3c 8f 06 90 09 e7 17 d8 f3 aa a0 6f 44 60 62 60 b3 c1 63 02 80 7e 84 d7 eb d3 29 42 8b a6 ed
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
regkey:
mode: setval
value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = 96 71 d4 bd 98 8d cb 0f 2f 99 5b 93 4d 3f ec 04 7b c0 78 db ca 25 c1 bc 9b 8c 41 ce a5 e4 46 9e 46 8d f2 de db de a4 a2 69 f0 72 30 10 39 2d dc 1a 73 de 90 10 ad 8e 0d 6b 79 0d 6d e7 e7 b1 33 99 f0 ba 4f 67 91 58 e2 e0 02 52 a4 7b f0 49 c5
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
regkey:
mode: setval
value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = 82 ff f0 c2 e5 11 32 e1 6d 10 ae 07 7c 36 aa de cc b6 46 1a 7e 15 6e ed ce c0 ea 7a 18 d6 02 a5 b8 fd 21 42 55 b4 e1 31 3f e3 1e c8 b2 be 70 61 92 16 93 e2 80 a7 bb 9d c9 79 bc 17 09 75 d5 8c 3b 5d a8 4f c4 68 d8 51 6c db fe bf 80 c5 a8 ef
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
regkey:
mode: setval
value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = 5d c5 ef 7b 03 a2 f7 06 77 9e 8b 61 87 5b f2 23 42 75 70 65 26 ff 2e 76 66 30 f5 7d 70 7e e7 51 85 3c 36 df b8 0c cd 19 6a 3a 8a 78 e2 40 14 b7 fa 84 30 e4 0e d9 89 bd c5 85 86 08 9c 62 8b 9a bd a5 f8 49 ca 7d 72 28 61 ae fa a4 cf 22 75 be
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
regkey:
mode: setval
value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = aa 7d bd 82 ae 36 93 ab 0e 12 50 77 ed ae 65 8c 21 93 4a 33 4b 84 4c 99 8f 3e a0 35 ea e1 eb c1 2a 27 1a 10 85 f4 d7 ba 35 2b 29 68 00 06 3e 82 51 03 b1 79 35 f5 b7 37 5c 5a 84 89 b9 9f 0f 35 e7 f4 29 e5 81 b3 48 07 ff c9 9c e2 8a 70 45 d4
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
regkey:
mode: setval
value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\"Seed" = 9b d2 1a 4e 53 15 06 ed 1a 3f 84 16 7a bc 3a 9d 32 4c 85 c5 66 7d b1 58 11 c5 f2 92 ad c0 52 86 af 46 56 31 e1 a7 26 ac 35 b2 4a 79 dc 64 4c 41 97 82 97 f0 06 e5 c8 95 b2 00 1c ae d1 91 93 3b 9c 7c 82 73 cc 88 66 1a 03 33 a2 6e a6 ca e6 b4
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dll-loaded:
processinfo:
pid: 660
imagepath: C:\Program Files\Internet Explorer\iexplore.exe
dllpath: C:\WINDOWS\system32\clipdosx.dll
md5sum: 75248a0a3142dfbb7c18c9e30a9c3ef6
sha1sum: fa0e102a5954c7b7a31f3f2da4e1213c3d47aa64
dll-loaded:
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
dllpath: C:\WINDOWS\system32\clipdosx.dll
md5sum: 75248a0a3142dfbb7c18c9e30a9c3ef6
sha1sum: fa0e102a5954c7b7a31f3f2da4e1213c3d47aa64
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: GetSystemDirectoryA
address: 0x74723c1f
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: GetSystemDirectoryA
address: 0x74723c1f
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: WaitForSingleObject
address: 0x7473d232
params:
param (id:1): 0x000006e8
param (id:2): 5000
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: WaitForSingleObject
address: 0x7473d232
params:
param (id:1): 0x000006e8
param (id:2): 5000
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: SetErrorMode
address: 0x77f67ec8
params:
param (id:1): 0x00000001
malicious-alert:
classtype: misc-anomaly
msg: Malware hiding critical error message boxes
display-msg: Critical error message boxes hidden
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: SetErrorMode
address: 0x77f67f0d
params:
param (id:1): 0x00000001
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Personal" = C:\Documents and Settings\admin\My Documents
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: GetSystemDirectoryW
address: 0x7792732c
mutex:
value:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e319f02e-31a9-11e1-9a3f-806d6172696f}\"BaseClass" = Drive
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e319f02c-31a9-11e1-9a3f-806d6172696f}\"BaseClass" = Drive
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: SetErrorMode
address: 0x77f67d62
params:
param (id:1): 0x00000001
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: SetErrorMode
address: 0x77f67d75
params:
param (id:1): 0x00000001
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: SetErrorMode
address: 0x77f67d62
params:
param (id:1): 0x00000001
file:
mode: open
value: C:\Documents and Settings\admin\My Documents\desktop.ini
ads:
fid (ads:): 281474976720145
filesize: 76
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: SetErrorMode
address: 0x77f67d75
params:
param (id:1): 0x00000001
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: SetErrorMode
address: 0x77f67d62
params:
param (id:1): 0x00000001
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: SetErrorMode
address: 0x77f67d75
params:
param (id:1): 0x00000001
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: SetErrorMode
address: 0x77f67d62
params:
param (id:1): 0x00000001
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: SetErrorMode
address: 0x77f67d75
params:
param (id:1): 0x00000001
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: SetErrorMode
address: 0x77f67d62
params:
param (id:1): 0x00000001
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: SetErrorMode
address: 0x77f67d75
params:
param (id:1): 0x00000001
regkey:
mode: setval
value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Common Documents" = C:\Documents and Settings\All Users\Documents
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: SetErrorMode
address: 0x77f67d62
params:
param (id:1): 0x00000001
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: SetErrorMode
address: 0x77f67d75
params:
param (id:1): 0x00000001
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: SetErrorMode
address: 0x77f67d62
params:
param (id:1): 0x00000001
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: SetErrorMode
address: 0x77f67d75
params:
param (id:1): 0x00000001
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Desktop" = C:\Documents and Settings\admin\Desktop
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
regkey:
mode: setval
value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Common Desktop" = C:\Documents and Settings\All Users\Desktop
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: GetSystemDirectoryW
address: 0x76fd8a1d
mutex:
value: \BaseNamedObjects\ZoneAttributeCacheCounterMutex
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"ProxyBypass" = 0x00000001
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"IntranetName" = 0x00000001
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"UNCAsIntranet" = 0x00000001
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"AutoDetect" = 0x00000001
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
mutex:
value: \BaseNamedObjects\ZoneAttributeCacheCounterMutex
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"ProxyBypass" = 0x00000001
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"IntranetName" = 0x00000001
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"UNCAsIntranet" = 0x00000001
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"AutoDetect" = 0x00000001
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: SetErrorMode
address: 0x7c813100
params:
param (id:1): 0x00008001
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Cache" = C:\Documents and Settings\admin\Local Settings\Temporary Internet Files
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: SetErrorMode
address: 0x7c8132b1
params:
param (id:1): 0x00000001
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: SetErrorMode
address: 0x7c813100
params:
param (id:1): 0x00008001
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: SetErrorMode
address: 0x7c8132b1
params:
param (id:1): 0x00000001
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Cookies" = C:\Documents and Settings\admin\Cookies
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
apicall:
repeat: 30
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: SetErrorMode
address: 0x73e6884b
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: GetSystemDirectoryA
address: 0x73e68bcc
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: WaitForMultipleObjectsEx
address: 0x77a89675
params:
param (id:1): 1
param (id:2): 0x00186a08
param (id:3): 0
param (id:4): 15000
param (id:5): 0
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\"c:\283859.bat" = 283859
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dll-loaded:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllpath: C:\WINDOWS\system32\clipdosx.dll
md5sum: 75248a0a3142dfbb7c18c9e30a9c3ef6
sha1sum: fa0e102a5954c7b7a31f3f2da4e1213c3d47aa64
mutex:
value: \BaseNamedObjects\{98f24545-f5e0-afbf-4912-8d6663144788}
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
mutex:
value: \BaseNamedObjects\{5c3a4e31-71dc-638b-f56e-f982efd09304}
processinfo:
pid: 660
imagepath: C:\Program Files\Internet Explorer\iexplore.exe
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: WaitForMultipleObjectsEx
address: 0x77a89675
params:
param (id:1): 1
param (id:2): 0x00186a08
param (id:3): 0
param (id:4): 15000
param (id:5): 0
mutex:
value: \BaseNamedObjects\{446aa201-936c-77db-c57e-c9923f60e394}
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
apicall:
processinfo:
pid: 420
imagepath: c:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
dllname: kernel32
apiname: WaitForMultipleObjects
address: 0x016b890c
params:
param (id:1): 2
param (id:2): 0x001895f8
param (id:3): 1
param (id:4): 100
process:
mode: started
value: C:\WINDOWS\system32\cmd.exe
pid: 1624
ppid: 420
parentname: C:\b105d5d6.exe
cmdline: cmd /c ""c:\283859.bat" "c:\b105d5d6.exe""
filesize: N/A
md5sum: N/A
sha1sum: N/A
ads:
fid (ads:): 1125899906849632
malicious-alert:
classtype: misc-anomaly
msg: Malware starting command prompt
display-msg: New command prompt started
processstats:
processinfo:
pid: 660
imagepath: C:\Program Files\Internet Explorer\iexplore.exe
bytesreceived: 0
totalmemory: 37298176
id: 2
deltatime: 117265
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Internet Explorer\Main\"NoProtectedModeBanner" = 0x00000001
processinfo:
pid: 660
imagepath: C:\Program Files\Internet Explorer\iexplore.exe
malicious-alert:
classtype: misc-anomaly
msg: Malware modifying browser helper objects
display-msg: Browser settings tampered
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Internet Explorer\Main\"TabProcGrowth" = 0x00000000
processinfo:
pid: 660
imagepath: C:\Program Files\Internet Explorer\iexplore.exe
malicious-alert:
classtype: misc-anomaly
msg: Malware disabling internet explorer protected mode
display-msg: Browser settings tampered
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"2500" = 0x00000003
processinfo:
pid: 660
imagepath: C:\Program Files\Internet Explorer\iexplore.exe
regkey:
mode: added
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\AppDataLow
processinfo:
pid: 660
imagepath: C:\Program Files\Internet Explorer\iexplore.exe
regkey:
mode: added
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\AppDataLow\{13b6e323-6e26-af4d-0748-2bfcd1ba958e}
processinfo:
pid: 660
imagepath: C:\Program Files\Internet Explorer\iexplore.exe
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\AppDataLow\{13b6e323-6e26-af4d-0748-2bfcd1ba958e}\"k1" = 0x8c2a4bf6
processinfo:
pid: 660
imagepath: C:\Program Files\Internet Explorer\iexplore.exe
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\AppDataLow\{13b6e323-6e26-af4d-0748-2bfcd1ba958e}\"k2" = 0x4f42e5f7
processinfo:
pid: 660
imagepath: C:\Program Files\Internet Explorer\iexplore.exe
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\AppDataLow\{13b6e323-6e26-af4d-0748-2bfcd1ba958e}\"Version" = 0x0000001f
processinfo:
pid: 660
imagepath: C:\Program Files\Internet Explorer\iexplore.exe
mutex:
value: \BaseNamedObjects\{6e1e0e81-15ec-185b-45fe-4912bfe06314}
processinfo:
pid: 660
imagepath: C:\Program Files\Internet Explorer\iexplore.exe
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Internet Explorer\Main\"NoProtectedModeBanner" = 0x00000001
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Internet Explorer\Main\"TabProcGrowth" = 0x00000000
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"2500" = 0x00000003
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
process:
mode: terminated
value: C:\b105d5d6.exe
pid: 420
ppid: 1912
parentname: C:\WINDOWS\system32\cmd.exe
cmdline: N/A
ads:
fid (ads:): 281474976737592
mutex:
value: \BaseNamedObjects\MSCTF.Shared.MUTEX.AFG
processinfo:
pid: 660
imagepath: C:\Program Files\Internet Explorer\iexplore.exe
mutex:
value: \BaseNamedObjects\MSCTF.Shared.MUTEX.AFG
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
mutex:
value:
processinfo:
pid: 1624
imagepath: C:\WINDOWS\system32\cmd.exe
dll-loaded:
processinfo:
pid: 1624
imagepath: C:\WINDOWS\system32\cmd.exe
dllpath: C:\WINDOWS\system32\clipdosx.dll
md5sum: 75248a0a3142dfbb7c18c9e30a9c3ef6
sha1sum: fa0e102a5954c7b7a31f3f2da4e1213c3d47aa64
mutex:
value: \BaseNamedObjects\{bbde9725-5e40-3c9f-2972-6dc6437427e8}
processinfo:
pid: 1624
imagepath: C:\WINDOWS\system32\cmd.exe
process:
mode: started
value: C:\WINDOWS\system32\attrib.exe
pid: 1764
ppid: 1624
parentname: C:\WINDOWS\system32\cmd.exe
cmdline: attrib -s -r -h"c:\b105d5d6.exe"
filesize: N/A
md5sum: N/A
sha1sum: N/A
ads:
fid (ads:): 281474976711318
malicious-alert:
classtype: misc-anomaly
msg: Malware modifying file attributes via an external process
display-msg: External file attribute modification
mutex:
value:
processinfo:
pid: 1764
imagepath: C:\WINDOWS\system32\attrib.exe
process:
mode: terminated
value: C:\WINDOWS\system32\attrib.exe
pid: 1764
ppid: 1624
parentname: C:\WINDOWS\system32\cmd.exe
cmdline: N/A
ads:
fid (ads:): 281474976711318
file:
mode: delete
value: C:\b105d5d6.exe
ads:
fid (ads:): 281474976737592
filesize: 285184
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
sha1sum: 6beaef2c49d9e7377648667e0f666675132a459c
processinfo:
pid: 1624
imagepath: C:\WINDOWS\system32\cmd.exe
malicious-alert:
classtype: misc-anomaly
msg: Malware deleting itself
display-msg: Root process deleted
file:
mode: delete
value: C:\283859.bat
ads:
fid (ads:): 281474976737595
filesize: 97
md5sum: d226a657b279c5fc0a892748230a56ff
sha1sum: fa7e4fb6d6de3c4769001cbfce0a00ba02ef28a5
processinfo:
pid: 1624
imagepath: C:\WINDOWS\system32\cmd.exe
process:
mode: terminated
value: C:\WINDOWS\system32\cmd.exe
pid: 1624
ppid: 420
parentname: C:\b105d5d6.exe
cmdline: N/A
ads:
fid (ads:): 1125899906849632
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithProgids\"AIFFFile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithProgids\"AIFFFile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithProgids\"AIFFFile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.application\OpenWithProgids\"Application.Manifest" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\OpenWithProgids\"ASFFile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithProgids\"ASXFile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithProgids\"AUFile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au3\OpenWithProgids\"AutoIt3Script" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\OpenWithProgids\"avifile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.awb\OpenWithProgids\"RealPlayer.AMR_WB.10" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\OpenWithProgids\"Paint.Picture" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.css\OpenWithProgids\"CSSfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\OpenWithProgids\"Paint.Picture" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.divx\OpenWithProgids\"RealPlayer.DIVX.6" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.doc\OpenWithProgids\"Word.Document.8" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dot\OpenWithProgids\"Word.Template.8" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dvr-ms\OpenWithProgids\"WMP.DVR-MSFile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\OpenWithProgids\"emffile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\OpenWithProgids\"Microsoft Internet Mail Message" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flv\OpenWithProgids\"RealPlayer.FLV.6" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\OpenWithProgids\"giffile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithProgids\"htmlfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithProgids\"htmlfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\OpenWithProgids\"icofile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.IVF\OpenWithProgids\"IVFFile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ivr\OpenWithProgids\"RealPlayer.IVR.6" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\OpenWithProgids\"pjpegfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\OpenWithProgids\"jpegfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\OpenWithProgids\"jpegfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithProgids\"jpegfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\OpenWithProgids\"mpegfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\OpenWithProgids\"m3ufile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithProgids\"mhtmlfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithProgids\"mhtmlfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithProgids\"midfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\OpenWithProgids\"midfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithProgids\"mpegfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\OpenWithProgids\"mpegfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\OpenWithProgids\"mp3file" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\OpenWithProgids\"mpegfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\OpenWithProgids\"mpegfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\OpenWithProgids\"mpegfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\OpenWithProgids\"mpegfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\OpenWithProgids\"mpegfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nws\OpenWithProgids\"Microsoft Internet News Message" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.obd\OpenWithProgids\"Office.Binder.9" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.obt\OpenWithProgids\"Office.Binder.Template.9" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithProgids\"pngfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pot\OpenWithProgids\"PowerPoint.Template.8" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppt\OpenWithProgids\"PowerPoint.Show.8" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ra\OpenWithProgids\"RealPlayer.RA.6" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ram\OpenWithProgids\"RealPlayer.RAM.6" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rax\OpenWithProgids\"RealPlayer.RAX.6" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rm\OpenWithProgids\"RealPlayer.RM.6" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithProgids\"midfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmj\OpenWithProgids\"RealJukebox.RMJ.1" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmm\OpenWithProgids\"RealPlayer.RAM.6" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmp\OpenWithProgids\"RealJukebox.RMP.1" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rms\OpenWithProgids\"RealPlayer.RMS.6" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmvb\OpenWithProgids\"RealPlayer.RMVB.6" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmx\OpenWithProgids\"RealJukebox.RMX.1" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rsml\OpenWithProgids\"RealPlayer.RSML.6" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rtf\OpenWithProgids\"Word.RTF.8" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rv\OpenWithProgids\"RealPlayer.RV.6" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rvx\OpenWithProgids\"RealPlayer.RVX.6" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithProgids\"shtmlfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.smi\OpenWithProgids\"RealPlayer.SMIL.6" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.smil\OpenWithProgids\"RealPlayer.SMIL.6" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithProgids\"AUFile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ssm\OpenWithProgids\"SSM" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids\"txtfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.URL\OpenWithProgids\"InternetShortcut" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\OpenWithProgids\"soundrec" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\OpenWithProgids\"WAXFile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wdp\OpenWithProgids\"wdpfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\OpenWithProgids\"ASFFile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\OpenWithProgids\"WMAFile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmf\OpenWithProgids\"wmffile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmp\OpenWithProgids\"WMPFile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\OpenWithProgids\"WMVFile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\OpenWithProgids\"ASXFile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\OpenWithProgids\"WPLFile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wri\OpenWithProgids\"wrifile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithProgids\"WVXFile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xaml\OpenWithProgids\"Windows.XamlDocument" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xbap\OpenWithProgids\"Windows.Xbap" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xls\OpenWithProgids\"Excel.Sheet.8" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlt\OpenWithProgids\"Excel.Template" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithProgids\"xmlfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xps\OpenWithProgids\"XPSViewer.Document" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xsl\OpenWithProgids\"xslfile" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
regkey:
mode: setval
value: \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithProgids\"CompressedFolder" =
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
process:
mode: terminated
value: C:\Program Files\Java\jre6\bin\jusched.exe
pid: 1348
ppid: 1272
parentname: C:\WINDOWS\explorer.exe
cmdline: N/A
ads:
fid (ads:): 562949953442415
mutex:
value:
processinfo:
pid: 1272
imagepath: C:\WINDOWS\Explorer.EXE
process:
mode: terminated
value: C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
pid: 1404
ppid: 1272
parentname: C:\WINDOWS\explorer.exe
cmdline: N/A
ads:
fid (ads:): 281474976730507
end-of-report:
anomaly: misc-anomaly
src:
vlan: 0
ip:
dst:
ip: 88.198.172.75
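The report above is flat "key: value" text whose indentation did not survive the paste, which makes it hard to pivot on. The following is an added example, not the analyzer's own tooling: a small parser that rebuilds events from the layout visible above (top-level keys such as process/regkey/file, nested processinfo/params/ads blocks, and malicious-alert blocks attached to the event they follow), then pulls out the hashes, registry writes, alert messages and destination IP, and checks for the bat/attrib self-delete chain. The event keys, the `Event`/`parse_report`/`summarize`/`self_deleted` names and the embedded `SAMPLE` excerpt are mine; the sample records are copied from the report in the report's own layout.

```python
"""Parser for the flat sandbox report pasted above (added example, not the
analyzer's own tooling). Event keys and nested blocks are inferred from the
paste, whose indentation did not survive extraction."""
import re
from dataclasses import dataclass, field

TOP_LEVEL = {"mutex", "apicall", "process", "regkey", "file", "dll-loaded",
             "processstats", "end-of-report"}
# Nested blocks and the keys allowed inside them (None: any "param (id:N)" key).
NESTED = {"processinfo": {"pid", "imagepath", "md5sum", "sha1sum"}, "params": None,
          "ads": {"fid (ads:)"}, "src": {"vlan", "ip"}, "dst": {"ip"},
          "malicious-alert": {"classtype", "msg", "display-msg"}}
LINE_RE = re.compile(r"^([A-Za-z][\w-]*(?: \([^)]*\))?):\s?(.*)$")


@dataclass
class Event:
    kind: str
    fields: dict = field(default_factory=dict)   # event-level key/values
    nested: dict = field(default_factory=dict)   # block name -> key/values
    alerts: list = field(default_factory=list)   # malicious-alert blocks


def parse_report(text):
    """Turn flat 'key: value' lines into typed events; an alert attaches to the event before it."""
    events, cur, block = [], None, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "" and key in TOP_LEVEL:
            cur, block = Event(key), None
            events.append(cur)
        elif cur is None:
            continue
        elif value == "" and key in NESTED:
            block = key
            if key == "malicious-alert":
                cur.alerts.append({})
            else:
                cur.nested.setdefault(key, {})
        else:
            allowed = NESTED.get(block)
            if block and not (key.startswith("param") if allowed is None else key in allowed):
                block = None       # key not valid in this block: back to event level
            if block == "malicious-alert":
                cur.alerts[-1][key] = value
            elif block:
                cur.nested[block][key] = value
            else:
                cur.fields[key] = value
    return events


def summarize(events):
    """Indicators to pivot on: hashes, registry writes, alert messages, destination IP."""
    s = {"md5s": {}, "registry": [], "alerts": [], "dst_ips": set()}
    for ev in events:
        pi = ev.nested.get("processinfo", {})
        if "md5sum" in pi:
            s["md5s"][pi["md5sum"]] = pi["imagepath"]
        if ev.fields.get("md5sum", "N/A") != "N/A":
            s["md5s"][ev.fields["md5sum"]] = ev.fields.get("value") or ev.fields.get("dllpath")
        if ev.kind == "regkey":
            s["registry"].append((pi.get("imagepath", "?"), ev.fields["mode"], ev.fields["value"]))
        if ev.kind == "end-of-report" and ev.nested.get("dst", {}).get("ip"):
            s["dst_ips"].add(ev.nested["dst"]["ip"])
        s["alerts"] += [a.get("msg", "") for a in ev.alerts]
    return s


def self_deleted(events):
    """Images that spawned a child and were then deleted: the bat/attrib chain flagged above."""
    parents = {e.fields.get("parentname", "").lower() for e in events
               if e.kind == "process" and e.fields.get("mode") == "started"}
    return [e.fields["value"] for e in events if e.kind == "file"
            and e.fields.get("mode") == "delete" and e.fields["value"].lower() in parents]


# Constructed excerpt in the report's own layout (records copied from the paste above).
SAMPLE = r'''
process:
mode: started
value: C:\WINDOWS\system32\cmd.exe
pid: 1624
ppid: 420
parentname: C:\b105d5d6.exe
cmdline: cmd /c ""c:\283859.bat" "c:\b105d5d6.exe""
malicious-alert:
msg: Malware starting command prompt
file:
mode: delete
value: C:\b105d5d6.exe
md5sum: 7afb752b21ff6bda7db3a84a5b2851c6
processinfo:
pid: 1624
imagepath: C:\WINDOWS\system32\cmd.exe
malicious-alert:
msg: Malware deleting itself
end-of-report:
dst:
ip: 88.198.172.75
'''

if __name__ == "__main__":
    events = parse_report(SAMPLE)
    print(summarize(events), self_deleted(events))
```

Feed `parse_report` the whole pasted report and `summarize` gives the md5 of b105d5d6.exe and clipdosx.dll, every registry write with the process that made it, and 88.198.172.75 as the destination; the key-whitelist fallback in `parse_report` is what recovers the nesting once indentation is gone, so a new block type in a different report would need its keys added to `NESTED`.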

Might not be a false warning.

I got the warning. I clicked through. I got hit. (Can't say for sure it was the DP, but the only sites I've visited today are the same sites I visit pretty much every day, and only at the DP did I get a malware warning, and this is only the 2nd virus I've seen in about 6 years -- sounds like quite a coincidence if it wasn't the DP.)

The thing deposited two files in my "C:\ProgramData" directory:

07/12/2012 11:02 AM 91,136 attrrcpl.dll
07/12/2012 11:02 AM 92,672 attrrcpl64.dll

It also deposited the following registry key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ciphnime"="rundll32 \"C:\\ProgramData\\attrrcpl64.dll\",CreateProcessNotify"

Those file names and registry key may be random, so if you want to check your own box, just look for any new .dll in "C:\ProgramData" (this is on Vista, the directory may be different under a different Windows version) and run "regedit" and check for anything suspicious in "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run".

kept me away for a few hours again

By the 4th time I'll just log in anyway and THEN I'll get infected by actual malware lol - gah

I have very sophisticated software to detect malware

At 12:54 PM I came here to the dailypaul and my system detected the malware. After reading all the shit it changed in my system and the remote control utilities it was setting up, I decided to wipe my system out. Below are some of the details to know if YOU are infected. Mind that antivirus did not detect this malware.

Host that my computer called back: moreopenportlast.dyndns.biz
File to look for: clipdosx.dll
Look in your registry for this change:
regkey:
mode: setval
value: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls\"cisvtdde" = C:\WINDOWS\system32\clipdosx.dll

Do a CHECKSUM check against your cmd.exe. If it fails, you are infected.
Here is a Microsoft checksum checker: http://www.microsoft.com/en-us/download/details.aspx?id=11533

The malware encrypts all communications going out of your machine. It is pretty sophisticated. It is either A. Government (China, Russia, Israel, US, etc.) or B. A hacker who hates the Daily Paul so much that he spent a long time writing it.
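Two posts in this thread give host-side checks: the one above it lists a Run entry that loads a DLL dropped in C:\ProgramData via rundll32, and this one gives the AppCertDlls value pointing at clipdosx.dll plus a checksum check of cmd.exe. The script below is an added example, not either poster's tooling, that runs those checks together. Rule matching is kept separate from collection so the rules can be exercised anywhere; collection reads the live registry with the standard `winreg` module and is only attempted on Windows. Everything here is mine: the function names, the `USER_WRITABLE` path heuristic (which will also flag legitimate software that installs under AppData, so treat hits as a review list), and `KNOWN_GOOD_CMD_SHA256`, a placeholder the reader fills in from a clean machine of the same Windows build. The inputs in the test are constructed from the values the two posts quote.

```python
"""Host triage for the indicators posted in this thread (added example, not the
posters' own tooling). Rule matching is separated from collection so the rules
run anywhere; collection uses winreg and is only attempted on Windows.
KNOWN_GOOD_CMD_SHA256 is a placeholder to fill in from a clean box."""
import hashlib
import os
import re
import sys
import time

KNOWN_GOOD_CMD_SHA256 = "<sha256 of cmd.exe from a clean machine of the same build>"
# Locations a Run target or a rundll32 argument has little business living in (heuristic).
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\", "\\temp\\", "\\documents and settings\\")


def run_target(command):
    """(path, via_rundll32): the DLL argument for rundll32, else the first token."""
    tokens = [q or bare for q, bare in re.findall(r'"([^"]+)"|(\S+)', command)]
    if not tokens:
        return "", False
    exe = os.path.basename(tokens[0].replace("\\", "/")).lower()
    if exe in ("rundll32", "rundll32.exe") and len(tokens) > 1:
        return tokens[1].split(",")[0], True      # rundll32 <dll>,<entrypoint>
    return tokens[0], False


def suspicious_run_entries(run_values):
    """Run entries in user-writable places, or rundll32 loading a DLL from outside \\Windows."""
    hits = []
    for name, cmd in run_values.items():
        path, via_rundll32 = run_target(cmd)
        p = path.lower()
        if any(m in p for m in USER_WRITABLE) or (via_rundll32 and "\\windows\\" not in p):
            hits.append((name, cmd))
    return hits


def recent_dlls(entries, now, max_age_days=7):
    """Names of (name, mtime) DLLs in the ProgramData root newer than max_age_days."""
    return sorted(n for n, mtime in entries if now - mtime < max_age_days * 86400)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(run_values, appcert_values, programdata_dlls, cmd_sha256,
           known_good=KNOWN_GOOD_CMD_SHA256, now=None):
    """Return (category, detail) findings from already-collected inputs."""
    now = time.time() if now is None else now
    findings = [("run", f"{n} = {c}") for n, c in suspicious_run_entries(run_values)]
    # Every AppCertDlls value is loaded into each process that calls CreateProcess,
    # so on a workstation the key is normally empty and any value deserves a look.
    findings += [("appcertdlls", f"{n} = {p}") for n, p in sorted(appcert_values.items())]
    findings += [("programdata-dll", n) for n in recent_dlls(programdata_dlls, now)]
    if cmd_sha256.lower() != known_good.lower():
        findings.append(("cmd.exe-hash", cmd_sha256))
    return findings


def collect_windows():
    """Live inputs for triage(); Windows only."""
    import winreg

    def values(root, sub):
        out = {}
        try:
            with winreg.OpenKey(root, sub) as k:
                for i in range(winreg.QueryInfoKey(k)[1]):
                    name, data, _ = winreg.EnumValue(k, i)
                    out[name] = str(data)
        except OSError:                       # key absent: nothing to report
            pass
        return out

    run = values(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run")
    appcert = values(winreg.HKEY_LOCAL_MACHINE,
                     r"SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls")
    pd = os.environ.get("ProgramData", r"C:\ProgramData")   # absent on XP, hence the isdir check
    dlls = [(f, os.path.getmtime(os.path.join(pd, f)))
            for f in (os.listdir(pd) if os.path.isdir(pd) else []) if f.lower().endswith(".dll")]
    cmd = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32", "cmd.exe")
    return run, appcert, dlls, sha256_file(cmd)


if __name__ == "__main__" and sys.platform == "win32":
    for category, detail in triage(*collect_windows()):
        print(f"[{category}] {detail}")
```

One caveat on the checksum step: the report above shows clipdosx.dll being loaded into cmd.exe (the dll-loaded record for pid 1624) through the AppCertDlls value quoted here, which does not modify cmd.exe on disk, so a clean cmd.exe hash does not clear the box; the AppCertDlls and Run findings are the more direct indicators, and the hash check mainly catches a replaced binary.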

Just made Yahoo my homepage.

No-one stops the revolution!

Lord Acton, Lord Chief Justice of England, 1875 - "The issue which has swept down the centuries and which will have to be fought sooner or later is the People v. The Banks."


Thanks Reed

I think you're right.

Let's hope it doesn't happen again.

To be mean is never excusable, but there is some merit in knowing that one is; the most irreparable of vices is to do evil out of stupidity. - C.B.

Actually not

Still getting this message from Google:

http://www.google.com/interstitial?url=http://www.dailypaul....


I think it's fixed now. Thanks Michael

and Mods.

Not an accident

I work in online media. While it is common to have these types of issues, it is uncommon for Google (Doubleclick) to have them. If you are using third-tier banner partners then it is possible.

My two thoughts are A) look into third-party malware scanning companies; Dasient was one we worked with for a long time until they were bought by Twitter. B) if you are using Google and their ads are getting you flagged then to me it would seem intentional. If you can locate who purchased the ad then you can pursue them with C/D and other legal means if you desire.

Keep up the good work!

Video of "warning" message

Here is the "Reported-Attack-Page" warning for those who didn't see it. Sure would be nice if Google could just block the offending script instead of the entire website. http://youtu.be/5fAZqh_-cA8

Captain's Log...7-12-12 On the Daily Paul 15 minutes..No Red Flag

I think we killed it by God!

and the paranoia sets in

burn everything.

I logged on and didn't see a 'red flag'

keep my fingers crossed..maybe just maybe we got rid of the damn thing..

Yep.

I got it.

I've seen this on occasion

Not so much on websites, but believe me, I know when it's fake, especially w/ files. And this is definitely one of those false alarms!! Probably just more business, establishment, gov't foolery! What cowards!!