FakeAV Analysis: Defense Center

Defense Center is doing the rounds again, but this time it seems to be a bit more aggressive!

Let's start off with some screenshots.

Defense Center Main

Like all rogue AVs, it bombards you with warnings about how your computer is "infected".

Fake Attack

Fake Warning

Fake Alert

30% off! You’d be a fool not to snap that offer up, wouldn’t you?

Fake Offer

Once installed, Defense Center registers a handler in HKCR\.exe\shell\open\command so that it can intercept every .exe that is executed; if it is not removed properly, you won't be able to run any .exe file at all.

Registry Modification
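The hijack described above has a recognisable shape: the Windows default for the key is `"%1" %*`, and Defense Center replaces it with `"<dropped file>" /START "%1" %*` (the `"%s" /START "%%1" %%*` format string in its dropped file). The following is an added example, not code from the original post, that classifies such handler values and works through sandbox-report style lines; the two registry lines are the ones from the sandbox report later in this post, and on a live host the values would be read with winreg instead.

```python
"""Check .exe shell-handler values for the Defense Center style hijack.

Added example (not the post's own code). Any of the keys the dropped file
references (.exe\shell\open\command, .exe\shell\runas\command,
.exe\shell\start\command and the secfile\... equivalents) should hold the
clean default; anything that wraps "%1" %* inside another executable means
every .exe launch is being routed through that executable first.
"""
import re
from dataclasses import dataclass
from typing import Optional

# What Windows itself stores under .exe\shell\open\command.
CLEAN_EXE_COMMAND = '"%1" %*'

# Shape of a wrapping handler:  "<interposer.exe>" <switches> "%1" %*
_WRAPPED = re.compile(
    r'^"(?P<exe>[^"]+\.exe)"\s*(?P<switches>[^"]*?)\s*"%1"\s*%\*$', re.IGNORECASE
)

# One sandbox-report line:  <description>: <key>[\<value name>] = <data>
_REPORT_LINE = re.compile(
    r'^[^:]*:\s*(?P<key>[^\s=]*\\command)(?:\\(?P<name>[^\s=\\]+))?\s*=\s*(?P<data>.+?)\s*$'
)


@dataclass
class HandlerVerdict:
    key: str
    name: str                  # "" for the key's default value
    data: str
    status: str                # "clean", "interposed" or "unknown"
    interposer: Optional[str] = None
    switches: str = ""


def classify_exe_handler(key: str, data: str, name: str = "") -> HandlerVerdict:
    """Classify one registry value that governs how .exe files are launched."""
    data = data.strip()
    if data == CLEAN_EXE_COMMAND:
        return HandlerVerdict(key, name, data, "clean")
    m = _WRAPPED.match(data)
    if m:
        return HandlerVerdict(key, name, data, "interposed",
                              interposer=m.group("exe"),
                              switches=m.group("switches").strip())
    # A bare path, a different wrapper syntax, etc.: not the hijack above,
    # but not the Windows default either, so it still needs a look.
    return HandlerVerdict(key, name, data, "unknown")


def classify_report_lines(lines):
    """Run the check over 'key = data' report lines; other lines are skipped."""
    verdicts = []
    for line in lines:
        m = _REPORT_LINE.match(line)
        if m:
            verdicts.append(classify_exe_handler(m.group("key"), m.group("data"),
                                                 m.group("name") or ""))
    return verdicts


def restore_values(verdicts):
    """(key, value name, data) triples that put the default handler back.

    Only default values are touched: named values such as IsolatedCommand
    that already hold the clean command are left alone.
    """
    return [(v.key, "", CLEAN_EXE_COMMAND)
            for v in verdicts if v.name == "" and v.status != "clean"]


# Sample input: two lines copied from the sandbox report in this post plus
# one unrelated report line, so the check runs offline.
SAMPLE_REPORT = [
    r"Created file on defined folder: C:\Documents and Settings\Administrator\Local Settings\Temp\TMP57114.tmp",
    r'Defined registry AutoStart location added or modified: user\current_classes\.exe\shell\open\command  = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AUTMGR32.EXE" /START "%1" %*',
    r'Defined registry AutoStart location added or modified: user\current_classes\.exe\shell\open\command\IsolatedCommand = "%1" %*',
]

if __name__ == "__main__":
    results = classify_report_lines(SAMPLE_REPORT)
    for v in results:
        print(f"{v.key}\\{v.name or '(Default)'}: {v.status}"
              + (f" via {v.interposer} {v.switches}" if v.interposer else ""))
    for key, name, data in restore_values(results):
        print(f"restore {key}\\{name or '(Default)'} = {data}")
```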

This is a list of strings from the unpacked dropper.

0x00002110	0x0000000E	UNKNOWN
0x00002120	0x00000014	%s%s%d.tmp
0x00002140	0x00000014	Azerbaijan
0x00002158	0x0000000E	Belarus
0x00002168	0x00000014	Kazakhstan
0x00002180	0x00000014	Kyrgyzstan
0x00002198	0x0000000C	Russia
0x000021A8	0x00000014	Uzbekistan
0x000021C0	0x0000000E	Ukraine
0x000021D0	0x0000001C	Czech Republic
0x000021F0	0x0000000C	Poland
0x00002210	0x00000018	_favdata.dat
0x00002230	0x00000014	Printers\Connections
0x00002248	0x00000005	affid
0x00002250	0x00000005	subid
0x00002258	0x0000004A	\AAB647AB-4C1A-4cf0-9DE5-DD056FABF1F9
0x000022A4	0x0000000C	%[^;];%[^;];
0x000022BC	0x0000000E	IsWow64Process
0x000022CC	0x00000008	kernel32
0x000022D8	0x00000015	ObtainUserAgentString
0x000022F0	0x0000000A	urlmon.dll
0x000022FC	0x00000037	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
 
336;landing;-1;.hxxp://Traffic-Photos.com/ms05/ad;hxxp://www.easysecurityscan.com/ms05/ad;hxxp://www.fastanyprime.com/ms05/ad;...hxxp://Traffic-Photos.com/ms05/ad;hxxp://www.easysecurityscan.com/ms05/ad;hxxp://www.fastanyprime.com/ms05/ad

Here we can see the results for these URLs on URLVoid.

Traffic-Photos.com
easysecurityscan.com
fastanyprime.com

The short list of country strings is the set of countries in which the author of this malware does not want it to execute.

0040113A   |>  56                 /PUSH ESI                                          ; /wstr2 = "United States"
0040113B   |. |FF74BD DC          |PUSH DWORD PTR SS:[EBP+EDI*4-24]                  ; |wstr1 = "Azerbaijan"
0040113F   |. |E8 5E0A0000        |CALL                         ; \_wcsicmp
00401144   |. |85C0               |TEST EAX,EAX
00401146   |. |59                 |POP ECX
00401147   |. |59                 |POP ECX
00401148   |. |74 0C              |JE SHORT dump_.00401156 ; eventually goes to ExitProcess.
0040114A   |. |47                 |INC EDI
0040114B   |. |83FF 09            |CMP EDI,9
0040114E   |.^\72 EA              \JB SHORT dump_.0040113A

This is a list of strings from the dropped file that now handles all executions of .exe files.

0x00005044	0x00000011	 jour importantes
0x000051F5	0x00000005	 jour
0x0000539C	0x00000014	Updates installieren
0x000053B4	0x00000050	Riavviare il computer per completare l'installazione di importanti aggiornamenti
0x0000556C	0x00000016	Installa aggiornamenti
0x000055AB	0x0000002A	re installasjonen av viktige oppdateringer
0x000056F4	0x00000017	Installer oppdateringer
0x0000570C	0x00000046	Reinicie su equipo para acabar de instalar actualizaciones importantes
0x000058C4	0x00000018	Instalar actualizaciones
0x000058E0	0x0000003C	Restart your computer to finish installing important updates
0x00005920	0x00000018	AUTMGR32.EXE
0x000059FC	0x00000009	1. Click 
0x00005A08	0x00000011	"Install Updates"
0x00005A1C	0x00000009	2. Click 
0x00005A28	0x00000018	 when UAC screen appears
0x00005A44	0x00000007	"Allow"
0x00005A4C	0x0000000E	System Failure
0x00005BC0	0x00000012	Pvebbmg)Tlkpkw*gki
0x00005C40	0x00000012	Pvebbmg)Tlkpkw*gki
0x00005CC0	0x00000012	Pvebbmg)Tlkpkw*gki
0x00005D44	0x00000005	ffid_
0x00005D63	0x00000008	heck_vm_
0x00005D83	0x00000006	setid_
0x00005DA0	0x0000000A	runas
0x00005DAC	0x00000022	WindowsUpdate.exe
0x00005DD0	0x0000000C	\license.dat
0x00005DE0	0x00000017	Software\Defense Center
0x00005DF8	0x00000007	License
0x00005E00	0x0000002C	94804860143697233939975370329435970097710202
0x00005E30	0x0000000C	LoadLibraryA
0x00005E40	0x0000000C	kernel32.dll
0x00005E50	0x00000030	AcceptedPrivacyStatement
0x00005E84	0x0000005E	Software\Classes\Software\Microsoft\Preferences
0x00005EE4	0x00000046	Software\Classes\Software\Microsoft
0x00005F2C	0x00000032	Software\Classes\Software
0x00005F60	0x00000058	Software\Classes\secfile\shell\start\command
0x00005FBC	0x00000048	Software\Classes\secfile\shell\start
0x00006008	0x00000058	Software\Classes\secfile\shell\runas\command
0x00006064	0x00000048	Software\Classes\secfile\shell\runas
0x000060B0	0x00000056	Software\Classes\secfile\shell\open\command
0x00006108	0x00000046	Software\Classes\secfile\shell\open
0x00006150	0x0000003C	Software\Classes\secfile\shell
0x00006190	0x00000048	Software\Classes\secfile\DefaultIcon
0x000061DC	0x00000030	Software\Classes\secfile
0x00006210	0x00000016	Application
0x00006228	0x00000052	Software\Classes\.exe\shell\start\command
0x0000627C	0x00000042	Software\Classes\.exe\shell\start
0x000062C0	0x00000052	Software\Classes\.exe\shell\runas\command
0x00006314	0x00000042	Software\Classes\.exe\shell\runas
0x00006358	0x0000001E	IsolatedCommand
0x00006378	0x0000000E	"%1" %*
0x00006388	0x0000002A	"%s" /START "%%1" %%*
0x000063B4	0x00000050	Software\Classes\.exe\shell\open\command
0x00006408	0x00000040	Software\Classes\.exe\shell\open
0x0000644C	0x00000036	Software\Classes\.exe\shell
0x0000648C	0x00000042	Software\Classes\.exe\DefaultIcon
0x000064D0	0x00000018	Content Type
0x000064EC	0x00000030	application/x-msdownload
0x00006520	0x0000000E	secfile
0x00006530	0x0000002A	Software\Classes\.exe
0x0000655C	0x00000020	Software\Classes
0x0000658C	0x00000039	Software\Microsoft\Windows\CurrentVersion\Policies\System
0x000065C8	0x0000000E	DisableTaskMgr
0x000065D8	0x00000014	topwesitjh
0x000065F0	0x00000048	d8bb5910-2d85-489b-8403-803ed25e73bc
0x0000663C	0x00000048	9cf2592c-1832-4358-a0fc-26d6a0c29808
0x00006688	0x00000005	%09lu
0x00006690	0x00000008	wget 3.0
0x0000669C	0x00000048	f7c5da73-b4a5-4947-8f40-08f2871eb36b
0x000066E8	0x00000010	Software
0x00006700	0x0000001B	http://%s/any2/%s-direct.ex
0x00006734	0x0000000D	\_favdata.dat
0x00006744	0x00000006	French
0x0000674C	0x00000007	Italian
0x00006754	0x00000006	German
0x0000675C	0x00000007	Spanish
0x00006764	0x00000009	Norwegian
0x00006770	0x00000006	Polish
0x00006778	0x00000005	Czech
0x00006780	0x00000009	Ukrainian
0x0000678C	0x00000007	Russian
0x00006794	0x00000006	_Run@0
0x0000679C	0x0000000C	Explorer.exe
0x000067AC	0x0000000E	mschrt20ex.dll
0x000067C4	0x0000000E	/START 
0x000067D4	0x0000000C	/START
0x0000B350	0x00000005	.text
0x0000B377	0x00000007	`.rdata
0x0000B39F	0x00000006	@.data
0x0000B3C8	0x00000005	.rsrc
0x0000B3EF	0x00000007	@.fasoc
0x0000CF7D	0x00000005	(>T$C
0x0000D12E	0x00000014	ouporn.com
0x0000D144	0x00000018	nudetube.com
0x0000D160	0x0000001A	pornotube.com
0x0000D17C	0x0000000A	3.ico
0x0000D188	0x0000000A	2.ico
0x0000D194	0x0000000A	1.ico
0x0000D1A0	0x000000A0	A security threat detected on your computer! This malicious program may steal your private data. Click on the message to ensure 
0x0000D248	0x0000009A	Harmful viruses detected on your computer. This malicious software may harm your computer. Click on the message to ensure the pr
0x0000D2E8	0x000000C0	You are running a trial antivirus software version. Activate your antivirus software copy to get full-time antivirus protection.
0x0000D3B0	0x0000008D	It is strongly recommended to protect your computer against security threats. Click on the message to ensure the protection of y
0x0000D440	0x000000B5	It is strongly recommended to remove all detected viruses to protect your computer against existing security threats. Click on t
0x0000D4F8	0x00000007	Danger!
0x0000D500	0x0000009D	A security threat detected on your computer. TrojanASPX.JS.Win32. It strongly recommended to remove this threat right now. Click
0x0000D5A0	0x0000007A	Unauthorized person tries to steal your passwords and private information. Click on the message to prevent identity theft.
0x0000D620	0x00000066	Unauthosrized access to your computer! Click on the message to install up-to-date antivirus software. 
0x0000D688	0x00000074	Harmful viruses detected on your computer. Click on the message to scan your computer for security threats for free.
0x0000D700	0x00000005	%09lu
0x0000D708	0x00000034	\Defense Center\defcnt.exe
0x0000D748	0x00000018	wscsvc32.exe
0x0000D768	0x00000048	d8bb5910-2d85-489b-8403-803ed25e73bc
0x0000D7B4	0x0000002C	94804860143697233939975370329435970097710202
0x0000D7E4	0x00000007	License
0x0000D7EC	0x00000017	Software\Defense Center
0x0000D804	0x0000000C	\license.dat
0x0000D814	0x0000001A	\Defense Center\defcnt.exe
0x0000D830	0x00000016	Windows Security Alert
0x0000D848	0x0000000C	 /inst
0x0000D860	0x0000001E	eiojrthgoeijujwqodiehurisejawu
0x0000D880	0x00000018	\spam001.exe
0x0000D89C	0x00000018	\spam003.exe
0x0000D8B8	0x00000018	\troj000.exe
0x0000D8D4	0x0000000D	Shell_TrayWnd
0x0000D8E4	0x00000006	Button
0x0000D8F0	0x00000098	System files of your computer are damaged. Please, restart your system ASAP.
0x0000D994	0x00000014	Printers\Connections
0x0000D9B0	0x0000000D	\_favdata.dat
0x0000D9C8	0x0000004E	http://%s/readdatagateway.php?type=stats&affid=%s&subid=%s&version=%s&adwareok
0x0000DA18	0x0000000E	DisableTaskMgr
0x0000DA28	0x00000039	Software\Microsoft\Windows\CurrentVersion\Policies\System
0x0000DA64	0x0000000C	explorer.exe
0x0000DA74	0x00000008	Software
0x0000DA80	0x00000024	dd1c3e54-4b10-4a73-91eb-fa561c094261
0x0000DAA8	0x00000024	24d1ca9a-a864-4f7b-86fe-495eb56529d8
0x0000DAD0	0x00000008	wget 3.0
0x0000DAE0	0x0000003E	\Internet Explorer\iexplore.exe
0x0000DB30	0x00000026	SeShutdownPrivilege
0x0000DB58	0x00000014	fiuejsiogj
0x0000DD88	0x00000009	ntdll.dll
0x0000DD94	0x00000008	StrStrIA
0x0000DDA0	0x00000007	StrCatW
0x0000DDAA	0x0000000A	wnsprintfA
0x0000DDB8	0x00000007	StrCpyW
0x0000DDC0	0x0000000B	SHLWAPI.dll
0x0000DDCE	0x00000010	InternetOpenUrlA
0x0000DDE2	0x00000010	InternetReadFile
0x0000DDF6	0x0000000D	InternetOpenA
0x0000DE07	0x00000012	nternetCloseHandle
0x0000DE1A	0x0000000B	WININET.dll
0x0000DE28	0x00000017	SHGetSpecialFolderPathA
0x0000DE42	0x00000017	SHGetSpecialFolderPathW
0x0000DE5C	0x00000011	Shell_NotifyIconA
0x0000DE6E	0x0000000B	SHELL32.dll
0x0000DE7C	0x00000010	GetComputerNameA
0x0000DE91	0x0000000B	reateMutexW
0x0000DEA0	0x00000008	lstrlenA
0x0000DEAC	0x00000009	lstrcpynA
0x0000DEB8	0x00000013	WaitForSingleObject
0x0000DECE	0x0000000C	GetTickCount
0x0000DEDE	0x0000000B	VirtualFree
0x0000DEEC	0x00000019	InitializeCriticalSection
0x0000DF08	0x00000015	GetVolumeInformationA
0x0000DF20	0x00000005	Sleep
0x0000DF28	0x00000008	lstrcatA
0x0000DF34	0x00000008	lstrlenW
0x0000DF40	0x0000000C	GetTempPathW
0x0000DF50	0x00000019	DisableThreadLibraryCalls
0x0000DF6C	0x00000012	GetModuleFileNameA
0x0000DF82	0x00000008	lstrcatW
0x0000DF8E	0x00000015	DeleteCriticalSection
0x0000DFA7	0x0000000B	reateThread
0x0000DFB6	0x00000008	lstrcpyA
0x0000DFC2	0x00000010	GetTempFileNameW
0x0000DFD7	0x0000000A	reateFileA
0x0000DFE4	0x0000000B	GetFileSize
0x0000DFF2	0x0000000E	SetFilePointer
0x0000E004	0x0000000D	FindResourceW
0x0000E014	0x0000000C	LoadResource
0x0000E025	0x0000000D	reateProcessW
0x0000E036	0x00000011	GetCurrentProcess
0x0000E04A	0x00000009	WriteFile
0x0000E056	0x0000000E	SizeofResource
0x0000E068	0x00000012	GetFileAttributesA
0x0000E07E	0x00000008	ReadFile
0x0000E08B	0x0000000A	reateFileW
0x0000E098	0x0000000C	GetLastError
0x0000E0A8	0x0000000C	VirtualAlloc
0x0000E0B8	0x0000000C	LockResource
0x0000E0C9	0x0000000A	loseHandle
0x0000E0D4	0x0000000C	KERNEL32.dll
0x0000E0E4	0x00000010	DispatchMessageW
0x0000E0F8	0x0000000B	FindWindowA
0x0000E106	0x0000000C	SendMessageW
0x0000E116	0x0000000C	PostMessageA
0x0000E126	0x00000008	IsWindow
0x0000E132	0x0000000A	ShowWindow
0x0000E140	0x00000009	EndDialog
0x0000E14C	0x0000000E	GetWindowTextW
0x0000E15E	0x00000009	LoadIconW
0x0000E16A	0x00000010	IsDialogMessageW
0x0000E17E	0x00000010	TranslateMessage
0x0000E192	0x0000000B	EnumWindows
0x0000E1A0	0x00000009	wsprintfA
0x0000E1AC	0x00000009	KillTimer
0x0000E1B8	0x0000000C	PostMessageW
0x0000E1C8	0x0000000B	GetMessageW
0x0000E1D7	0x00000011	reateDialogParamA
0x0000E1EC	0x00000008	SetTimer
0x0000E1F6	0x0000000A	USER32.dll
0x0000E204	0x00000010	OpenProcessToken
0x0000E218	0x0000000E	RegSetValueExA
0x0000E22A	0x00000010	RegQueryValueExA
0x0000E23E	0x0000000D	RegCreateKeyA
0x0000E24E	0x00000015	LookupPrivilegeValueW
0x0000E266	0x0000000B	RegOpenKeyA
0x0000E274	0x00000015	AdjustTokenPrivileges
0x0000E28C	0x00000017	InitiateSystemShutdownW
0x0000E2A6	0x0000000B	RegCloseKey
0x0000E2B2	0x0000000C	ADVAPI32.dll
0x0000E2C3	0x0000000B	oInitialize
0x0000E2D2	0x00000010	CoCreateInstance
0x0000E2E4	0x00000009	ole32.dll
0x0000E2F0	0x00000006	memset
0x0000E2FA	0x00000007	_chkstk
0x0000E342	0x0000000A	Adware.dll
0x0000E34D	0x00000006	_Run@0
0x0000E36C	0x00000036	f:\src\mrs_adware\Adware2\trunk\Dll\release\Adware.pdb
0x00020097	0x00000007	)w2%n%~
0x000234F3	0x00000005	q\MP&
0x000264C7	0x00000005	rX${p
0x00027B44	0x00000005	03uJS
0x0002E1F5	0x00000007	zdC?irU
0x000369EA	0x00000006	g@*jRV
0x000520A2	0x00000009	qE{tDs/id
0x00054406	0x00000005	\6+9'
0x0005AB1F	0x00000005	SI~/W
0x0005AD20	0x0000000C	kernel32.dll
0x0005AD2F	0x00000010	GetModuleHandleW
0x0005AD42	0x00000010	GetCurrentThread
0x0005AD55	0x0000000F	TerminateThread
0x0005AD75	0x0000000C	advapi32.dll
0x0005AD84	0x00000011	AdjustTokenGroups
0x0005AD98	0x0000000D	CloseEventLog
0x0005ADA8	0x00000011	CryptSetHashParam
0x0005ADBC	0x00000009	DeleteAce
0x0005ADC8	0x0000000E	DuplicateToken
0x0005ADD9	0x00000011	CryptGetHashParam
0x0005AE07	0x0000000A	msvcrt.dll
0x0005AE1B	0x00000010	_except_handler2
0x0005AE2E	0x00000007	_CIacos
0x0005AE38	0x00000006	_cexit
0x0006B78A	0x0000001C	Windows Update
0x0006B7AA	0x00000018	MS Shell Dlg
0x0006B7DA	0x0000001E	Install Updates
0x0006B812	0x0000000C	Static
0x0006B83A	0x00000012	1. Click 
0x0006B866	0x00000022	"Install Updates"
0x0006B8A2	0x00000010	2. Click
0x0006B8CE	0x0000000E	"Allow"
0x0006B8F6	0x0000002E	when UAC screen appears

Notice the compile path for the DLL?

f:\src\mrs_adware\Adware2\trunk\Dll\release\Adware.pdb

This malware also creates some p0rn shortcuts on the desktop, along with three other files, spam001.exe, spam003.exe and troj000.exe, but these files aren't actually executables.

This is what the payment screen looks like in their so-called "Safebrowser". Obviously, filling in that information could put you in serious danger, either by letting them empty your bank account or by handing them personal information for identity theft.

Fake Payment

This is a sandbox report of the original dropper.

Detailed report of suspicious malware actions:
 
Created file on defined folder: C:\Documents and Settings\Administrator\Local Settings\Temp\TMP57114.tmp
Created file on defined folder: C:\Documents and Settings\Administrator\Local Settings\Temp\topwesitjh
Created file on defined folder: C:\Documents and Settings\All Users\Favorites\_favdata.dat
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\AUTMGR32.EXE
Defined registry AutoStart location added or modified: user\current_classes\.exe\shell\open\command  = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AUTMGR32.EXE" /START "%1" %*
Defined registry AutoStart location added or modified: user\current_classes\.exe\shell\open\command\IsolatedCommand = "%1" %*
Internet connection: C:\Documents and Settings\Administrator\Desktop\dropper.exe Connects to "91.213.157.69" on port 80 (TCP - HTTP).
Query DNS: traffic-photos .com
 
Risk evaluation result: High

This also downloaded the Pragma rootkit, the old (and probably sold) version of TDSS.

Pragma Rootkit

pragmacfg.ini:

[common]
botid=414796669-1177238915-152049171-1708537768
affid=336
subid=direct
build=no
[injections]
explorer.exe=pragmaserf
iexplore.exe=pragmaserf;pragmabbr
firefox.exe=pragmabbr
safari.exe=pragmabbr
chrome.exe=pragmabbr
opera.exe=pragmabbr

pragmabbr.dll strings:

0x000001E0	0x00000005	.text
0x00000207	0x00000007	`.rdata
0x0000022F	0x00000006	@.data
0x00000258	0x00000006	.reloc
0x0000027F	0x00000009	B.datatxt
0x000002A7	0x00000007	@.rdata
0x000002CF	0x00000007	@.ldata
0x000002F7	0x00000007	@.rdsec
0x00000320	0x00000005	.rsrc
0x00000347	0x00000007	@.sdata
0x0000036F	0x00000007	@.mdata
0x00000397	0x00000007	@.kdata
0x000003BF	0x00000007	@.edata
0x00001076	0x00000005	D$ Pj
0x000010D5	0x00000005	T$ Rj
0x00001134	0x00000005	L$ Qj
0x00001193	0x00000005	D$ Pj
0x000011F8	0x00000005	tZhHb
0x00001894	0x00000007	UWSPhXc
0x00001AB8	0x00000005	tDj@h
0x00001F36	0x00000005	u|h0d
0x00001F42	0x00000005	uphHd
0x00001F4E	0x00000005	udhXd
0x00001F5A	0x00000005	uXhpd
0x0000257A	0x00000005	D$8Te
0x00002582	0x00000005	D$<de
0x00002662	0x00000005	tFhde
0x00002670	0x00000005	t8hde
0x00002EDC	0x00000005	T$(Rj
0x000032D0	0x00000005	tuh@g
0x000033CB	0x00000007	L$ Qhhk
0x00003412	0x00000007	L$ Qhhk
0x000036F7	0x00000007	D$ Phhk
0x0000393C	0x00000006	Ut7j@h
0x000039D5	0x00000005	t7j@h
0x00003A5D	0x00000005	l( Uj
0x00003BCA	0x00000005	t7j@h
0x000044FE	0x00000007	UUUUh4k
0x00004621	0x00000005	v]j@h
0x00004EF3	0x00000006	u;WhDk
0x00004F95	0x00000005	PQhXk
0x00006178	0x0000000F	searchequal.com
0x00006188	0x0000000D	findsomup.org
0x00006198	0x0000000D	raincfind.org
0x000061A8	0x0000002C	94804860143697233939975370329435970097710202
0x000061D8	0x0000002C	85108357713673677262162845570576027004153211
0x00006208	0x00000007	License
0x00006210	0x0000001A	Software\Paladin Antivirus
0x0000622C	0x00000018	Software\Malware Defense
0x00006248	0x0000000C	\license.dat
0x00006258	0x0000000D	pragmacfg.ini
0x0000626C	0x00000005	affid
0x00006274	0x00000006	common
0x0000627C	0x00000007	default
0x00006284	0x00000005	subid
0x0000628C	0x00000012	[PANEL_SIGN_CHECK]
0x000062A0	0x0000000C	[panels_end]
0x000062B0	0x0000000E	[panels_begin]
0x000062C8	0x0000000D	[referer_end]
0x000062D8	0x0000000F	[referer_begin]
0x000062E8	0x00000013	[request_param_end]
0x000062FC	0x00000015	[request_param_begin]
0x00006314	0x0000000A	[prov_end]
0x00006320	0x0000000C	[prov_begin]
0x00006330	0x00000011	[domens_fake_end]
0x00006344	0x00000013	[domens_fake_begin]
0x00006358	0x0000003E	http://%s/?gd=%s&affid=%s&subid=%s&dprov=&mode=cr&v=6&newref=1
0x00006398	0x0000000A	OK_INSTALL
0x000063A4	0x0000000A	GET_PARAMS
0x000063C8	0x00000053	http://%s/?affid=%s&subid=%s&prov=%s&keyword=%s&ref=%s&direct=1&shurl=1&lastpage=%s
0x0000641C	0x00000010	clients1.google.
0x00006430	0x00000016	toolbarqueries.google.
0x00006448	0x0000000F	maps.google.com
0x00006458	0x00000016	suggestqueries.google.
0x00006470	0x00000006	/aclk?
0x00006478	0x00000007	google.
0x00006480	0x00000035	http://www.google.com/tools/toolbar/service/noupdate?
0x000064B8	0x0000000F	X-Moz: prefetch
0x000064C8	0x0000001A	click-analytics.google.com
0x000064E4	0x0000000C	search/cache
0x000064F4	0x0000000E	/search/search
0x00006504	0x0000000C	search/redir
0x00006514	0x00000009	alexa.com
0x00006520	0x00000009	facebook.
0x0000652C	0x00000011	Accept-Language: 
0x00006544	0x0000000C	User-Agent: 
0x00006554	0x0000000C	/gp/product/
0x0000656C	0x0000000A	amazon.com
0x00006580	0x0000000B	endless.com
0x00006590	0x00000071	http://www.amazon.com/gp/product/%s?ie=UTF8&tag=peakclick-20&linkCode=as2&camp=1789&creative=9325&creativeASIN=%s
0x00006608	0x00000063	http://www.endless.com/dp/%s?_encoding=UTF8&tag=peakclick-20&linkCode=xm2&camp=1789&creativeASIN=%s
0x00006674	0x00000005	POST 
0x0000667C	0x00000034	click-analytics.google.com
0x000066BC	0x00000007	wsock32
0x000066C4	0x00000006	ws2_32
0x000066CC	0x00000007	WSASend
0x000066D4	0x00000007	WSARecv
0x000066DC	0x00000007	connect
0x000066E4	0x0000000B	closesocket
0x000066F8	0x0000000A	DnsQuery_A
0x00006704	0x00000006	Dnsapi
0x0000670C	0x0000000A	DnsQuery_W
0x00006748	0x00000006	200 OK
0x00006768	0x00000010	pragmamainqt.dll
0x0000677C	0x00000020	pragmapdconf.ini
0x000067A0	0x0000000D	TabProcGrowth
0x000067B0	0x00000029	Software\Microsoft\Internet Explorer\Main
0x000067E0	0x0000006A	User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
0x0000684C	0x00000016	Accept-Language: en-us
0x00006864	0x0000000F	gesualdo.alexa.
0x00006874	0x00000011	.googlehosted.com
0x00006888	0x00000010	cc.msnscache.com
0x0000689C	0x00000015	searchapi.search.aol.
0x000068B4	0x00000009	askcache.
0x000068C0	0x00000014	microsofttranslator.
0x000068D8	0x0000000A	altavista.
0x000068E4	0x0000000A	alltheweb.
0x000068F0	0x00000015	scorecardresearch.com
0x00006908	0x0000000E	.alexametrics.
0x00006918	0x0000000B	googleapis.
0x00006924	0x00000006	.ixnp.
0x0000692C	0x0000000D	.everesttech.
0x0000693C	0x00000014	google-analytics.com
0x00006954	0x00000008	i.i.com.
0x00006960	0x0000000C	img.youtube.
0x00006970	0x00000009	.gstatic.
0x0000697C	0x00000007	dw.com.
0x00006984	0x00000005	.icq.
0x0000698C	0x00000007	sa.aol.
0x00006994	0x00000008	dmn.aol.
0x000069A0	0x00000005	.aol.
0x000069A8	0x0000000A	atwola.com
0x000069B4	0x00000007	aolcdn.
0x000069BC	0x00000006	atdmt.
0x000069C4	0x00000006	yahoo.
0x000069CC	0x00000005	bing.
0x000069D4	0x00000007	.google
0x000069DC	0x0000000A	rds.yahoo.
0x000069E8	0x00000005	yimg.
0x000069F0	0x00000007	http://
0x000069F8	0x00000006	Host: 
0x00006A00	0x00000007	HTTP/1.
0x00006A08	0x00000009	Referer: 
0x00006A14	0x0000000D	googlehosted.
0x00006A40	0x00000018	iexplore.exe
0x00006A5C	0x00000024	Software\Microsoft\Internet Explorer
0x00006A84	0x00000007	Version
0x00006A8C	0x00000016	firefox.exe
0x00006AA4	0x00000012	opera.exe
0x00006AB8	0x00000014	Safari.exe
0x00006AD0	0x00000014	chrome.exe
0x00006AE8	0x00000010	0123456789ABCDEF
0x00006AFC	0x0000000F	Software\pragma
0x00006B0C	0x00000024	48a10810-b8c6-442e-b021-2f1a5deb810c
0x00006B34	0x00000008	wget 3.0
0x00006B44	0x00000009	-_.!~*'()
0x00006B50	0x00000006	pragma
0x00006B58	0x0000000E	default
0x00006D86	0x00000007	strncpy
0x00006D90	0x00000007	_strlwr
0x00006D9A	0x00000006	strstr
0x00006DA4	0x00000006	strchr
0x00006DAE	0x00000007	isalnum
0x00006DB8	0x00000006	_ultow
0x00006DC2	0x0000001C	RtlImageDirectoryEntryToData
0x00006DE2	0x00000010	RtlImageNtHeader
0x00006DF6	0x00000005	_wtol
0x00006DFC	0x00000009	ntdll.dll
0x00006E09	0x0000000A	SASetEvent
0x00006E14	0x0000000A	WS2_32.dll
0x00006E22	0x00000008	StrStrIA
0x00006E2E	0x00000008	StrCmpIW
0x00006E3A	0x00000007	StrStrA
0x00006E44	0x0000000A	wnsprintfA
0x00006E52	0x00000009	StrCmpNIA
0x00006E5E	0x00000008	StrStrIW
0x00006E6A	0x00000008	StrCmpNA
0x00006E76	0x00000007	StrChrA
0x00006E7E	0x0000000B	SHLWAPI.dll
0x00006E8D	0x00000017	nternetCanonicalizeUrlA
0x00006EA8	0x00000010	InternetOpenUrlA
0x00006EBC	0x00000010	InternetReadFile
0x00006ED0	0x0000000D	InternetOpenA
0x00006EE1	0x00000012	nternetCloseHandle
0x00006EF4	0x0000000B	WININET.dll
0x00006F02	0x00000008	lstrcmpA
0x00006F0E	0x00000008	lstrlenA
0x00006F1A	0x00000009	lstrcpynA
0x00006F26	0x0000000C	GetTickCount
0x00006F36	0x0000000B	VirtualFree
0x00006F44	0x00000019	InitializeCriticalSection
0x00006F60	0x00000005	Sleep
0x00006F68	0x00000014	LeaveCriticalSection
0x00006F80	0x0000000D	IsBadWritePtr
0x00006F90	0x00000008	lstrcatA
0x00006F9C	0x00000013	MultiByteToWideChar
0x00006FB2	0x0000000C	GetTempPathW
0x00006FC2	0x00000013	InterlockedExchange
0x00006FD8	0x00000018	FreeLibraryAndExitThread
0x00006FF4	0x00000009	lstrcmpiA
0x00007000	0x0000000C	VirtualAlloc
0x00007010	0x00000014	EnterCriticalSection
0x00007028	0x00000019	DisableThreadLibraryCalls
0x00007044	0x00000018	GetPrivateProfileStringA
0x00007060	0x0000000C	GetLocalTime
0x00007070	0x0000000C	LoadLibraryA
0x00007080	0x00000012	GetModuleFileNameA
0x00007096	0x00000008	lstrcatW
0x000070A3	0x0000000A	loseHandle
0x000070B0	0x0000000C	GetTempPathA
0x000070C0	0x0000000D	GetSystemTime
0x000070D0	0x0000000B	DeleteFileA
0x000070DF	0x0000000B	reateThread
0x000070EE	0x00000008	lstrcpyA
0x000070FA	0x00000012	GetModuleFileNameW
0x00007111	0x0000000A	reateFileA
0x0000711E	0x0000000B	GetFileSize
0x0000712C	0x00000014	SystemTimeToFileTime
0x00007144	0x00000018	GetPrivateProfileStringW
0x00007160	0x00000009	WriteFile
0x0000716C	0x00000008	ReadFile
0x00007178	0x0000001A	WritePrivateProfileStringW
0x00007196	0x00000010	GetTempFileNameA
0x000071AA	0x0000000E	VirtualProtect
0x000071BA	0x0000000C	KERNEL32.dll
0x000071CA	0x00000010	RegQueryValueExA
0x000071DE	0x0000000D	RegOpenKeyExA
0x000071EE	0x0000000B	RegCloseKey
0x000071FC	0x0000000E	RegSetValueExA
0x0000720E	0x0000000D	RegCreateKeyA
0x0000721C	0x0000000C	ADVAPI32.dll
0x0000722C	0x00000017	SHGetSpecialFolderPathA
0x00007244	0x0000000B	SHELL32.dll
0x00007252	0x00000006	memcpy
0x0000725C	0x00000006	memset
0x00007266	0x00000007	_chkstk
0x00007270	0x00000008	_aulldiv
0x0000727C	0x00000007	_allmul
0x00007286	0x00000008	_aullrem
0x000072C2	0x0000000B	Clicker.dll
0x000072CE	0x0000000A	_Install@0
0x00008013	0x000000CE	<form name="myform" action="%s" method="post"></form><script ty
0x00008123	0x00000056	window.location="%s";
0x00008193	0x0000009F	<a name="redirect" id="redirect" href="%s">ClickMe</a>redirect.
0x00008238	0x00000040	ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
0x00008293	0x000000CE	<form name="myform" action="%s" method="post"></form><script ty
0x000083A3	0x00000056	window.location="%s";
0x00008413	0x0000009F	<a name="redirect" id="redirect" href="%s">ClickMe</a>redirect.
0x000084CB	0x000000CE	<form name="myform" action="%s" method="post"></form><script ty
0x000085DB	0x00000056	window.location="%s";
0x0000864B	0x0000009F	<a name="redirect" id="redirect" href="%s">ClickMe</a>redirect.
0x00008783	0x000000CE	<form name="myform" action="%s" method="post"></form><script ty
0x00008893	0x00000056	window.location="%s";
0x00008903	0x0000009F	<a name="redirect" id="redirect" href="%s">ClickMe</a>redirect.
0x0001E5D4	0x0000000C	63<3B3H3N3T3
0x000260A0	0x0000000C	kernel32.dll
0x000260AF	0x0000000F	GetCommandLineA
0x000260C1	0x0000000C	GetTempPathA
0x000260D0	0x0000000B	CloseHandle
0x000260DE	0x0000000F	GetStartupInfoA
0x000260F0	0x0000000E	VirtualProtect
0x00026101	0x00000009	FatalExit
0x0002610E	0x0000000A	user32.dll
0x0002611B	0x00000012	IsDlgButtonChecked
0x00026130	0x0000000C	GetUpdateRgn
0x00027032	0x0000000D	sciqfvgxk.exe
0x00027040	0x0000000C	SetIktawoxpd

pragmac.dll strings:

0x000001D0	0x00000005	.text
0x000001F7	0x00000007	`.rdata
0x0000021F	0x00000006	@.data
0x00000248	0x00000005	.test
0x00000270	0x00000006	.reloc
0x00000297	0x00000009	B.datatxt
0x000002BF	0x00000007	@.rdata
0x000002E7	0x00000007	@.ldata
0x0000030F	0x00000007	@.rdsec
0x00000338	0x00000005	.rsrc
0x0000035F	0x00000007	@.sdata
0x00000387	0x00000007	@.mdata
0x000003AF	0x00000007	@.kdata
0x000003D7	0x00000007	@.edata
0x000011DF	0x00000008	T$0RVhHD
0x00001E01	0x00000006	SVWj@h
0x00002028	0x00000005	QVj@h
0x000029D9	0x00000005	tGj@h
0x00002D77	0x00000005	SWhhF
0x0000300E	0x00000005	SVhtD
0x000043A7	0x0000000D	 \license.dat
0x000043B8	0x0000002C	94804860143697233939975370329435970097710202
0x000043E8	0x00000018	ROOT\DEFAULT
0x00004404	0x0000001A	SystemRestore
0x00004420	0x00000014	SRRemoveRestorePoint
0x00004438	0x0000000C	srclient.dll
0x00004448	0x0000001C	SequenceNumber
0x00004468	0x00000008	%s_%s_ok
0x00004480	0x00000054	\registry\machine\software\PRAGMA\injector
0x000044DC	0x0000000A	injections
0x000044E8	0x00000005	%s;%s
0x000044F8	0x00000006	PRAGMA
0x00004500	0x00000010	cmddelay
0x00004518	0x00000042	\registry\machine\software\PRAGMA
0x0000455C	0x0000000E	PRAGMAsrcr.dat
0x00004570	0x00000054	\registry\machine\software\PRAGMA\versions
0x000045DC	0x00000012	%[^.].%[^(](%[^)])
0x000045F0	0x00000005	%s/%s
0x000045F8	0x0000000A	build
0x00004610	0x0000000A	affid
0x0000461C	0x0000000A	subid
0x00004628	0x00000007	%s (%d)
0x00004630	0x00000035	file=%s&address=0x%x&image=%s&code=0x%x&info=%s&id=%s
0x00004668	0x00000010	PRAGMAerrors.log
0x0000467C	0x00000018	%[^;];%[^;];%[^;];%[^;];
0x00004698	0x0000000F	software\PRAGMA
0x000046A8	0x00000005	affid
0x000046B0	0x00000005	subid
0x000046B8	0x00000005	botid
0x000046C0	0x00000006	common
0x000046C8	0x00000005	build
0x000046D0	0x0000000E	netsvcs
0x000046E0	0x0000004A	\ACA9DB5C-7EAB-4026-A9A7-BED05538CE9D
0x0000472C	0x0000001A	PRAGMAcfg.ini
0x00004748	0x0000000B	PRAGMAc.dll
0x00004754	0x0000000B	PRAGMAd.sys
0x00004768	0x0000000A	%s%s%x.tmp
0x00004778	0x000000AC	software\microsoft\internet explorer\main\featurecontrol\feature_enable_ie_compression
0x00004828	0x0000000A	urlmon.dll
0x00004834	0x00000005	.test
0x0000483C	0x00000005	%u-%s
0x0000484C	0x00000022	\\?\globalroot\systemroot\system32
0x00004870	0x00000005	%s\%s
0x00004878	0x0000002F	Content-Type: application/x-www-form-urlencoded
0x000048A8	0x0000000C	PRAGMA
0x000048B8	0x00000015	ObtainUserAgentString
0x000048D0	0x00000037	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
0x000053DE	0x00000008	tdll.dll
0x000053E7	0x00000007	CmdExec
0x000053EF	0x0000000C	CmdExecAffID
0x000053FC	0x0000000C	CmdExecBuild
0x00005409	0x0000000C	CmdExecSubID
0x00005416	0x0000000B	CmdExecType
0x00005422	0x0000000E	CmdExecVersion
0x00005431	0x00000008	CmdKnock
0x0000543A	0x0000000C	FileDownload
0x00005447	0x00000012	FileDownloadRandom
0x0000545A	0x0000000B	InjectorAdd
0x00005466	0x0000000B	InjectorSet
0x00005472	0x00000013	ModuleDownloadUnxor
0x00005486	0x0000000A	ModuleLoad
0x00005491	0x0000000C	ModuleUnload
0x0000549E	0x0000000B	SetCmdDelay
0x00007000	0x00000011	336;direct;no;no;
0x0000F0A0	0x0000000C	kernel32.dll
0x0000F0AF	0x0000000F	GetCommandLineA
0x0000F0C1	0x0000000C	GetTempPathA
0x0000F0D0	0x0000000B	CloseHandle
0x0000F0DE	0x0000000F	GetStartupInfoA
0x0000F0F0	0x0000000E	VirtualProtect
0x0000F101	0x00000009	FatalExit
0x0000F10E	0x0000000A	user32.dll
0x0000F11B	0x00000012	IsDlgButtonChecked
0x0000F130	0x0000000C	GetUpdateRgn
0x0000F432	0x0000000A	cseteo.exe
0x0000F43D	0x00000007	Caokyjf

pragmaserf.dll strings:

0x000001D8	0x00000005	.text
0x000001FF	0x00000007	`.rdata
0x00000227	0x00000006	@.data
0x00000250	0x00000006	.reloc
0x00000277	0x00000009	B.datatxt
0x0000029F	0x00000007	@.rdata
0x000002C7	0x00000007	@.ldata
0x000002EF	0x00000007	@.rdsec
0x00000318	0x00000005	.rsrc
0x0000033F	0x00000007	@.sdata
0x00000367	0x00000007	@.mdata
0x0000038F	0x00000007	@.kdata
0x000003B7	0x00000007	@.edata
0x00001076	0x00000005	D$ Pj
0x000010D5	0x00000005	T$ Rj
0x00001134	0x00000005	L$ Qj
0x00001193	0x00000005	D$ Pj
0x000011F8	0x00000005	tZhHR
0x00001278	0x00000005	$PhXR
0x000012B7	0x00000005	D$$Pj
0x000012F1	0x00000005	D$(Pj
0x0000146F	0x00000006	D$ hTS
0x0000161E	0x00000005	L$DQh
0x000026E3	0x00000007	D$,PSSh
0x00002954	0x00000007	UWSPh<V
0x00002C4C	0x00000005	D$,Pj
0x00002C91	0x00000005	D$,Pj
0x00003092	0x00000007	D$<PSSh
0x000036A1	0x00000005	v]j@h
0x0000413E	0x00000007	UUUUh`]
0x000045B6	0x00000007	l$4VWUj
0x000045E2	0x00000005	D$<Pj
0x0000465D	0x00000005	T$$Rj
0x000046CE	0x00000005	D$4Pj
0x00005178	0x0000000F	searchequal.com
0x00005188	0x0000000D	findsomup.org
0x00005198	0x0000000D	raincfind.org
0x000051A8	0x0000002C	94804860143697233939975370329435970097710202
0x000051D8	0x0000002C	85108357713673677262162845570576027004153211
0x00005208	0x00000007	License
0x00005210	0x0000001A	Software\Paladin Antivirus
0x0000522C	0x00000018	Software\Malware Defense
0x00005248	0x0000000C	\license.dat
0x00005258	0x00000034	Software\Microsoft\Internet Explorer\Recovery\Active
0x00005290	0x00000012	[PANEL_SIGN_CHECK]
0x000052A4	0x0000000C	[panels_end]
0x000052B4	0x0000000E	[panels_begin]
0x000052C8	0x0000000F	Use FormSuggest
0x000052D8	0x00000029	Software\Microsoft\Internet Explorer\Main
0x00005310	0x00000043	Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
0x00005354	0x00000013	NoReopenLastSession
0x00005368	0x00000036	Software\Policies\Microsoft\Internet Explorer\Recovery
0x000053A0	0x0000000B	AutoRecover
0x000053AC	0x0000002D	Software\Microsoft\Internet Explorer\Recovery
0x000053E0	0x00000012	Check_Associations
0x000053F4	0x00000016	Play_Background_Sounds
0x0000540C	0x0000003B	AppEvents\Schemes\Apps\Explorer\ActivatingDocument\.current
0x0000544C	0x00000033	AppEvents\Schemes\Apps\Explorer\Navigating\.current
0x00005480	0x00000031	AppEvents\Schemes\Apps\.Default\CCSelect\.Current
0x000054B4	0x00000008	test.reg
0x000054C0	0x00000010	\regedit.exe /s 
0x000054D4	0x00000009	referer: 
0x000054E4	0x0000000E	msacm32
0x000054F4	0x00000007	msacm32
0x000054FC	0x0000000B	Referer: %s
0x00005508	0x0000000C	iexplore.exe
0x00005518	0x0000000E	popupcount_end
0x00005528	0x00000012	[popupcount_begin]
0x0000553C	0x00000010	[runs_count_end]
0x00005550	0x00000012	[runs_count_begin]
0x00005564	0x00000012	[urls_to_serf_end]
0x00005578	0x00000014	[urls_to_serf_begin]
0x00005590	0x00000014	[refs_to_change_end]
0x000055A8	0x00000016	[refs_to_change_begin]
0x000055C0	0x0000000F	[popupurl2_end]
0x000055D0	0x00000011	[popupurl2_begin]
0x000055E4	0x00000022	\Internet Explorer\iexplore.exe %s
0x00005608	0x0000000D	pragmacfg.ini
0x0000561C	0x00000005	affid
0x00005624	0x00000006	common
0x0000562C	0x00000007	default
0x00005634	0x00000005	subid
0x0000563C	0x00000037	http://%s/?gd=%s&affid=%s&subid=%s&prov=&mode=cr&v=6nkr
0x00005674	0x0000000A	OK_INSTALL
0x00005680	0x0000000A	GET_PARAMS
0x00005694	0x0000000F	Software\pragma
0x000056AC	0x00000008	TestDesk
0x000056B8	0x0000000A	IEUser.exe
0x000056C4	0x0000000C	explorer.exe
0x000056D4	0x0000000A	chrome.exe
0x000056E0	0x0000000A	Safari.exe
0x000056EC	0x00000009	opera.exe
0x000056F8	0x0000000B	firefox.exe
0x00005704	0x0000000A	ieuser.exe
0x00005710	0x00000014	\pragmamfeklnmal.dll
0x00005728	0x00000016	HttpAddRequestHeadersA
0x00005740	0x00000007	wininet
0x00005748	0x00000016	HttpAddRequestHeadersW
0x00005760	0x00000010	HttpOpenRequestW
0x00005774	0x00000010	HttpOpenRequestA
0x00005788	0x00000010	InternetConnectW
0x0000579C	0x00000010	InternetConnectA
0x000057B0	0x00000007	http://
0x000057B8	0x0000000C	LoadLibraryW
0x000057C8	0x00000008	kernel32
0x000057D4	0x0000000C	LoadLibraryA
0x000057E4	0x00000014	CreateProcessAsUserW
0x000057FC	0x00000008	Advapi32
0x00005808	0x0000000C	indobids.com
0x00005818	0x00000011	spywarefixpro.com
0x0000582C	0x00000011	trojan-killer.net
0x00005840	0x0000000D	hijackthis.nl
0x00005850	0x00000014	virusremovalguru.com
0x00005868	0x0000000F	pc-helpforum.be
0x00005878	0x00000015	howtofixcomputers.com
0x00005890	0x0000000A	zimbio.com
0x0000589C	0x0000000C	xp-vista.com
0x000058AC	0x00000015	windowsprotection.net
0x000058C4	0x00000015	whois.domaintools.com
0x000058DC	0x00000013	webtoolsandtips.com
0x000058F0	0x0000000E	wareseeker.com
0x00005900	0x0000000E	tech.yahoo.com
0x00005910	0x0000000F	spywarevoid.com
0x00005920	0x00000013	spywares-remove.com
0x00005934	0x00000011	spywareremove.com
0x00005948	0x00000013	spywaredetector.net
0x0000595C	0x00000012	spyware-techie.com
0x00005970	0x00000009	spyna.com
0x0000597C	0x00000008	snpx.com
0x00005988	0x0000001D	rogueantispyware.blogspot.com
0x000059A8	0x0000001A	rogue-malware.blogspot.com
0x000059C4	0x0000000F	removevirus.org
0x000059D4	0x0000000D	removeit.info
0x000059E4	0x00000017	remove-spy.blogspot.com
0x000059FC	0x00000012	remove-malware.net
0x00005A10	0x00000010	removal-tool.com
0x00005A24	0x00000013	precisesecurity.com
0x00005A38	0x0000000F	powerclickz.com
0x00005A48	0x0000000C	pcthreat.com
0x00005A58	0x0000000E	pcindanger.com
0x00005A68	0x0000000B	pc1news.com
0x00005A74	0x0000000F	news.loaris.com
0x00005A84	0x00000011	myantispyware.com
0x00005A98	0x0000000F	malwarehelp.org
0x00005AA8	0x0000000C	lognrock.com
0x00005AB8	0x0000000C	kiguolis.com
0x00005AC8	0x00000009	iobit.com
0x00005AD4	0x0000000F	im-infected.com
0x00005AE4	0x00000010	hands-oncorp.com
0x00005AF8	0x0000000D	geekstogo.com
0x00005B08	0x00000014	freepcsecurity.co.uk
0x00005B20	0x0000000F	forum.drweb.com
0x00005B30	0x0000000E	findmysoft.com
0x00005B40	0x0000000B	fakeware.ru
0x00005B4C	0x00000011	ezinearticles.com
0x00005B60	0x00000012	exterminate-it.com
0x00005B74	0x00000012	enigmasoftware.com
0x00005B88	0x0000000F	downloadbox.org
0x00005B98	0x0000000E	comprolive.com
0x00005BA8	0x00000024	cid-556a72d9038a7868.spaces.live.com
0x00005BD0	0x00000018	carnegiecyberacademy.com
0x00005BEC	0x0000000F	cantalktech.com
0x00005BFC	0x0000000F	brothersoft.com
0x00005C0C	0x0000000F	blogcatalog.com
0x00005C1C	0x00000014	bleepingcomputer.com
0x00005C34	0x0000001E	bharath-m-narayan.blogspot.com
0x00005C54	0x00000012	beyondsecurity.com
0x00005C68	0x00000010	averyjparker.com
0x00005C7C	0x00000018	antispyware.wetpaint.com
0x00005C98	0x0000000F	antispyware.com
0x00005CA8	0x00000014	anti-spyware-101.com
0x00005CC0	0x00000011	answers.yahoo.com
0x00005CD4	0x0000000C	PCTHREAT.com
0x00005CE4	0x0000000F	411-spyware.com
0x00005CF4	0x0000000D	2-viruses.com
0x00005D04	0x0000000D	2-spyware.com
0x00005D14	0x0000000A	2-free.net
0x00005D20	0x00000024	dae91b54-7265-4dac-b01e-e4787b4ccaea
0x00005D48	0x00000006	pragma
0x00005D60	0x00000008	wget 3.0
0x00005D6C	0x00000008	Internet
0x00005D78	0x00000020	SeDebugPrivilege
0x00005FC6	0x00000006	strstr
0x00005FD0	0x00000007	strncpy
0x00005FDA	0x00000007	strtoul
0x00005FE4	0x00000007	_strlwr
0x00005FEE	0x0000001C	RtlImageDirectoryEntryToData
0x0000600E	0x00000019	ZwQueryInformationProcess
0x0000602A	0x00000010	RtlImageNtHeader
0x0000603C	0x00000009	ntdll.dll
0x00006048	0x00000008	StrStrIA
0x00006054	0x00000008	StrStrIW
0x00006060	0x0000000A	wnsprintfA
0x0000606E	0x00000009	StrCmpNIA
0x00006078	0x0000000B	SHLWAPI.dll
0x00006087	0x00000010	nternetCrackUrlA
0x0000609A	0x00000010	InternetReadFile
0x000060AE	0x0000000D	InternetOpenA
0x000060BF	0x00000012	nternetCloseHandle
0x000060D4	0x00000010	InternetOpenUrlA
0x000060E6	0x0000000B	WININET.dll
0x000060F4	0x00000017	SHGetSpecialFolderPathA
0x0000610C	0x0000000B	SHELL32.dll
0x0000611A	0x0000000D	EnumProcesses
0x0000612A	0x00000014	GetModuleFileNameExA
0x00006140	0x00000009	PSAPI.DLL
0x0000614D	0x0000000A	reateFileA
0x0000615A	0x00000008	lstrlenA
0x00006166	0x0000000B	VirtualFree
0x00006174	0x00000014	GetWindowsDirectoryA
0x0000618C	0x00000009	WriteFile
0x00006198	0x0000000F	GetCommandLineA
0x000061AA	0x00000013	WideCharToMultiByte
0x000061C0	0x00000005	Sleep
0x000061C9	0x0000000D	reateProcessA
0x000061DA	0x0000000D	IsBadWritePtr
0x000061EA	0x00000010	TerminateProcess
0x000061FE	0x00000008	lstrcatA
0x0000620A	0x00000013	MultiByteToWideChar
0x00006220	0x0000000F	GetStartupInfoW
0x00006232	0x00000018	FreeLibraryAndExitThread
0x0000624E	0x00000009	lstrcmpiA
0x0000625A	0x0000000C	VirtualAlloc
0x0000626A	0x00000019	DisableThreadLibraryCalls
0x00006286	0x00000018	GetPrivateProfileStringA
0x000062A2	0x0000000C	LoadLibraryA
0x000062B2	0x00000012	GetModuleFileNameA
0x000062C8	0x00000012	GetCurrentThreadId
0x000062DE	0x00000007	WinExec
0x000062E9	0x0000000A	loseHandle
0x000062F6	0x0000000C	GetTempPathA
0x00006306	0x0000000D	GetSystemTime
0x00006316	0x0000000B	DeleteFileA
0x00006325	0x0000000B	reateThread
0x00006334	0x00000008	lstrcpyA
0x00006340	0x0000000B	GetFileSize
0x0000634E	0x0000000E	SetFilePointer
0x00006360	0x00000009	lstrcpynA
0x0000636C	0x00000011	GetCurrentProcess
0x00006380	0x00000010	GetCurrentThread
0x00006394	0x0000000B	OpenProcess
0x000063A2	0x00000011	ReadProcessMemory
0x000063B6	0x0000000D	GetVersionExW
0x000063C6	0x00000008	ReadFile
0x000063D2	0x0000000C	GetLastError
0x000063E2	0x0000000C	SetLastError
0x000063F2	0x00000010	GetTempFileNameA
0x00006406	0x0000000E	VirtualProtect
0x00006416	0x0000000C	KERNEL32.dll
0x00006427	0x0000000B	loseDesktop
0x00006436	0x00000009	wsprintfA
0x00006443	0x0000000D	reateDesktopA
0x00006454	0x00000010	GetThreadDesktop
0x00006468	0x00000018	GetWindowThreadProcessId
0x00006484	0x00000010	GetSystemMetrics
0x00006498	0x0000000C	SetWindowPos
0x000064A8	0x0000000E	GetWindowTextA
0x000064BA	0x0000000B	EnumWindows
0x000064C6	0x0000000A	USER32.dll
0x000064D4	0x0000000D	RegCreateKeyA
0x000064E4	0x0000000F	RegDeleteValueA
0x000064F6	0x0000000D	RegEnumValueA
0x00006506	0x0000000B	RegCloseKey
0x00006514	0x00000010	OpenProcessToken
0x00006528	0x0000000F	OpenThreadToken
0x0000653A	0x00000013	GetTokenInformation
0x00006550	0x0000000E	RegSetValueExA
0x00006562	0x00000010	RegQueryValueExA
0x00006576	0x00000015	LookupPrivilegeValueW
0x0000658E	0x0000000B	RegOpenKeyA
0x0000659C	0x00000015	AdjustTokenPrivileges
0x000065B2	0x0000000C	ADVAPI32.dll
0x000065C2	0x00000006	memcpy
0x000065CC	0x00000006	memset
0x000065D6	0x00000007	_chkstk
0x00006612	0x0000000A	NkrDll.dll
0x0000661D	0x0000000A	_Install@0
0x00007000	0x00000040	ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
0x0000C493	0x0000000B	86<<<B<H<N<
0x0000C513	0x0000001F	1 1$1(1,1014181x>|>
0x000110E4	0x00000005	cuvwx
0x000140A0	0x0000000C	kernel32.dll
0x000140AF	0x0000000F	GetCommandLineA
0x000140C1	0x0000000C	GetTempPathA
0x000140D0	0x0000000B	CloseHandle
0x000140DE	0x0000000F	GetStartupInfoA
0x000140F0	0x0000000E	VirtualProtect
0x00014101	0x00000009	FatalExit
0x0001410E	0x0000000A	user32.dll
0x0001411B	0x00000012	IsDlgButtonChecked
0x00014130	0x0000000C	GetUpdateRgn
0x00015032	0x00000009	lpoaw.exe
0x0001503C	0x00000007	Mjexfdm

pragmad.sys strings:

0x000001C0	0x00000005	.text
0x000001E7	0x00000007	`.rdata
0x0000020F	0x00000006	@.data
0x00000238	0x00000005	.test
0x00000260	0x00000006	.reloc
0x00000287	0x00000009	Bsecsct10
0x000002B0	0x00000008	nr7rc660
0x000002D8	0x00000005	idata
0x000002FF	0x00000007	@.idata
0x00000328	0x00000005	.rsrc
0x00004110	0x0000001A	PRAGMAcfg.ini
0x0000412C	0x0000000C	PRAGMA
0x0000413C	0x0000000E	\\?\globalroot
0x0000414C	0x0000000A	%s\%s
0x0000415C	0x0000000A	start
0x00004174	0x00000012	imagepath
0x00004190	0x0000000B	file system
0x0000419C	0x0000000A	group
0x000041AC	0x00000010	\\?\globalroot%s
0x000041C0	0x00000054	\registry\machine\software\PRAGMA\injector
0x00004224	0x0000000B	svchost.exe
0x00004230	0x0000000B	PRAGMAc.dll
0x0000423C	0x0000001C	*\KERNEL32.DLL
0x0000425C	0x00000016	*\NTDLL.DLL
0x00004274	0x00000017	NtFlushInstructionCache
0x0000428C	0x0000000E	LoadLibraryExA
0x000042A4	0x00000024	\FileSystem\FltMgr
0x000042CC	0x00000012	*\PRAGMA*
0x000042E0	0x0000001C	*\TEMP\PRAGMA*
0x00004300	0x00000030	*\SYSTEM32\CONFIG\SYSTEM
0x00004334	0x00000034	*\SYSTEM32\CONFIG\SOFTWARE
0x0000436C	0x0000000A	chkdsk.exe
0x00004378	0x00000026	\filesystem\fastfat
0x000043A0	0x00000020	\filesystem\ntfs
0x000043C4	0x0000001A	\driver\tcpip
0x000043E0	0x0000001C	\driver\ftdisk
0x00004400	0x00000018	\driver\disk
0x0000441C	0x0000001A	\driver\atapi
0x00004438	0x0000001E	\driver\volsnap
0x00004458	0x0000001E	\driver\partmgr
0x00004478	0x0000001E	\filesystem\raw
0x00004498	0x00000016	svchost.exe
0x000044B0	0x00000006	System
0x000044B8	0x00000012	ntdll.dll
0x000044CC	0x00000018	kernel32.dll
0x000044E8	0x00000005	.test
0x000044F0	0x00000072	\registry\machine\system\currentcontrolset\services\luafv
0x00004568	0x00000074	\registry\machine\system\currentcontrolset\services\wscsvc
0x000045E8	0x0000000E	modules
0x000045F8	0x00000016	PRAGMAc.dll
0x00004610	0x000000A8	\registry\machine\system\currentcontrolset\enum\root\legacy_PRAGMAd.sys000\control
0x000046C0	0x00000098	\registry\machine\system\currentcontrolset\enum\root\legacy_PRAGMAd.sys000
0x00004760	0x0000008E	\registry\machine\system\currentcontrolset\enum\root\legacy_PRAGMAd.sys
0x000047F8	0x0000002E	\systemroot\system32\%S
0x00004828	0x00000018	KeServiceDescriptorTable
0x00004992	0x00000007	wcsrchr
0x0000499C	0x00000007	wcsncpy
0x000049A6	0x00000014	RtlInitUnicodeString
0x000049BE	0x0000000A	ZwOpenFile
0x000049CC	0x00000007	ZwClose
0x000049D6	0x00000008	_stricmp
0x000049E2	0x00000008	_wcsicmp
0x000049EE	0x00000006	strstr
0x000049F8	0x00000007	strrchr
0x00004A02	0x00000006	strchr
0x00004A0C	0x00000009	_snprintf
0x00004A18	0x00000007	strncpy
0x00004A22	0x00000009	ZwOpenKey
0x00004A2E	0x0000000F	ZwQueryValueKey
0x00004A40	0x0000000A	_snwprintf
0x00004A4E	0x0000000B	ZwCreateKey
0x00004A5C	0x00000013	ZwSetSecurityObject
0x00004A72	0x00000014	RtlCreateRegistryKey
0x00004A8A	0x00000015	RtlWriteRegistryValue
0x00004AA2	0x00000017	ObReferenceObjectByName
0x00004ABC	0x00000012	IoDriverObjectType
0x00004AD2	0x00000014	ObfDereferenceObject
0x00004AEB	0x00000010	xFreePoolWithTag
0x00004AFE	0x00000017	ZwAllocateVirtualMemory
0x00004B18	0x00000007	sprintf
0x00004B22	0x00000012	KeGetCurrentThread
0x00004B38	0x00000016	KeDelayExecutionThread
0x00004B52	0x00000013	IoGetCurrentProcess
0x00004B68	0x00000017	FsRtlIsNameInExpression
0x00004B82	0x0000001C	MmMapLockedPagesSpecifyCache
0x00004BA2	0x00000015	RtlEqualUnicodeString
0x00004BBA	0x00000016	IoQueryFileInformation
0x00004BD4	0x00000010	IoCancelFileOpen
0x00004BE8	0x00000008	swprintf
0x00004BF5	0x0000000D	xAllocatePool
0x00004C06	0x00000012	IofCompleteRequest
0x00004C1C	0x0000000D	IofCallDriver
0x00004C2C	0x0000000E	ZwEnumerateKey
0x00004C3E	0x00000017	ZwFlushInstructionCache
0x00004C58	0x0000000D	ZwQueryObject
0x00004C68	0x00000010	RtlCompareMemory
0x00004C7C	0x0000001A	PsLookupProcessByProcessId
0x00004C9A	0x00000014	KeStackAttachProcess
0x00004CB2	0x00000016	KeUnstackDetachProcess
0x00004CCC	0x00000010	RtlImageNtHeader
0x00004CE0	0x0000000C	ZwCreateFile
0x00004CF0	0x0000000B	ZwWriteFile
0x00004CFE	0x00000018	PsLookupThreadByThreadId
0x00004D1A	0x00000018	KeServiceDescriptorTable
0x00004D36	0x00000012	ObfReferenceObject
0x00004D4C	0x00000015	ObMakeTemporaryObject
0x00004D64	0x0000001B	PsSetLoadImageNotifyRoutine
0x00004D83	0x0000000E	xQueueWorkItem
0x00004D92	0x0000000C	ntoskrnl.exe
0x00004DA2	0x0000000B	ZwDeleteKey
0x00004DB0	0x00000019	ZwQueryInformationProcess
0x00004DCC	0x00000018	ZwQuerySystemInformation
0x00004DE8	0x0000001C	RtlImageDirectoryEntryToData
0x00004E08	0x0000000F	KeInitializeApc
0x00004E1A	0x00000010	KeInsertQueueApc
0x00004E2E	0x0000000F	ZwCreateSection
0x00004E40	0x00000012	ZwMapViewOfSection
0x00004E56	0x00000014	ZwUnmapViewOfSection
0x00004E6F	0x0000000A	fLowerIrql
0x00004E7D	0x00000014	eRaiseIrqlToDpcLevel
0x00004E92	0x00000007	HAL.dll
0x00004E9C	0x00000006	memcpy
0x00004EA6	0x00000006	memset
0x000091B8	0x00000028	\systemroot\PRAGMAtisvbvxtng\PRAGMAd.sys
0x000092C0	0x00000010	PRAGMAtisvbvxtng
0x000093C8	0x0000000B	PRAGMAd.sys
0x000094D0	0x00000050	\systemroot\PRAGMAtisvbvxtng\PRAGMAd.sys
0x000096D8	0x00000020	PRAGMAtisvbvxtng
0x000098E0	0x00000016	PRAGMAd.sys
0x00009CF8	0x00000090	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PRAGMAtisvbvxtng\modules
0x00009F00	0x00000080	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PRAGMAtisvbvxtng
0x0000A108	0x00000028	\systemroot\PRAGMAtisvbvxtng\PRAGMAc.dll
0x0000A210	0x00000050	\systemroot\PRAGMAtisvbvxtng\PRAGMAc.dll
0x0000B1D0	0x00000005	.text
0x0000B1F7	0x00000009	`.datatxt
0x0000B21F	0x00000007	@.rdata
0x0000B247	0x00000007	@.ldata
0x0000B26F	0x00000007	@.rdsec
0x0000B298	0x00000005	.rsrc
0x0000B2BF	0x00000007	@.sdata
0x0000B2E7	0x00000007	@.mdata
0x0000B30F	0x00000007	@.kdata
0x0000B337	0x00000007	@.edata
0x0000FB0D	0x00000006	9^_t\`
0x000124A0	0x0000000C	kernel32.dll
0x000124AF	0x0000000F	GetCommandLineA
0x000124C1	0x0000000C	GetTempPathA
0x000124D0	0x0000000B	CloseHandle
0x000124DE	0x0000000F	GetStartupInfoA
0x000124F0	0x0000000E	VirtualProtect
0x00012501	0x00000009	FatalExit
0x0001250E	0x0000000A	user32.dll
0x0001251B	0x00000012	IsDlgButtonChecked
0x00012530	0x0000000C	GetUpdateRgn
0x00012832	0x0000000A	cseteo.exe
0x0001283D	0x00000007	Caokyjf
0x00015E60	0x00000005	.text
0x00015E87	0x00000007	`.rdata
0x00015EAF	0x00000006	@.data
0x00015ED8	0x00000005	.test
0x00015F00	0x00000006	.reloc
0x0001F3C9	0x00000005	}GijY

So in conclusion: FakeAVs often download other nastiness along with themselves. Only use reputable applications, and only download them from their creators' own websites.
