WORM_KILLAV.AB

Puede haberlo descargado otro malware/grayware/spyware desde sitios remotos. Puede haberlo descargado inadvertidamente un usuario mientras visitaba sitios Web maliciosos.

Modifica las entradas de registro para ocultar los archivos con atributos de sistema o de solo lectura. Crea determinadas entradas de registro para deshabilitar aplicaciones relativas a la seguridad.

Este malware infiltra copias de sí mismo en las unidades extraíbles. Estas copias infiltradas utilizan los nombres de las carpetas ubicadas en las mencionadas unidades para sus nombres de archivo.

Modifica los archivos HOSTS del sistema afectado. Esto impide el acceso de los usuarios a determinados sitios Web.

Detalles de entrada

Puede haberlo descargado otro malware/grayware/spyware desde sitios remotos.

Puede haberlo descargado inadvertidamente un usuario mientras visitaba sitios Web maliciosos.

Instalación

Este malware infiltra el/los siguiente(s) archivo(s):

• %Program Files%\Common Files\BOSC.dll - detected as SPYW_SPYMYPC

(Nota: %Program Files% es la carpeta Archivos de programa predeterminada, que suele estar en C:\Archivos de programa).

Este malware infiltra los siguientes archivos no maliciosos:

• %All Users%\Desktop\Intennet Exploner.lnk
• %All Users%\Desktop\¸Ä±äÄãµÄÒ»Éú.url
• %All Users%\Desktop\ÌÔ±¦¹ºÎïA.url
• %All Users%\Desktop\Ãâ·ÑµçÓ°C.url
• %User Profile%\Favorites\&çÍ·×ÍøÖ·µ¼º½&.url

(Nota: %User Profile% es la carpeta de perfil del usuario activo, que en el caso de Windows 98 y ME suele estar en C:\Windows\Profiles\{nombre de usuario}, en el caso de Windows NT en C:\WINNT\Profiles\{nombre de usuario} y en el caso de Windows 2000, XP y Server 2003 en C:\Documents and Settings\{nombre de usuario}).

Crea las siguientes copias de sí mismo en el sistema afectado:

• %System Root%\VSPS\VSPS.exe
• %Startup%\juahwcsweo.exe
• %System%\qdlajbhqqq\explorer.exe
• %System%\mohquqcbsv\smss.exe

(Nota: %System Root% es la carpeta raíz, normalmente C:\. También es la ubicación del sistema operativo).

Crea las carpetas siguientes:

• %System%\qdlajbhqqq
• %System Root%\VSPS
• %System%\mohquqcbsv

(Nota: %System% es la carpeta del sistema de Windows, que en el caso de Windows 98 y ME suele estar en C:\Windows\System, en el caso de Windows NT y 2000 en C:\WINNT\System32 y en el caso de Windows XP y Server 2003 en C:\Windows\System32).

Otras modificaciones del sistema

Agrega las siguientes entradas de registro como parte de la rutina de instalación:

HKEY_CLASSES_ROOT\exefile
NeverShowExt = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
HideDesktopIcons\NewStartPanel
{871C5380-42A0-1069-A2EA-08002B30309D} = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Associations
ModRiskFileTypes = ".exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\StorageDevicePolicies
WriteProtect = 0

Agrega las siguientes claves de registro como parte de la rutina de instalación:

HKEY_CLASSES_ROOT\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Desktop\NameSpace\{F986CC17-37C0-4585-B7D9-15F2161F0584}

Modifica las siguientes entradas de registro para ocultar los archivos con atributos de sistema o de solo lectura:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = 0

(Note: The default value data of the said registry entry is 1.)

Crea las siguientes entradas de registro para deshabilitar aplicaciones relativas a la seguridad:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KvDetect.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KvfwMcl.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVMonXP.kxp
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVMonXP_1.kxp
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kvol.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kvolself.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KvReport.kxp
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVScan.kxp
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVSrvXP.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVStub.kxp
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kvupload.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kvwsc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KvXP.kxp
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KvXP_1.kxp
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KWatch.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KWatch9x.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KWatchX.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KWSMain.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kwstray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KWSUpd.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
loaddll.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
logogo.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MagicSet.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mcconsol.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mmqczj.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mmsk.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Navapsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Navapw32.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
NAVSetup.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
niu.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
nod32.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
nod32krn.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
nod32kui.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
NPFMntor.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
pagefile.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
pagefile.pif
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
pfserver.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
PFW.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
PFWLiveUpdate.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
qheart.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QHSET.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQDoctor.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQDoctorMain.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQDoctorRtp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQKav.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCMgr.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCRTP.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCSmashFile.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCTray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQSC.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
qsetup.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Ras.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Rav.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ravcopy.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMon.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMonD.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavStub.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavTask.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RegClean.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
rfwcfg.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
rfwmain.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
rfwProxy.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
rfwsrv.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RsAgent.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Rsaupd.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
rsnetsvr.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RsTray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
rstrui.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
runiep.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
safeboxTray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
safelive.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
scan32.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ScanFrm.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ScanU3.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SDGames.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SelfUpdate.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
servet.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
shcfg32.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SmartUp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
sos.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SREng.EXE
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SREngPS.EXE
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
stormii.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
sxgame.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
symlcsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SysSafe.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
tmp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
TNT.Exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
TrojanDetector.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Trojanwall.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
TrojDie.kxp
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
TxoMoU.Exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
UFO.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
UIHost.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
UmxAgent.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rpt.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360Safe.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360safebox.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360sd.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360sdrun.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360tray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
799d.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
adam.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AgentSvr.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AntiU.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AoYun.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
appdllman.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AppSvc32.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ArSwp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ArSwp2.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ArSwp3.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AST.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
atpup.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
auto.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AutoRun.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
autoruns.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
av.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AvastU3.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avconsol.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgrssvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AvMonitor.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avp.com
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AvU3Launcher.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
CCenter.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ccSvcHst.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
cross.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Discovery.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
DSMain.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
EGHOST.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
FileDsty.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
filmst.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
FTCleanerShell.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
FYFireWall.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ghost.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
guangd.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
HijackThis.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
IceSword.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
iparmo.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Iparmor.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
irsetup.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
isPwdSvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
jisu.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kabaload.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KaScrScn.SCR
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KASMain.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KASTask.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KAV32.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KAVDX.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KAVPF.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KAVPFW.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KAVSetup.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kavstart.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kernelwind32.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KISLnchr.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kissvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KMailMon.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KMFilter.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
knsd.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
knsdave.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
knsdtray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KPFW32.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KPFW32X.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KPfwSvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KRegEx.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KRepair.com
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KsLoader.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KSWebShield.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVCenter.kxp
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
UmxAttachment.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
UmxCfg.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
UmxFwHlp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
UmxPol.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
upiea.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
UpLive.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
USBCleaner.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
vsstat.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
wbapp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
webscanx.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
WoptiClean.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Wsyscheck.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
XDelBox.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
XP.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
zhudongfangyu.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
zjb.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
zxsweep.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
~.exe
Debugger = "ntsd -d"

Elimina las siguientes claves de registro:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal\
{4D36E967-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Network\
{4D36E967-E325-11CE-BFC1-08002BE10318}

Propagación

Este malware infiltra copias de sí mismo en las unidades extraíbles. Estas copias infiltradas utilizan los nombres de las carpetas ubicadas en las mencionadas unidades para sus nombres de archivo.

Modificar el archivo HOSTS

Modifica los archivos HOSTS del sistema afectado para que los usuarios no puedan acceder a los sitios Web siguientes:

• iq123.com
• yijidh.com
• 250dh.cn
• 223.la
• kuku123.com
• 930930.com
• 9123.com
• hao123e.com
• 020.com
• youxi777.com
• 1616.net
• 1188.com
• urldh.com
• daohang.la
• pp55.com
• 9605.com
• 05505.cn
• 7055.net
• 0056.com
• 6655.com
• 1166.com
• 5kip.com
• 114xia.com
• 265dh.com
• 3567.com
• 6565.cn
• 666t.com
• 9223.com
• dduu.com
• hao123.cn
• 5snow.com
• 2523.com
• 5599.net
• tt98.com
• zhaodao123.com
• kuhao123.com
• 5151la.net
• 6h.com.cn
• zeibi.com
• 6e8e.com
• th123.com
• 9991.com
• hao123ol.com
• wu123.com
• t220.cn
• ttver.net
• 188HI.com
• go2000.com
• 5igb.com
• bb2000.net
• 9wa.com
• qq5.com
• 365j.com
• 7345.com
• 2760.com
• 361la.com
• haojs.com
• 5zd.com
• i8866.com
• 100wz.com
• 114hi.com
• 234.la
• 657.com
• 339.la
• 365wz.net
• 7792.com
• 9495.com
• dazuimao.com
• 71314.com
• 265.com
• gouwo.com
• huai456.com
• ku256.com
• my180.com
• 2522.cn
• 405.cn
• 44244.com
• 111dh.com
• 115ku.com
• 13387.com
• 163yes.com
• 256s.com
• 2676.com
• 3355.net
• 365lo.com
• 4168.com
• 4545.cn
• 4688.com
• 566.net
• 5666.net
• 5733.com
• 6461.cn
• 7356.com
• 800186.com
• 85851.com
• asp51.com
• 361dh.com
• 5566.net
• yulinweb.com
• 6296.com.cn
• mianfeia.com
• ai1234.com
• k369.com
• msncn.com
• ss256.com
• min513.com
• 88-888.com
• lggg.cn
• 7771.cn
• leeboo.com
• jjol.cn
• 5566.com
• 9166.net
• hao253.com
• 7b.com.cn
• haoei.com
• 77114.com
• 21310.cn
• weiduomei.net
• kk3000.cn
• 7241.cn
• 44384.com
• daohang1234.com
• 131.cc
• 223224.com
• 537.com
• 9348.cn
• bju123.cn
• i4455.com
• jia123.com
• 0666.com.cn
• 553.la
• 5566.org
• 37021.com
• 88488.com
• 99986.net
• 37021.net
• k986.com
• cc62.com
• 5518.cn
• 55620.com
• 52416.com
• 7357.cn
• 8c8c.net
• 9999q.com
• 123shi123.com
• yl234.cn
• 3322.com
• hao222.com
• 6313.com
• f127.com
• 5599cn.cn
• 99499.com
• 2548.cn
• 133.net
• ie30.com
• 8751.com
• se:home
• haidaowan.net
• 160dh.com
• 114115.com
• 1322.cn
• hh361.com
• 2800.cc
• 52daohang.com
• 186.me
• diyidh.com
• zaodezhu.com
• 7832.com
• 3073.com
• 2058.cc
• 3456.cc
• 7771.com
• q6789.com
• 7k.cc
• dianzi88.com
• 7802.com
• xinbut.com
• 59688.com
• gjj.cc
• youla.com
• ok1616.com
• i2345.cn
• gg8000.com
• daohang12345.cn
• inina.cn
• dowei.com
• 1515.net
• 41119.cn
• 21230.cn
• 97youku.com
• fast35.net
• m32.cn
• tom155.cn
• 668yo.com
• online.cq.cn
• shagua.cn
• 007247.cn
• 603467.cn
• 197326.cn
• wwwoj.cn
• xp22.cn
• 84022.cn
• 520593.cn
• 448789.cn
• 141321.cn
• 36gggg.cn
• 427842.cn
• niubihao123.cn
• ovooo.cn
• rtys520.net
• rtxzw.com
• uurenti.cc
• bo.dy288.com
• renti11.com
• 123.cd
• 336655.com
• 9978.net
• 520.com
• 6l.cn
• 420.cn
• v989.com
• 16551.com
• 2tvv.com
• m4455.com
• mylovewebs.com
• 5987.net
• 7999.com
• caipopo.com
• wndhw.com
• henku123.com
• qu123.com
• 94176.com
• u526.com
• haokan123.com
• uusee.net
• 9733.com
• 173com
• qnrwz.com
• 999w.com
• h935.com
• 33250.com
• tz911.net
• 639e.com
• 920xx.cn
• 13393.com
• tncdh.com
• sou185.com
• 3566.cc
• 580so.com
• 2001.cc
• hnhao123.com
• zz5.net.cn
• abc123.name
• ekan123.com
• 1266.cc
• hao123.cc
• 126.cc
• ie1788.com
• 58daohang.com
• 6dh.com
• 991.cn
• 114la.me
• 1133.cc
• ads8.com
• haoz.com
• jsing.net
• 123.sogou.com
• 3321.com
• 1155.cc
• hao123.com
• hao123.net
• 6700.cn
• 168.com
• uu881.com
• 6264.cn
• 606600.com
• 2345.com
• 5607.cn
• 1111116.com
• v7799.com
• ie7.com.cn
• 365t.cc
• 89679.com
• se:blank
• 35029.com
• 8d9a.cn
• 400zm.com
• 58816.com
• 727dh.cn
• hao123w.com
• 114td.com
• 28101.cn
• 03336.cn
• 79001.cn
• 133132.com
• 3434.com.cn
• 828dh.cn
• 64500.cn
• 22q.cc
• jj77.com
• vvyy.net
• ie567.com
• 5d5e.com
• 212dh.cn
• 911g.cn
• 1616.la
• tomatolei.com
• 96nn.com
• 5543.com
• 2288.org
• 3322.org
• 9966.org
• 8800.org
• 8866.org
• 7766.org
• 22409.com
• se-se.info
• 26043.com
• 34414.com
• gaoav1.info
• 0558114.com
• 3333dh.cn
• zjialin.com
• 22dao.com
• soupay.com
• langlangdoor.com
• 99cu.com
• 5555dh.cn
• wang123.net
• hxdlink
• haaoo123.com
• 3645.com
• hao123q.com
• tvsooo.com
• gaituba.com
• 45566.net
• 2298.cn
• iexx.com
• dh115.com
• 97sp.cn
• 39r.cn
• f8f8.cn
• 391kk.cn
• 266.cc
• jysoso.net
• wg510.cn
• 114d.org
• ie3721.com
• 2142.cn
• go2000.cc
• go2000.cn
• 99521.com
• yeooo.com
• haha123.com
• hao.360.cn
• 07707.cn
• yy2000.net
• 1111118.com
• 26281.com
• 960dh.cn
• 300.cc
• 163333333.com.cn
• kz300.cn
• i3525.cn
• 67881.net
• t2t2.net
• mm4000.cn
• 669dh.cn
• k58n.com
• haoha123.com
• ab99.com
• i2255.com
• 054.cc
• fffggqq.cn
• k2345.net
• vv33.com
• tuku6.com
• mmpp654.com
• 228dh.cn
• seibb.com
• 14164.com
• 552dh.cn
• hao969.com
• lalamao.com
• 21225.cn
• 5k5.net
• 65630.cn
• at46.cn
• 98928.cn
• ads.eorezo.com
• 661dh.cn
• 6320.com
• henbianjie.com
• xiushe.com
• 5mqxmq.com
• 989228.com
• i8844.cn
• g1476.cn
• 4j4j.cn
• 1777zzw5.com
• 989228.cn
• henbucuo.com
• 886dh.cn
• 2255.net
• 160yes.com
• u8s.cn
• 16711.com
• 626dh.cn
• rfwow.cn
• baiyici.cn
• lalamao.cn
• 136s.com
• huhuyy.cn
• 8diq.com
• d2fs.cn
• 0229.com
• yy4000.com
• 9934.cn
• 3883.net
• 151dh.com
• 26dh.cn
• kkwwxx.com
• t67.net
• 29dao.cn
• 58ju.com
• dnc8.net
• yl177.com.cn
• xj.cn
• 950990.cn
• 114.com.cn
• xxxip.cn
• 3628.com
• 265.cc
• 26.la
• 5654.com
• zg115.com
• 969dh.cn
• 111555.com.cn
• pic.jinti.com
• kk8000.com
• wokaokao.cn
• duoxxppmmkoo.com
• kanlink.cn
• 91youa.com
• shinia.cn
• pp9pp9.cn
• ma80.com
• 556dh.cn
• bu4.cn
• 8555.com
• e23.la
• flash678.cn
• yy4000.cn
• wo333.com
• mv700.com
• xcwhgx.cn
• 3s11.cn
• sp16888.com
• k7k7.com
• zzw5.com
• okdianying.com
• 789bb.com
• antuoo.com
• so06.com
• 665532.cn
• 7f7f.com
• k261.com
• fanbaidu.org.cn
• iu888.cn
• 977k.com
• 93w.com
• 68566.com.cn
• zhidao163.cn
• it958.cn
• lx8000.cn
• sc.cn
• ucuc.cc
• kkdowns.com
• 189189.com
• 0002.com
• 4737.cn
• 226dh.cn
• bb115.cn
• 06000.cn
• u87.cn
• sohao123.com
• k887.com
• hao602.com
• t7t7.net
• ku4000.cn
• v6677.cn
• hong666.com
• 4000a.com
• kk4000.cn
• 7767.com
• 11227.cn
• u9u9.net
• 28113.cn
• rr55.com
• a4000.cn
• yunfujkw.cn
• 886.com
• 2800.cer.cn
• zyyu.com
• 49la.com
• hi3000.cn
• sogouliulanqi.com
• 888ge.com
• 00333.cn
• 29wz.com
• soso126.com
• 180wan.com
• kan888.com
• 4929.cn
• v2233.com
• m345.cn
• tt265.net
• 18ttt.com
• 153.cc
• 00664.cn
• gugogo.com
• kk4000.com
• 185b.com
• uuent.com
• 6666dh.cn
• 25dao.com
• shangla.com
• 77177.cn
• about:blank
• haoq123.com
• baiduo.org
• lejiu.net
• dianxin.cn
• u7758.com
• dao234.com
• 85692.com
• xiaosb.com
• soso313.cn
• 939dh.com
• 85952.com
• 31346.com
• 71528.com
• 788dh.com
• 91695.com
• 5566x.com
• 131u.com
• 1149.cn
• 9281.net
• my115.net
• 4119.cn
• 9m1.net
• dh818.com
• iehwz.com
• wa200.com
• hao234.cc
• 6781.com
• 652dh.com
• 16811.com
• zhongshu.net
• 992k.com
• 71628.com
• 6701.com
• diyou.net
• iehao123.com
• laidao123.com
• yinfen.net
• wz4321.com
• shangqu.info
• 5121.net
• 668g.com
• 51150.com
• 53ff.com
• dada123.com
• you2000.com
• 884599.cn
• kuaijiong.com
• 398.cn
• 32387.com
• 82vv.com
• 09tao.com
• 977dh.com
• 598.net
• 211dh.com
• 9365.info
• wblive.com
• e722.com
• v232.com
• 7400.net
• 62106.com
• ll4xi.com
• 3932.com
• puZeng.com
• 97199.com
• 447.cc
• 0749.com
• 6656.net
• niebai.com
• 447.com
• uuchina.net
• hao123cn.info
• dao666.com
• 9813.org
• 91kk.com
• freedh.info
• yidaba.com
• 161111111.com
• 009dh.com
• qsxx.cn
• geyuan.net
• 8t8.net
• xorg.pl
• bij.pl
• qqnz.com
• srpkw.com
• gggdu.com
• baiduo.com
• wys99.com
• leilei.cc
• 3633.net
• fjta.com
• so11.cn
• 522dh.com
• 9249.com
• 3110.cn
• 300cc.com
• 7669.cn
• 5c6.com
• 7993.cn
• 8336.cn
• 03m.net
• ou33.com
• bv0.net
• 163333333.cn
• 45575.com
• 2637.cn
• skyhouse.com.cn
• 98453.com
• 65642.net
• 776la.com
• 256.CC
• 114king.cn
• yyyqq.com
• huhu123.com
• gyyx.cn
• 2888.me
• 4444dh.cn
• 191pk.com
• 118.com
• 57xswz.com
• how18.cn
• sohu12333333.com
• xz26.com
• 654v.com
• 280580.cn
• fjgqw.com
• 49558.cn
• pp8000.cn
• 265it.com
• soolaa.com
• 9899.cn
• 18143.com
• haoxyz.com
• 4555.net
• 10du.net
• 528988.com
• wahahaha123.com
• c256.cn
• chinaih.com
• mnv.cn
• 633dh.com
• ncjxx.com
• 51721.net
• 556w.com
• 114cc.net
• 5go.com.cn
• pp4000.com
• 8844.com
• dd335.cn
• qu163.net
• itwenba.cn
• dou2game.cn
• h220.com
• neng123.com
• pleoc.cn
• 6006.cc
• 987654.com
• 39903.com
• ddoowwnn.cn
• 788111.com
• zhidao001.com
• 5hao123.com
• 978.la
• 135968.cn
• bb112.com
• r220.cn
• 365kong.com
• woainame.cn
• okgouwu.cn
• hao006.com
• jipinla.com
• 99467.com
• wawamm.cn
• qian14.cn
• ip27.cn
• 56dh.cn
• 2966.com
• game333.net
• kukuwz.com
• 1-xiu.cn
• 92hao123.com
• lian9.cn
• 222q.cn
• jj98.com
• 73vv.com
• mubanw.com
• t262.com
• x1258.cn
• weishi66.cn
• hao990.com
• 68la.com
• sowang123.cn
• 3929.cn
• 5665.cn
• 81sf.com
• kz123.cn
• qq806.cn
• ffwyt.com