
Bug

This document is the debug log of a ComboFix run (sUBs' anti-malware cleanup tool), not the output of a malware program. The environment dump inside the log shows the tool was started as ComboFix.exe from a FalconFour's Ultimate Boot CD copy (sfxname), uses C:\32788R22FWJFW as its working folder (CFLDR) and C:\Qoobox\Quarantine as its quarantine folder (Qrntn), and was run in Safe Mode (SAFEBOOT_OPTION=MINIMAL) on a host named FBI-SCANBOT-H4X. What the log records is ComboFix's own preparation stage: killing a fixed list of process names it treats as hostile (ANDRE.EXE, TOLO.exe, Merlin.scr, jalang.exe, jalangkung.exe, jantungan.exe, DOSEN.exe, C3W3K4MPUS.exe) plus runonce.exe, grpconv.exe and procmon.exe; renaming its bundled helpers (PV, PEV, GREP, SED, nircmd) to a .cfexe extension and adding .CFEXE to PATHEXT; prepending its folder to PATH; copying cmd.exe to C:\Windows\system32\CF23159.exe and pointing COMSPEC at it; verifying its own components against an MD5 list (md5sum.pif, files.pif); resetting the Winlogon Userinit value if it no longer points at the stock userinit.exe; enumerating active real-time antivirus and antispyware products through WMI and prompting the user to disable them; and finally moving its working folder to C:\ComboFix. The repeated "The system cannot find message text for message number 0x..." lines are the renamed copy of cmd.exe (cmd.execf, later CF23159.exe) failing to find its localized message resources, which is consistent with the script later copying cmd.exe.mui to CF23159.exe.mui.

Uploaded by

Jeramie Jones
Copyright
© Attribution Non-Commercial (BY-NC)

32788R22FWJFW\swreg.exe import 32788R22FWJFW\EXE.reg
32788R22FWJFW\PEV.exe UZIP 32788R22FWJFW\License\pv_5_2_2.zip 32788R22FWJFW\
32788R22FWJFW\PV.exe -kf *.pif nircmd.* ANDRE.EXE TOLO.exe Merlin.scr jalang.exe jalangkung.exe jantungan.exe DOSEN.exe C3W3K4MPUS.exe
Killing '*.pif'
Killing 'nircmd.*'
"C:\32788R22FWJFW\nircmd.cfexe" cmdwait 1700 exec hide "~$folder.system$\cmd.execf" /c 32788R22FWJFW\prep.cmd (680)
Killing 'ANDRE.EXE'
Killing 'TOLO.exe'
Killing 'Merlin.scr'
Killing 'jalang.exe'
Killing 'jalangkung.exe'
Killing 'jantungan.exe'
Killing 'DOSEN.exe'
Killing 'C3W3K4MPUS.exe'
MOVE /Y 32788R22FWJFW\PV.exe 32788R22FWJFW\PV.cfexe
The system cannot find message text for message number 0x236e in the message file for Application.
32788R22FWJFW\PV.cfexe -kf *.pif nircmd.* ANDRE.EXE TOLO.exe Merlin.scr jalang.exe jalangkung.exe jantungan.exe DOSEN.exe C3W3K4MPUS.exe
Killing '*.pif'
Killing 'nircmd.*'
Killing 'ANDRE.EXE'
Killing 'TOLO.exe'
Killing 'Merlin.scr'
Killing 'jalang.exe'
Killing 'jalangkung.exe'
Killing 'jantungan.exe'
Killing 'DOSEN.exe'
Killing 'C3W3K4MPUS.exe'
pv: No matching processes found
PUSHD "C:\32788R22FWJFW"
IF NOT EXIST pev.cfexe COPY /Y pev.exe pev.cfexe
The system cannot find message text for message number 0x2336 in the message file for Application.
IF NOT EXIST NircmdB.exe COPY /Y Nircmd.cfexe NircmdB.exe
The system cannot find message text for message number 0x2336 in the message file for Application.
SET "Comspec=C:\Windows\system32\cmd.execf"
IF NOT EXIST C:\Windows\system32\cmd.exe GOTO Not_NT
IF EXIST OsVer EXIT
VER 1>OsVer
GREP.cfexe -F "5.2." OsVer
IF 1 == 0 GOTO Not_NT
GREP.cfexe -F "5.1.2" OsVer 1>XP.mac
IF 1 == 0 GOTO NT
DEL XP.mac
GREP.cfexe -F "6.0.6" OsVer 1>Vista.mac
IF 1 == 0 GOTO NT
DEL Vista.mac
GREP.cfexe -F "5.00.2" OsVer 1>W2K.mac
IF 1 == 0 GOTO NT
DEL W2K.mac
GREP.cfexe -sq "currentversion.* 6.0" OsVer00 && GOTO NT
GREP.cfexe -isq "ProductType.*WinNT" WinNT00 || GOTO Not_NT
The system cannot find message text for message number 0x236e in the message file for Application.
SED.CFEXE "/^PATH=/I!d; s///; s/\x22//g" Oripath 1>OriPath00
PEV.EXE -rtf -s+901 .\OriPath00 && (
SED.CFEXE -r "s/\x22//g; s/(.{900}).*/\1/; s/;[^;]*$//" OriPath00 1>OriPath01
FOR /F "TOKENS=*" %G IN (OriPath01) DO @SET "PATH=C:\32788R22FWJFW;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;%G"
)
IF NOT EXIST OriPath01 FOR /F "TOKENS=*" %G IN (OriPath00) DO SET "PATH=C:\32788R22FWJFW;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;%G"
SET "PATH=C:\32788R22FWJFW;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Windows\system32;C:\Windows;C:\Windows\system32\Wbem;c:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;C:\Program Files (x86)\QuickTime\QTSystem\;C:\Program Files (x86)\Common Files\DivX Shared\;C:\Windows\System32\WindowsPowerShell\v1.0\"
Killing 'runonce.exe'
Killing 'grpconv.exe'
Killing 'procmon.exe'
Killing 'ANDRE.EXE'
Killing 'TOLO.exe'
Killing 'Merlin.scr'
Killing 'jalang.exe'
Killing 'jalangkung.exe'
Killing 'jantungan.exe'
Killing 'DOSEN.exe'
Killing 'C3W3K4MPUS.exe'
pv: No matching processes found
PEV -rtf --c:##5# .\* and { License.exe or 32788R22FWJFW.exe or OsVer.exe or WinNT.exe or N_.exe } 1>temp00 && (
PV -o%f * 1>temp01
PEV -tf -t!o --files:temp01 --c:##5#b#f# 1>temp02
GREP -Fif temp00 temp02 1>temp03
SED "/.* /!d; s///" temp03 1>temp04
SED ":a; $!N; s/\n/\x22 \x22/; ta; s/.*/\x22&\x22/" temp04 1>temp05
FOR /F "TOKENS=*" %G IN (temp05) DO @NIRCMD KILLPROCESS %G
)
CALL :MDCheck
The system cannot find message text for message number 0x40002712 in the message file for Application.
PEV -rtf -md55B01B2EF0CAB2B124AB1B19AA62FCC6B .\md5sum.pif || CALL :MDFaiL ChkSum_Fail
.\md5sum.pif
PEV -tf --files:files.pif --c:##5#b#f# 1>mdCheck00.dat
GREP -vs "^!MD5:" mdCheck00.dat 1>mdCheck0a.dat
GREP -Fvf md5sum.pif mdCheck0a.dat 1>mdCheck01.dat && CALL :MDFaiL
GOTO :EOF
=============================================
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\FBI-SCANBOT\AppData\Roaming
CFLDR=32788R22FWJFW
Chksum=5B01B2EF0CAB2B124AB1B19AA62FCC6B
CLASSPATH=.;C:\Program Files (x86)\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files (x86)\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=FBI-SCANBOT-H4X
ComSpec=C:\Windows\system32\cmd.execf
configsetroot=C:\Windows\ConfigSetRoot
DFSTRACINGON=FALSE
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\FBI-SCANBOT
KMD=CF23159.exe
LOCALAPPDATA=C:\Users\FBI-SCANBOT\AppData\Local
LOGONSERVER=\\FBI-SCANBOT-H4X
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\32788R22FWJFW;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Windows\system32;C:\Windows;C:\Windows\system32\Wbem;c:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;C:\Program Files (x86)\QuickTime\QTSystem\;C:\Program Files (x86)\Common Files\DivX Shared\;C:\Windows\System32\WindowsPowerShell\v1.0\
PATHEXT=.CFEXE;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_ARCHITEW6432=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 23 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=1706
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files (x86)
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PROMPT=$
PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
PUBLIC=C:\Users\Public
Qrntn=C:\Qoobox\Quarantine
QTJAVA=C:\Program Files (x86)\QuickTime\QTSystem\QTJava.zip
RKEY_=hklm\software\microsoft\windows nt\currentversion\windows
SAFEBOOT_OPTION=MINIMAL
SESSIONNAME=Console
sfxcmd="D:\FalconFour's Ultimate Boot CD v2.0\f4ubcd2\HBCD\WinTools\ComboFix.exe"
sfxname=D:\FalconFour's Ultimate Boot CD v2.0\f4ubcd2\HBCD\WinTools\ComboFix.exe
SYSTEM=C:\Windows\system32
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\FBI-SC~1\AppData\Local\Temp
TMP=C:\Users\FBI-SC~1\AppData\Local\Temp
TRACE_FORMAT_SEARCH_PATH=\\NTREL202.ntdev.corp.microsoft.com\34FB5F65-FFEB-4B61-BF0E-A6A76C450FAA\TraceFormat
USERDOMAIN=FBI-SCANBOT-H4X
USERNAME=FBI-SCANBOT
USERPROFILE=C:\Users\FBI-SCANBOT
windir=C:\Windows
=============================================

IF NOT DEFINED sfxname GOTO END


GREP -F \ temp01 && CALL :Aux
ATTRIB.EXE +R "D:\FalconFour's Ultimate Boot CD v2.0\f4ubcd2\HBCD\WinTools\ComboFix.exe"
GREP -Fi "C:\Windows\system32\userinit.exe" Userinit00 || (SWREG ADD "hklm\software\microsoft\windows nt\currentversion\winlogon" /v Userinit /d "C:\Windows\system32\userinit.exe," )
CALL LANG.bat
Active code page: 1252
SET SfxCmd 1>SET00
SED -r "/SfxCmd=/I!d; s///; s/^(\x22[^\x22]*\x22|[^\x22]\S*) +//; s/^\x22*D:\\FalconFour's Ultimate Boot CD v2.0\\f4ubcd2\\HBCD\\WinTools\\ComboFix.exe\x22*//I; s/^([^\x22]\S*)/@SET SfxCmd=\x22\1\x22/; s/^(\x22.*)/@SET SfxCmd=\1/" SET00 1>sfx.cmd
DEL /A/F SET00
CALL sfx.cmd
CALL AV.cmd
SET /a AVCount+=1
CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs
IF NOT EXIST AvBlack00 GREP -Fisf AVBlack resident.txt 1>AvBlack00 && (
SED -r "s/\x22//g; s/.*\) //; s/.*(\{.{8}-.{4}-.{4}-.{4}-.{12}\}).*/\1/" AvBlack00 1>AvBlack01
FOR /F "TOKENS=*" %G IN (AvBlack01) DO @CSCRIPT.EXE //NOLOGO //E:VBSCRIPT //T:5
wmi_rem.vbs "%~G"
CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs
)
GREP -Fivf AVWhite resident.txt | GREP -E "^(AV|SP): .*enabled\* \(" 1>AVChk && (
SED -r "s/^AV:/antivirus: /; s/^SP:/antispyware: /; s/ \*(On-access scanning |)enabled\*.*//" AVChk | SED ":a; $!N;s/\n/~n/;ta" 1>AVChkB
NIRCMD LOOP 2 80 BEEP 3000 200
IF 1 LEQ 1 FOR /F "TOKENS=*" %G IN (AVChkB) DO @NIRCMD INFOBOX "ComboFix has detected the following real time scanner(s) to be active:~n~n%G~n~nAntivirus and intrusion prevention programs are known to interfere~nwith ComboFix's running. This may lead to unpredictable results or~npossible machine damage.~n~nPlease disable these scanners before clicking 'OK'." "Warning !!" "" && GOTO Av-check
IF 1 GTR 1 FOR /F "TOKENS=*" %G IN (AVChkB) DO @NIRCMD INFOBOX "%G~n~nThe above real time scanner(s) are still active but ComboFix shall~ncontinue to run. Kindly note that this is at your own risk" "Warning !!" ""
)
DEL /A/F/Q AVChk? AvWhite AvBlack AvBlack0?
SET AVCount=
IF EXIST vista.mac CALL :Vista
IF NOT DEFINED RKEY_ GOTO :EOF
IF /I "" EQU "RKEYB" GOTO RKEYB
COPY /Y /B C:\Windows\system32\sc.exe C:\Windows\system32\swsc.exe
The system cannot find message text for message number 0x2336 in the message file for Application.
HANDLE csrss.exe.mui 1>MUI00
SED -r "/.*(.:\\.*)\\[^\\]*$/!d; s//\1/" MUI00 1>MUI01
SED -r -n "G; s/\n/&&/; /^([ -~]*\n).*\n\1/d; s/\n//; h; P" MUI01 1>MUI
FOR /F "TOKENS=*" %G IN (MUI) DO (
IF EXIST "%~G\sc.exe.mui" COPY /Y /B "%~G\sc.exe.mui" "%~G\swsc.exe.mui"
IF EXIST "%~G\cmd.exe.mui" (
SWXCACLS "%~G\cmd.exe.mui" /OA /Q
SWXCACLS "%~G\cmd.exe.mui" /P /GA:F /GS:F /GP:X /GU:X /Q
COPY /Y "%~G\cmd.exe.mui" "%~G\CF23159.exe.mui"
SWXCACLS "%~G\cmd.exe.mui" /g SID#S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:f /GA:X /GS:X /GP:X /GU:X /Q
SWXCACLS "%~G\cmd.exe.mui" /o SID#S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 /Q
)
)
DEL /A/F/Q MUI0?
GOTO :EOF
GREP -Fx "REGEDIT4" Fin.dat || (
ECHO.1>"C:\Users\FBI-SC~1\AppData\Local\Temp\tdsstdss"
PEV -rtf "C:\Users\FBI-SC~1\AppData\Local\Temp\tdsstdss" || (
ECHO.1>wtf_tdssserv
CALL c.bat
GOTO END
)
GOTO AbortD
)
REGEDIT4
IF /I "C:\32788R22FWJFW" NEQ "C:\32788R22FWJFW" GOTO Abort
IF EXIST "C:\Users\FBI-SC~1\AppData\Local\Temp\32788R22FWJFW32788R22FWJFW.log" DEL /A/F "C:\Users\FBI-SC~1\AppData\Local\Temp\32788R22FWJFW32788R22FWJFW.log"
COPY /Y /B "C:\Windows\system32\cmd.execf" "C:\Windows\system32\CF23159.exe"
The system cannot find message text for message number 0x2336 in the message file for Application.
SET "COMSPEC=C:\Windows\system32\CF23159.exe"
FOR /F "TOKENS=*" %G IN ("D:\FalconFour's Ultimate Boot CD v2.0\f4ubcd2\HBCD\WinTools\ComboFix.exe") DO (
SET "FileName=%~NG"
SET "FilePath=%~DPG"
)
(
SET "FileName=ComboFix"
SET "FilePath=D:\FalconFour's Ultimate Boot CD v2.0\f4ubcd2\HBCD\WinTools\"
)
SET FileName 1>FileName
GREP -ix "FileName=[-[:alnum:]@.]*" FileName || GOTO AbortB
FileName=ComboFix
DIR /AD/B C:\* 1>DirName00
GREP -ivx ComboFix DirName00 1>DirName01
GREP -Fisqx "ComboFix" DirName01 && CALL :NameChk
IF EXIST DirName0? DEL /A/F/Q DirName0?
IF EXIST Oldsfxname00 DEL /A/F Oldsfxname00
IF EXIST "\ComboFix" DIR /AD "\ComboFix" 1>N_\1748 && (
RD /S/Q "\ComboFix"
IF EXIST "\ComboFix" (
PV -kf *.cfexe
RD /S/Q "\ComboFix"
)
IF EXIST "\ComboFix" (
HANDLE "C:\ComboFix" 1>temp00
SED -R "/.* pid: (\d*) +(\S*):.*/I!d;s//@ECHO.y|Handle -c \2 -p \1/" temp00 1>temp00.bat
CALL temp00.bat
DEL /A/F temp00.bat temp00
RD /S/Q "\ComboFix"
)
)
IF EXIST "\ComboFix" RD /S/Q "\ComboFix"
IF EXIST "\ComboFix" GOTO :EOF
PEV UZIP "License\streamtools.zip" License && MOVE /Y License\SF.exe 1>N_\9248 2>&1
GREP -Fisq " /u" sfx.cmd && echo..1>ItsBeenPhun
CD ..
(
ECHO.MD "\ComboFix"
ECHO.ATTRIB -H -S "\32788R22FWJFW\*"
ECHO.MOVE /y "\32788R22FWJFW\*" "\ComboFix"
ECHO.RD /S/Q "\32788R22FWJFW"
IF EXIST "\32788R22FWJFW.0.tmp\" ECHO.RD /S/Q "\32788R22FWJFW.0.tmp"
IF EXIST "C:\32788R22FWJFW\ItsBeenPhun" ECHO.NIRCMD EXEC2 HIDE "C:\ComboFix" "C:\Windows\system32\CF23159.exe" /c c.bat
IF NOT EXIST "C:\32788R22FWJFW\ItsBeenPhun" ECHO.START "." /d"C:\ComboFix" "C:\Windows\system32\CF23159.exe" /k c.bat
ECHO.PV -kf cmd.exe cmd.execf
ECHO.DEL /A/F \Start_.cmd
) 1>Start_.cmd
SET "PATH=C:\ComboFix;C:\32788R22FWJFW;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Windows\system32;C:\Windows;C:\Windows\system32\Wbem;c:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;C:\Program Files (x86)\QuickTime\QTSystem\;C:\Program Files (x86)\Common Files\DivX Shared\;C:\Windows\System32\WindowsPowerShell\v1.0\"
HIDEC "C:\Windows\system32\CF23159.exe" /F:OFF /D /C Start_.cmd
The system cannot find message text for message number 0x236c in the message file for Application.
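A log in this shape is only trustworthy once the actions it records have been checked against what the tool is expected to do. As an added example (not part of the uploaded log and not ComboFix's own code), the Python below pulls out of such a log the items an analyst would verify first: which processes were killed, every SET of COMSPEC or PATH, SWREG registry writes, COPY commands whose destination is under system32, and the "cannot find message text" errors. The sample lines are a constructed excerpt of the log above with wrapped lines joined; the list of analysis tools whose termination is flagged is an assumption of mine, since only procmon.exe appears in the log.

```python
"""Triage helper for a ComboFix-style batch debug log.

Extracts process kills, SET of COMSPEC/PATH, SWREG registry writes,
COPY targets under system32 and 'cannot find message text' errors,
and turns the ones worth a second look into human-readable findings.
"""
import re

# Constructed excerpt in the shape of the log above (wrapped lines joined;
# not the complete log).
SAMPLE_LOG = r"""32788R22FWJFW\PV.exe -kf *.pif nircmd.* ANDRE.EXE TOLO.exe Merlin.scr jalang.exe jalangkung.exe jantungan.exe DOSEN.exe C3W3K4MPUS.exe
Killing '*.pif'
Killing 'nircmd.*'
Killing 'ANDRE.EXE'
Killing 'jalangkung.exe'
pv: No matching processes found
SET "Comspec=C:\Windows\system32\cmd.execf"
SET "PATH=C:\32788R22FWJFW;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem"
Killing 'procmon.exe'
GREP -Fi "C:\Windows\system32\userinit.exe" Userinit00 || (SWREG ADD "hklm\software\microsoft\windows nt\currentversion\winlogon" /v Userinit /d "C:\Windows\system32\userinit.exe," )
COPY /Y /B C:\Windows\system32\sc.exe C:\Windows\system32\swsc.exe
The system cannot find message text for message number 0x2336 in the message file for Application.
COPY /Y /B "C:\Windows\system32\cmd.execf" "C:\Windows\system32\CF23159.exe"
SET "COMSPEC=C:\Windows\system32\CF23159.exe"
"""

KILL_RE = re.compile(r"^Killing '([^']+)'$")
SET_RE = re.compile(r'^SET\s+"?([A-Za-z_][A-Za-z0-9_]*)=(.*?)"?\s*$')
REG_RE = re.compile(r'SWREG ADD "([^"]+)" /v (\S+) /d "([^"]*)"', re.I)
COPY_RE = re.compile(r'^COPY\s+(?:/\w\s+)*("[^"]+"|\S+)\s+("[^"]+"|\S+)', re.I)
MSG_RE = re.compile(r"^The system cannot find message text for message number (0x[0-9A-Fa-f]+)")

# Assumed list of monitoring tools whose termination deserves a flag;
# only procmon.exe is taken from the log, the rest are my additions.
ANALYSIS_TOOLS = {"procmon.exe", "procexp.exe", "autoruns.exe",
                  "wireshark.exe", "regmon.exe", "filemon.exe"}
STOCK_COMSPEC = "c:\\windows\\system32\\cmd.exe"


def triage(log_text):
    """Return the extracted actions plus a list of findings to review."""
    killed, env, reg_writes, copies, msg_errors, findings = [], {}, [], [], [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := KILL_RE.match(line):
            name = m.group(1)
            killed.append(name)
            if name.lower() in ANALYSIS_TOOLS:
                findings.append(f"kills analysis tool {name}")
        elif m := SET_RE.match(line):
            var, val = m.group(1).upper(), m.group(2)
            env.setdefault(var, []).append(val)
            # A shell copy under another name is how this log runs; outside
            # a known tool it would be a red flag.
            if var == "COMSPEC" and val.lower() != STOCK_COMSPEC:
                findings.append(f"COMSPEC redirected to {val}")
        elif m := REG_RE.search(line):
            key, value, data = m.groups()
            reg_writes.append((key, value, data))
            if "winlogon" in key.lower():
                findings.append(f"writes Winlogon\\{value} = {data}")
        elif m := COPY_RE.match(line):
            src, dst = (g.strip('"') for g in m.groups())
            copies.append((src, dst))
            if "\\system32\\" in dst.lower():
                tail = dst.split("\\")[-1]
                findings.append(f"copies {src} into system32 as {tail}")
        elif m := MSG_RE.match(line):
            # Message-table lookups fail under the renamed cmd.exe copy.
            msg_errors.append(m.group(1))
    return {"killed": killed, "env": env, "reg_writes": reg_writes,
            "copies": copies, "msg_errors": msg_errors, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```

Run against the full log, every finding the script prints is explained by the ComboFix preparation steps listed in the description above; the same findings in a log from an unknown binary (a shell copy under a random name, procmon killed, Winlogon edited, executables dropped into system32) would be the start of an incident.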
