Haha, now I know what "XyliBoxed" means... Very nice!

I always write a little "log" file to keep track of my changes etc.

The first thing I did was to get some strings out of it:
--> strings xylib0x.exe > xyl.txt
I know, it's an old method, but hey, I like it. Didn't find any useful info.

I fired up Process Monitor && Wireshark && Process Explorer to see if it changes files, registry entries, connects to some servers etc. while I analyze.

Then I checked the file with PEiD to see how / if it's packed and maybe in what language it is written.
--> PEiD said: UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo

So, I unpacked it with UPX.
--> upx -d xylib0x.exe -o out-xylibox.exe

After unpacking, I let PEiD (v0.95) analyze it again.
--> Microsoft Visual Basic 5.0 / 6.0

I fired up VB Decompiler Lite to see the source code (yeah, it's not the "real" source, but it makes the whole mess more readable [i.e. decompiled it]).

Some parts caught my interest:

loc_404F1E: LitStr "c:\Xylibox.vbs"
loc_404F64: LitVarStr var_B8, "c:/Xylib0x.exe"
loc_405023: ' Referenced from: 404FA5
loc_405023: ' Referenced from: 405020

This part is interesting, too. As you can see, reversed strings are used. At first look, it appeared those lines get into the Xylibox.vbs file. - I guess the reversed-string style is used to make it less readable and to prevent AVs from popping up.

405402, "metsysrid ,osf miD" = "Dim fso, dirsystem" means a new variable has been made, with 'dirsystem' in it. (Dim is used in Visual Basic)

loc_404ABB: LitStr "namgorP"
loc_4053DF: LitStr "sbv.xobilyX\:c"
loc_405402: LitStr "metsysrid ,osf miD"
loc_40544C: LitStr "tcejbOmetsySeliF.gnitpircS"
loc_40545D: LitStr "(tcejbOetaerC = osf teS"
loc_40548D: LitStr "txeN emuseR rorrE nO"
LitStr ")1(redloFlaicepSteG.osf = metsysrid teS"
loc_4054FA: LitStr "llehS.tpircSW"
etc etc...
It's:

Dim fso, dirsystem
Set fso = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
Set dirsystem = fso.GetSpecialFolder(1)
Set regedit = CreateObject("WScript.Shell")
regedit.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\b0x","wscript c:\Xylibox.vbs"
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run """c:\Xylib0x.exe"""
Msgbox "Xylib0xed"

In this part, the program accesses the registry database and changes / adds values.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b0x
|_ loc_4055A0: LitStr "x0b\nuR\noisreVtnerruC\swodniW\tfosorciM\e"
|_ loc_4055A3: ConcatStr
|_ loc_4055A4: FStStrNoPop var_B4
|_ loc_4055A7: LitStr "rawtfoS\ENIHCAM_LACOL_YEKH"

So, later it starts the newly created .vbScript at every system start.
|_ loc_404927: LitStr "sbv.xobilyX\:c tpircsw"

The code got some more things in it, but they had no effect on my system:
|_ loc_404DF2: LitStr "c:\windows\msKernel33"

Public Sub copiedir() '404818
'Data Table: 403318
loc_404804: LitStr "c:\*.*"
loc_404807: LitStr "c:\windows\*.*"
loc_40480A: ImpAdCallFPR4 FileCopy

After this pre-analysis I started the program (with Process Monitor etc. enabled). It did what I thought + some nice popups.

Solution:
- Delete the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xylibox entry (via an application or msconfig etc. etc.)
- Delete the C:\Xylib0x.exe && C:\Xylibox.vbs files
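As an added example (not part of the post above or of the sample), here is a small Python helper written from the analyst's side that automates what the post does by hand: it pulls the LitStr literals out of a VB Decompiler listing, reads each one right-to-left, flags the ones that reveal the Run-key / WScript dropper behaviour, and reassembles the registry path that was split across the ConcatStr. The listing is constructed from the literals quoted in the post; the indicator patterns are my own choice, not anything the decompiler provides.

```python
import re

# Constructed sample: LitStr lines in the form VB Decompiler prints them,
# using the reversed literals quoted in the post above.
SAMPLE_LISTING = r"""
loc_405402: LitStr "metsysrid ,osf miD"
loc_40545D: LitStr "(tcejbOetaerC = osf teS"
loc_4054FA: LitStr "llehS.tpircSW"
loc_4055A0: LitStr "x0b\nuR\noisreVtnerruC\swodniW\tfosorciM\e"
loc_4055A7: LitStr "rawtfoS\ENIHCAM_LACOL_YEKH"
loc_404927: LitStr "sbv.xobilyX\:c tpircsw"
loc_404F1E: LitStr "c:\Xylibox.vbs"
"""

LITSTR_RE = re.compile(r'^(loc_[0-9A-Fa-f]+):\s+LitStr\s+"(.*)"$')

# Substrings that point at a script-based Run-key dropper (my own choice);
# checked case-insensitively against each literal in both orientations.
INDICATORS = {
    "run_key":       r"\\currentversion\\run\\",
    "wscript_shell": r"wscript\.shell",
    "createobject":  r"createobject\(",
    "vbs_launch":    r"wscript .*\.vbs",
}

def extract_litstrs(listing):
    """Return (address, literal) pairs for every LitStr line."""
    pairs = []
    for line in listing.splitlines():
        m = LITSTR_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def scan(listing):
    """Flag literals that match an indicator; each hit carries the readable
    text and whether it had to be reversed (i.e. was obfuscated) to match."""
    hits = []
    for loc, lit in extract_litstrs(listing):
        forward = lit[::-1]
        for name, pat in INDICATORS.items():
            if re.search(pat, forward, re.I):
                hits.append((loc, name, forward, True))
            elif re.search(pat, lit, re.I):
                hits.append((loc, name, lit, False))
    return hits

def rebuild_concat(fragments):
    """Literals pushed before a ConcatStr (in listing order) are joined first
    and then reversed as a whole, which is how the split Run key reassembles."""
    return "".join(fragments)[::-1]
```

Running `scan(SAMPLE_LISTING)` flags four of the seven literals, all of them only after reversal, and `rebuild_concat` on the two fragments at 4055A0 and 4055A7 yields the full HKLM Run-key path.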