Техническая информация
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'userinit' = '<SYSTEM32>\userinit.exe,%WINDIR%\apppatch\qgynznn.dat,'
- <SYSTEM32>\netsh.exe firewall set allowedprogram \??\<SYSTEM32>\winlogon.exe ENABLE
- <SYSTEM32>\svchost.exe
- %WINDIR%\Explorer.EXE
- <SYSTEM32>\winlogon.exe
- <SYSTEM32>\spoolsv.exe
- opera.exe
- iexplore.exe
- firefox.exe
- ClassName: 'AVP.MainWindow' WindowName: ''
- %WINDIR%\Temp\D7EC.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\news[1].htm
- %WINDIR%\Temp\DA0F.tmp
- %TEMP%\espBAC2.tmp
- %WINDIR%\AppPatch\qgynznn.dat
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\home[1].htm
- %WINDIR%\Temp\DA0F.tmp
- %WINDIR%\Temp\D7EC.tmp
- %TEMP%\espBAC2.tmp
- из <Полный путь к вирусу> в %TEMP%\1.tmp
- 'sp####nephric.com':80
- '74.##5.232.51':80
- sp####nephric.com/news.php
- sp####nephric.com/home.php
- DNS ASK wpad.localdomain
- DNS ASK sp####nephric.com
- DNS ASK google.com
- ClassName: '' WindowName: 'Kaspersky Virus Removal Tool 2010'
- ClassName: 'Malwarebytes' WindowName: 'ThunderRT6FormDC'
- ClassName: 'OSAM: Autorun Manager' WindowName: '#32770'
- ClassName: '' WindowName: 'Антивирусная утилита AVZ'
- ClassName: '' WindowName: 'random'
- ClassName: 'ThunderRT6FormDC' WindowName: ''