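Техническая информация
Ниже перечислены технические артефакты: параметры реестра двух служб (значение 'Start' = 2 соответствует автоматическому запуску), команды sc.exe, которыми эти службы создаются как драйверы режима ядра (type= kernel) и управляются, пути к файлам, сетевые адреса, URL и DNS-запросы, а также имя класса окна. Заголовки подразделов в этом фрагменте не сохранились, поэтому по самому списку нельзя определить, создаётся, изменяется или удаляется каждый из файлов (некоторые пути повторяются); символы '#' в адресах, по-видимому, маскируют часть значения.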
- [<HKLM>\SYSTEM\ControlSet001\Services\tujwrd] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\kukrxw] 'Start' = '00000002'
- <SYSTEM32>\sc.exe stop kukrxw
- <SYSTEM32>\sc.exe create tujwrd type= kernel start= auto binpath= "%ALLUSERSPROFILE%\Application Data\UZXHUGE\tujwrd.bin"
- <SYSTEM32>\sc.exe start kukrxw
- <SYSTEM32>\sc.exe create kukrxw type= kernel binpath= "%ALLUSERSPROFILE%\Application Data\UZXHUGE\kukrxw.bin" start= auto
- <SYSTEM32>\sc.exe stop null
- %WINDIR%\msapps\vxb8100
- %WINDIR%\Web\ua3755.htt
- %WINDIR%\Help\xk7237.hlp
- %ALLUSERSPROFILE%\Application Data\UZXHUGE\tujwrd.bin
- %WINDIR%\msapps\xk8899.nfo
- %TEMP%\1.tmp
- %ALLUSERSPROFILE%\Application Data\UZXHUGE\xxr7970.tlb
- %ALLUSERSPROFILE%\Application Data\UZXHUGE\kukrxw.bin
- <SYSTEM32>\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\wpad[1].dat
- <SYSTEM32>\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\pab[1].php
- %ALLUSERSPROFILE%\Application Data\UZXHUGE\tujwrd.bin
- %ALLUSERSPROFILE%\Application Data\UZXHUGE\kukrxw.bin
- 'wpad.localdomain':80
- 'up##.21civ.com':80
- 'rp##.21civ.com':80
- wpad.localdomain/wpad.dat
- up##.21civ.com/pab.php?b=######################################
- rp##.21civ.com/az.php?st####################################
- DNS ASK wpad.localdomain
- DNS ASK up##.21civ.com
- DNS ASK rp##.21civ.com
- ClassName: 'Shell_TrayWnd' WindowName: ''