Техническая информация
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,<SYSTEM32>\wbem\internat.exe'
- %WINDIR%\srchasst\chars\vip.exe (загружен из сети Интернет)
- <SYSTEM32>\reg.exe Delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden" /F
- %WINDIR%\regedit.exe /s %WINDIR%\system\sy.reg
- <SYSTEM32>\reg.exe Delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot" /F
- <SYSTEM32>\reg.exe Delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden" /F
- C:\internat.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\vip[1].exe
- %WINDIR%\srchasst\chars\vip.exe
- <SYSTEM32>\wbem\internat.exe
- %WINDIR%\system\sy.reg
- C:\AutoRun.inf
- C:\internat.exe
- C:\AutoRun.inf
- 'bt#.#qzone.net':80
- 'localhost':1039
- bt#.#qzone.net/post/c_editor/huo/vip.exe
- DNS ASK bt#.#qzone.net
- ClassName: 'ComboBox' WindowName: ''
- ClassName: 'Edit' WindowName: ''
- ClassName: 'RegEdit_RegEdit' WindowName: ''
- ClassName: 'ComboBoxEx32' WindowName: ''
- ClassName: '' WindowName: '????'
- ClassName: '' WindowName: ''
- ClassName: 'ReBarWindow32' WindowName: ''