Техническая информация
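- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,<SYSTEM32>\wbem\internat.exe' (автозапуск: к штатному значению Userinit дописан путь к <SYSTEM32>\wbem\internat.exe, поэтому этот файл запускается при каждом входе пользователя в систему; при проверке и восстановлении системы в значении должен остаться только путь к userinit.exe)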
- %WINDIR%\system\qd.exe
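- <SYSTEM32>\reg.exe Delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden" /F (удаляется раздел, описывающий настройку Проводника «Показывать скрытые файлы и папки», после чего включить показ скрытых файлов через свойства папки не удаётся)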
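- %WINDIR%\regedit.exe /s %WINDIR%\system\sy.reg (ключ /s — импорт файла sy.reg в реестр без вывода запросов и сообщений пользователю; содержимое sy.reg в описании не приведено)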
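- <SYSTEM32>\reg.exe Delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot" /F (удаляется раздел с конфигурацией безопасного режима; после этого загрузка Windows в безопасном режиме становится невозможной, что затрудняет ручное лечение)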
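- <SYSTEM32>\reg.exe Delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden" /F (удаляется раздел, описывающий настройку Проводника «Скрывать защищённые системные файлы», после чего включить отображение таких файлов через свойства папки не удаётся)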
- %WINDIR%\system\qd.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\getpublicip[1].shtml
- C:\ip.txt
- <SYSTEM32>\wbem\internat.exe
- %WINDIR%\system\sy.reg
- 'vb###.mvps.org':80
- 'localhost':1035
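- vb###.mvps.org/resources/tools/getpublicip.shtml (судя по имени ресурса, запрашивается внешний IP-адрес заражённого компьютера; вероятно, с этим связаны кешированный файл getpublicip[1].shtml и файл C:\ip.txt из списка выше — требует подтверждения)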
- DNS ASK vb###.mvps.org
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'RegEdit_RegEdit' WindowName: ''