Техническая информация (изменяемые ключи реестра, выполняемые команды, создаваемые файлы, сетевые обращения)
- [<HKLM>\SYSTEM\ControlSet001\Services\ljhopu] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\lxuhqp] 'Start' = '00000002'
- <SYSTEM32>\sc.exe stop lxuhqp
- <SYSTEM32>\sc.exe create ljhopu type= kernel start= auto binpath= "%ALLUSERSPROFILE%\Application Data\LYAGGDP\ljhopu.bin"
- <SYSTEM32>\sc.exe start lxuhqp
- <SYSTEM32>\sc.exe create lxuhqp type= kernel binpath= "%ALLUSERSPROFILE%\Application Data\LYAGGDP\lxuhqp.bin" start= auto
- <SYSTEM32>\sc.exe stop null
- %WINDIR%\Web\dj6816.htt
- %WINDIR%\inf\tpl7742
- %WINDIR%\Help\bf9648.hlp
- %WINDIR%\Temp\{2bb18984-a2b4-466f-009c-076b84578719}
- %ALLUSERSPROFILE%\Application Data\LYAGGDP\ljhopu.bin
- %TEMP%\1.tmp
- %ALLUSERSPROFILE%\Application Data\LYAGGDP\oho7168.htt
- %ALLUSERSPROFILE%\Application Data\LYAGGDP\lxuhqp.bin
- %WINDIR%\Help\jz6589.hlp
- <SYSTEM32>\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6YQRA29M\pab[1].php
- %TEMP%\1.tmp
- %ALLUSERSPROFILE%\Application Data\LYAGGDP\ljhopu.bin
- %ALLUSERSPROFILE%\Application Data\LYAGGDP\lxuhqp.bin
- 'rp.##q88.com':80
- 'up##.21civ.com':80
- 'rp##.21civ.com':80
- up##.21civ.com/pab.php?b=######################################
- rp.##q88.com/rp.php?om###################################################################################
- rp##.21civ.com/az.php?st######################################################
- rp##.21civ.com/wb.php?o=############################################
- DNS ASK rp.##q88.com
- DNS ASK www.ba##u.com
- DNS ASK rp##.21civ.com
- DNS ASK up##.21civ.com