Техническая информация
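Параметры служб в реестре (значение 'Start' = 2 означает автоматический запуск службы при загрузке системы):
- [<HKLM>\SYSTEM\ControlSet001\Services\qhnhtp] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\jsvplf] 'Start' = '00000002'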
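Команды sc.exe (порядок строк в списке не обязательно совпадает с порядком выполнения; создаются две службы-драйвера режима ядра — type= kernel, start= auto — с файлами в %ALLUSERSPROFILE%\Application Data\RMKRVIY, то есть вне стандартного каталога драйверов, что удобно использовать как признак при мониторинге):
- '<SYSTEM32>\sc.exe' stop jsvplf
- '<SYSTEM32>\sc.exe' create qhnhtp type= kernel start= auto binpath= "%ALLUSERSPROFILE%\Application Data\RMKRVIY\qhnhtp.bin"
- '<SYSTEM32>\sc.exe' start jsvplf
- '<SYSTEM32>\sc.exe' create jsvplf type= kernel binpath= "%ALLUSERSPROFILE%\Application Data\RMKRVIY\jsvplf.bin" start= auto
- '<SYSTEM32>\sc.exe' stop null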
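Пути в файловой системе (операция для каждой строки в списке не указана; повторяющиеся пути, вероятно, относятся к разным операциям над одним и тем же файлом):
- %WINDIR%\inf\tj7888.PNF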
- %WINDIR%\Web\yk3545.htt
- %WINDIR%\Temp\{d5991fb9-9ee4-4402-0090-bbf4e1bbfdb9}
- %ALLUSERSPROFILE%\Application Data\RMKRVIY\qhnhtp.bin
- %WINDIR%\srchasst\ncn5769
- %TEMP%\1.tmp
- %ALLUSERSPROFILE%\Application Data\RMKRVIY\mao6949.lex
- %WINDIR%\Web\vh1364.htt
- %ALLUSERSPROFILE%\Application Data\RMKRVIY\jsvplf.bin
- %TEMP%\1.tmp
- %ALLUSERSPROFILE%\Application Data\RMKRVIY\qhnhtp.bin
- %ALLUSERSPROFILE%\Application Data\RMKRVIY\jsvplf.bin
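Сетевые индикаторы (символы # в доменных именах и параметрах запросов, по-видимому, скрывают часть значения в источнике, поэтому для блокировки по точному совпадению эти записи непригодны; строки «DNS ASK», судя по всему, обозначают DNS-запросы):
- 'rp.##q88.com':80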
- 'rp##.21civ.com':80
- rp.##q88.com/rp.php?om###################################################################################
- rp##.21civ.com/wb.php?o=############################################
- rp##.21civ.com/az.php?st######################################################
- DNS ASK rp.##q88.com
- DNS ASK www.ba##u.com
- DNS ASK up###.21civ.com
- DNS ASK rp##.21civ.com
- DNS ASK up##.21civ.com