Техническая информация
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnomlk] 'Logon' = 'Logon'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnomlk] 'DllName' = 'nnnomlk.dll'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] '{8CEFE835-8EBF-420F-AFA2-807008E32917}' = ''
- '%WINDIR%\retadpu1044.exe' 61A847B5BBF72813329F3C466188719AB689201522886B092CBD44BD8689220221DD3257
- '%TEMP%\GUQF296\en.exe'
- '%TEMP%\is-Q4BHN.tmp\is-N5F7H.tmp' /SL4 $30092 %TEMP%\GUQF296\tvplayer4.0.0.exe 1451196 51200
- '%TEMP%\GUQF296\tvplayer4.0.0.exe'
- '%TEMP%\GUQF296\we.exe'
- '%WINDIR%\retadpu1044.exe' (загружен из сети Интернет)
- '<SYSTEM32>\cmd.exe' /c %TEMP%\removalfile.bat "%TEMP%\GUQF296\en.exe"
- <SYSTEM32>\winlogon.exe
- %WINDIR%\retadpu1044.exe
- %TEMP%\is-0ORBO.tmp\_shfoldr.dll
- %TEMP%\is-Q4BHN.tmp\is-N5F7H.tmp
- %TEMP%\removalfile.bat
- <SYSTEM32>\nnnomlk.dll
- %TEMP%\GUQF296\en.exe
- %TEMP%\GUQF296\we.dat
- %TEMP%\GUQF296\tvplayer4.0.0.exe
- %TEMP%\nsj2.tmp
- %TEMP%\GUQF296\we.exe
- %TEMP%\nsy3.tmp\DcryptDll.dll
- %TEMP%\GUQF296\en.dat
- %TEMP%\nsy3.tmp\DcryptDll.dll
- %TEMP%\GUQF296\en.exe
- %TEMP%\GUQF296\we.exe
- %TEMP%\GUQF296\we.dat
- %TEMP%\GUQF296\en.dat
- 'y2#.###44.wrs.mcboo.com':80
- y2#.###44.wrs.mcboo.com/retadpu.exe
- DNS ASK y2#.###44.wrs.mcboo.com
- ClassName: 'Shell_TrayWnd' WindowName: ''