Техническая информация
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '%TEMP%\opeB.exe ' = '%TEMP%\opeB.exe '
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'jkjijjsys' = 'rundll32.exe "vtrsss.dll",s'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'binfix7080010000.exe' = '"%TEMP%\binfix7080010000.exe"'
- [<HKLM>\SYSTEM\ControlSet001\Control\Print\Providers\tdl] 'Name' = '%TEMP%\F.tmp'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'urpqqqsys' = 'rundll32.exe "vtrsss.dll",s'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'userinit' = '<SYSTEM32>\userinit.exe,<SYSTEM32>\sdra64.exe,'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'netw' = '%WINDIR%\svw.exe'
- [<HKLM>\SYSTEM\ControlSet001\Control\Lsa] 'Authentication Packages' = ''
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'netc' = '%WINDIR%\svc.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Follower] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\4_pinnew.exe' = '%TEMP%\4_pinnew.exe:*:Enabled:Enabled'
- '%TEMP%\xbvkj.exe'
- '%TEMP%\lxjyen.exe'
- '%TEMP%\hqkirnrr.exe'
- '%TEMP%\fFollower.exe' /install /silent
- '%TEMP%\-1998166001'
- '%TEMP%\ykylsto.exe'
- '%TEMP%\oscv.exe'
- '%TEMP%\jqrim.exe'
- '%TEMP%\nyahxty.exe'
- '%TEMP%\ofonplnw.exe'
- '%TEMP%\asdcds.exe'
- '%TEMP%\cftwye.exe'
- '%TEMP%\mbhrpj.exe'
- '%TEMP%\6_ldry3no.exe'
- '%TEMP%\4_pinnew.exe'
- '%TEMP%\miragge.exe'
- '%TEMP%\avto.exe'
- '%TEMP%\binfix7080010000.exe'
- '%TEMP%\fFollower.exe'
- '%TEMP%\avto1.exe'
- '%TEMP%\q1.exe'
- '%TEMP%\svchosty.exe'
- '%TEMP%\opeB.exe'
- '%TEMP%\1286622170.exe'
- '%TEMP%\1your_exe.exe'
- '%TEMP%\2_load.exe'
- '%TEMP%\jqrim.exe' (загружен из сети Интернет)
- '%TEMP%\mbhrpj.exe' (загружен из сети Интернет)
- '%TEMP%\nyahxty.exe' (загружен из сети Интернет)
- '%TEMP%\ofonplnw.exe' (загружен из сети Интернет)
- '%TEMP%\lxjyen.exe' (загружен из сети Интернет)
- '%TEMP%\xbvkj.exe' (загружен из сети Интернет)
- '%TEMP%\-1998166001' (загружен из сети Интернет)
- '%TEMP%\ykylsto.exe' (загружен из сети Интернет)
- '%TEMP%\cftwye.exe' (загружен из сети Интернет)
- '%TEMP%\asdcds.exe' (загружен из сети Интернет)
- '%TEMP%\hqkirnrr.exe' (загружен из сети Интернет)
- '%TEMP%\oscv.exe' (загружен из сети Интернет)
- '<SYSTEM32>\cmd.exe' /c del <SYSTEM32>\svchost.exe > nul
- '<SYSTEM32>\svchost.exe'
- '<SYSTEM32>\rundll32.exe' "<SYSTEM32>\vtrsss.dll",s
- <SYSTEM32>\svchost.exe
- %WINDIR%\Explorer.EXE
- <SYSTEM32>\spoolsv.exe
- opera.exe
- firefox.exe
- chrome.exe
- [<HKCU>\SOFTWARE\Far\Plugins\FTP\Hosts]
- [<HKCU>\Software\Microsoft\Internet Account Manager\Accounts]
- [<HKCU>\Software\RimArts\B2\Settings]
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]
- [<HKCU>\Software\CoffeeCup Software\Internet\Profiles]
- [<HKLM>\SOFTWARE\FlashFXP\3]
- [<HKCU>\Software\FileZilla]
- [<HKLM>\Software\Ghisler\Total Commander]
- [<HKLM>\SOFTWARE\Miranda]
- [<HKCU>\SOFTWARE\Mirabilis\ICQ\NewOwners]
- [<HKCU>\SOFTWARE\RIT\The Bat!]
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian]
- [<HKLM>\Software\Ghisler\Windows Commander]
- [<HKCU>\Software\Ghisler\Total Commander]
- [<HKCU>\Software\Ghisler\Windows Commander]
- ClassName: 'AVP.AhLearnDialog' WindowName: ''
- ClassName: 'AVP.Product_Notification' WindowName: ''
- ClassName: 'AVP.AlertDialog' WindowName: ''
- ClassName: 'AVP.AhAppChangedDialog' WindowName: ''
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1400' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1601' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'currentlevel' = '00000000'
- %TEMP%\oscv.exe
- %TEMP%\hqkirnrr.exe
- %TEMP%\asdcds.exe
- %TEMP%\cftwye.exe
- %TEMP%\lxjyen.exe
- %TEMP%\ykylsto.exe
- %TEMP%\-1998166001
- %TEMP%\xbvkj.exe
- %TEMP%\60325cahp25ca2.exe
- %TEMP%\mbhrpj.exe
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CJCTQ25G\tds6[4].php
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CJCTQ25G\tds6[2].php
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CJCTQ25G\tds6[5].php
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CJCTQ25G\tds6[3].php
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CJCTQ25G\tds6[1].php
- %TEMP%\60325cahp25ca1.exe
- %TEMP%\jqrim.exe
- %TEMP%\ofonplnw.exe
- %TEMP%\nyahxty.exe
- %TEMP%\6_ldry3no.exe
- %TEMP%\avto.exe
- %WINDIR%\svw.exe
- %TEMP%\4_pinnew.exe
- %TEMP%\avto1.exe
- %TEMP%\miragge.exe
- %TEMP%\q1.exe
- %TEMP%\binfix7080010000.exe
- %TEMP%\fFollower.exe
- <SYSTEM32>\sdra64.exe
- %TEMP%\svchosty.exe
- %TEMP%\1286622170.exe
- %WINDIR%\Temp\10.tmp
- %TEMP%\E.tmp
- %TEMP%\opeB.exe
- <SYSTEM32>\vtrsss.dll
- %TEMP%\2_load.exe
- %WINDIR%\svc.exe
- %TEMP%\1your_exe.exe
- <SYSTEM32>\sdra64.exe
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CJCTQ25G\tds6[4].php
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CJCTQ25G\tds6[5].php
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CJCTQ25G\tds6[3].php
- <SYSTEM32>\svchost.exe
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CJCTQ25G\tds6[2].php
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CJCTQ25G\tds6[1].php
- %TEMP%\F.tmp
- %TEMP%\1your_exe.exe
- %TEMP%\2_load.exe
- %TEMP%\60325cahp25ca1.exe
- %TEMP%\60325cahp25ca2.exe
- %WINDIR%\Temp\10.tmp
- %TEMP%\1286622170.exe в %TEMP%\11.tmp
- %TEMP%\E.tmp в %TEMP%\F.tmp
- 'localhost':1056
- 'localhost':1058
- 'localhost':1054
- 'localhost':1055
- 'localhost':1060
- 'au####loaders.net':80
- 'mi##xen.in':80
- 'localhost':1061
- 'localhost':1064
- 'localhost':1053
- 'localhost':1040
- 'mo##tds.org':80
- '20#.#6.232.182':80
- 'localhost':1039
- 'ca##azy.com':80
- 'gi###irect.net':80
- 'localhost':1052
- 'gl##es.com':80
- 'localhost':1049
- http://ca##azy.com/pimuowecw/hytniqkszx.php?ad########
- http://ca##azy.com/pimuowecw/sjaipk.php?ad########
- http://ca##azy.com/pimuowecw/qdlsn.php?ad########
- http://ca##azy.com/pimuowecw/neipnvqx.php?ad########
- http://ca##azy.com/pimuowecw/lpkez.php?ad########
- http://au####loaders.net/massnews/tds2.php
- http://mi##xen.in/load/load.php?a=###################################################################
- http://ca##azy.com/pimuowecw/ffaucji.php?ad#################################################
- http://gi###irect.net/1/tds6.php
- http://ca##azy.com/pimuowecw/vvqkfy.php?ad########
- http://gl##es.com/imgX/fiske/r/r.php?r=#
- http://windowsupdate.microsoft.com/ via 20#.#6.232.182
- http://ca##azy.com/pimuowecw/vytxsmu.php?ad########
- http://ca##azy.com/pimuowecw/kxszhbwdcj.php?ad########
- http://ca##azy.com/pimuowecw/ofmupwryg.php?ad########
- http://ca##azy.com/pimuowecw/lpkezhfmu.php?ad########
- http://ca##azy.com/pimuowecw/jjdlsnvtov.php?ad########
- http://ca##azy.com/pimuowecw/neygn.php?ad########
- http://mo##tds.org/gate/site.php
- DNS ASK au####loaders.net
- DNS ASK s.###oxen.in
- DNS ASK mi##xen.in
- DNS ASK gi###irect.net
- DNS ASK mo##tds.org
- DNS ASK windowsupdate.microsoft.com
- DNS ASK gl##es.com
- DNS ASK ca##azy.com
- ClassName: '' WindowName: 'Warning: Components Have Changed'
- ClassName: '' WindowName: 'Внимание: некоторые компоненты изменились'
- ClassName: '' WindowName: '????????: ????????? ?????????? ??????????'
- ClassName: '' WindowName: '??????? ??????? ??????????? ??????? ??????'
- ClassName: 'MS_WINHELP' WindowName: ''
- ClassName: '' WindowName: 'Hidden Process Requests Network Access'
- ClassName: '' WindowName: 'Скрытый процесс запрашивает сетевой доступ'
- ClassName: '' WindowName: 'Kaspersky Anti-Hacker - Создать правило для 4_pinnew.exe'
- ClassName: '' WindowName: 'Kaspersky Anti-Hacker - ??????? ??????? ??? 4_pinnew.exe'
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: '' WindowName: 'Kaspersky Anti-Hacker - Create a rule for 4_pinnew.exe'
- ClassName: '' WindowName: 'Create rule for 4_PINNEW.EXE'
- ClassName: '' WindowName: 'Создать правило для 4_PINNEW.EXE'
- ClassName: '' WindowName: '??????? ??????? ??? 4_PINNEW.EXE'