Technical Information — dynamic-analysis behavior log for a Windows sample: registry modifications, files written, commands executed, anti-analysis window lookups and network activity. The section headings of the original report are not preserved in this rendering, and hostnames are partially masked with '#' by the report source.
Note (review): the Image File Execution Options entries below set 'Debugger' = 'ntsd -d' for executables whose names match Rising (Rav*.exe, CCenter.exe), Qihoo 360 (360tray.exe, 360Safe.exe) and Kaspersky (AVP.exe) components. Windows then starts each of these under ntsd instead of directly, which in practice prevents the security product from running — a defense-evasion technique. Remediation: delete these IFEO subkeys before reinstalling or restarting the affected products.
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe] 'Debugger' = 'ntsd -d'
Note (review): this rewrites the http: URL-protocol handler. The value is close to the Windows default (iexplore.exe -nohome), so it may be restoring or overwriting the default rather than pointing to the malware; still confirm the actual iexplore.exe path on the host, since the recorded path lacks the space in "Internet Explorer".
- [<HKLM>\SOFTWARE\Classes\HTTP\shell\open\command] '' = '"%PROGRAM_FILES%\InternetExplorer\iexplore.exe" -nohome'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.exe] 'Debugger' = 'ntsd -d'
Note (review): per-user Run-key persistence. The value is named 'Explorer' and launches suchost.exe from the drivers directory — a name chosen to resemble the legitimate svchost.exe, which lives in System32, not under drivers. The same path appears in the file list below.
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Explorer' = '<DRIVERS>\suchost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe] 'Debugger' = 'ntsd -d'
Note (review): autorun.inf plus an executable with a garbled (mis-encoded) name are written to the root of removable drives and of C:\ — classic autorun-based spreading. The original filename cannot be recovered from this rendering, so match on autorun.inf and on the hidden attribute ('hidden files' entry below) rather than on the displayed name.
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\ЎЎЎЎЎЎ.exe
- hidden files
- <DRIVERS>\suchost.exe
Note (review): the cmd.exe /c "%TEMP%\del<N>$$.bat" launches below run short-lived batch files from %TEMP% (del1$$.bat … del99$$.bat). The naming suggests clean-up / self-deletion scripts, but their contents are not shown in this report; the batch files themselves are listed among the created files further down.
- <SYSTEM32>\cmd.exe /c "%TEMP%\del3$$.bat"
- <SYSTEM32>\cmd.exe /c "%TEMP%\del41$$.bat"
- <SYSTEM32>\cmd.exe /c "%TEMP%\del33$$.bat"
- <SYSTEM32>\cmd.exe /c "%TEMP%\del49$$.bat"
- <SYSTEM32>\cmd.exe /c "%TEMP%\del77$$.bat"
- <SYSTEM32>\cmd.exe /c "%TEMP%\del1$$.bat"
- <SYSTEM32>\cmd.exe /c "%TEMP%\del99$$.bat"
- <SYSTEM32>\cmd.exe /c "%TEMP%\del45$$.bat"
- <SYSTEM32>\cmd.exe /c "%TEMP%\del28$$.bat"
- <SYSTEM32>\cmd.exe /c "%TEMP%\del21$$.bat"
- <SYSTEM32>\cmd.exe /c "%TEMP%\del71$$.bat"
- <SYSTEM32>\cmd.exe /c "%TEMP%\del23$$.bat"
Note (review): net1.exe share <X>$ /del /y removes the default administrative shares (Z$, D$, C$, A$, admin$). The report does not show why (blocking remote administration or rival malware are common motives); regardless, administrative shares missing on a host are a useful host-level indicator, and SMB activity toward private addresses appears in the network section.
- <SYSTEM32>\net1.exe share Z$ /del /y
- <SYSTEM32>\net1.exe share D$ /del /y
- <SYSTEM32>\cmd.exe /c "%TEMP%\del24$$.bat"
- <SYSTEM32>\cmd.exe /c "%TEMP%\del52$$.bat"
- <SYSTEM32>\cmd.exe /c "%TEMP%\del84$$.bat"
- <SYSTEM32>\net1.exe share C$ /del /y
- <SYSTEM32>\cmd.exe /c "%TEMP%\del17$$.bat"
- <SYSTEM32>\cmd.exe /c "%TEMP%\del2$$.bat"
- <SYSTEM32>\cmd.exe /c "%TEMP%\del67$$.bat"
- <SYSTEM32>\net1.exe share A$ /del /y
- <SYSTEM32>\net1.exe share admin$ /del /y
Note (review): AVP.EXE (Kaspersky) stands alone here. In the source report format this position usually lists processes the sample terminates or searches for, but the heading was lost, so treat the exact action as unconfirmed — it is consistent with the IFEO entries targeting AVP.exe above.
- AVP.EXE
Note (review): the window-title/class lookups for TRW2000, API-Log and OllyDbg (class 'OLLYDBG') are anti-debugging checks; the sample presumably changes behavior or exits when such a window exists, so dynamic analysis should rename or hide analysis-tool windows.
- ClassName: '' WindowName: 'TRW2000 for Windows 9x'
- ClassName: '' WindowName: 'API-Log v1.2 by M.o.D. [F2F]'
- ClassName: 'OLLYDBG' WindowName: ''
Note (review): files written. A file named Desktop_.ini (note the underscore — not the legitimate desktop.ini) is dropped into every directory the sample walked under Firefox and Far Manager, which makes it a convenient file-system IOC. Also written: C:\qw.sys, suchost.exe in the drivers directory, the %TEMP% batch scripts, and the autorun.inf/executable pair on C:\ and removable drives.
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\aero\browser\tabview\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\browser\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\aero\browser\tabbrowser\Desktop_.ini
- %TEMP%\del77$$.bat
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\aero\browser\preferences\Desktop_.ini
- %TEMP%\del33$$.bat
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\browser\places\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\browser\preferences\Desktop_.ini
- %TEMP%\del41$$.bat
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\browser\feeds\Desktop_.ini
- %TEMP%\del3$$.bat
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\aero\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\aero\browser\Desktop_.ini
- %TEMP%\del67$$.bat
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\Desktop_.ini
- %TEMP%\del17$$.bat
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\aero\browser\places\Desktop_.ini
- %TEMP%\del49$$.bat
- %TEMP%\del23$$.bat
- %TEMP%\del2$$.bat
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\aero\browser\feeds\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\browser\places\Desktop_.ini
- %TEMP%\del99$$.bat
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\browser\migration\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\browser\feeds\Desktop_.ini
- %TEMP%\del28$$.bat
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\browser\preferences\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\browser-region\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\en-US\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\browser\sidebar\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\browser\safebrowsing\Desktop_.ini
- %TEMP%\del45$$.bat
- %TEMP%\del21$$.bat
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\communicator\Desktop_.ini
- %TEMP%\del1$$.bat
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\browser\tabbrowser\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\browser\tabview\Desktop_.ini
- %TEMP%\del71$$.bat
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\browser\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\browser\downloads\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\branding\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\Desktop_.ini
- C:\Far\Addons\Macros\Desktop_.ini
- C:\Far\Addons\SetUp\Desktop_.ini
- C:\autorun.inf
- C:\ЎЎЎЎЎЎ.exe
- %TEMP%\del24$$.bat
- C:\Far\Addons\Shell\Desktop_.ini
- C:\Far\Addons\Tables\Cyrillic\E-Mail Double Conversion\Desktop_.ini
- C:\Far\Addons\Tables\Hebrew\Desktop_.ini
- C:\Far\Addons\Tables\Cyrillic\Desktop_.ini
- C:\Far\Addons\Tables\Desktop_.ini
- C:\Far\Addons\Tables\Central European\Desktop_.ini
- %TEMP%\del52$$.bat
- C:\Far\Desktop_.ini
- <Current directory>\Desktop_.ini
- C:\qw.sys
- <DRIVERS>\suchost.exe
- C:\Far\Addons\Desktop_.ini
- %TEMP%\del84$$.bat
- C:\Far\Addons\Colors\Default Highlighting\Desktop_.ini
- C:\Far\Addons\Colors\Custom Highlighting\Desktop_.ini
- C:\Far\Addons\Archivers\Desktop_.ini
- C:\Far\Addons\Colors\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\browser\history\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\browser\migration\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\browser\feeds\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\browser\bookmarks\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\browser\certerror\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\browser\pageinfo\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\browser\safebrowsing\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\browser\search\Desktop_.ini
Note (review): this Temporary Internet Files entry is consistent with a WinINet cache copy of 2.htm retrieved from www.da###ng08.com (see the HTTP requests below), i.e. the download went through the IE/WinINet stack under the logged-on user's profile; the cached file is worth collecting for the payload list.
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\2[1].htm
- %PROGRAM_FILES%\FireFox\chrome\browser\content\browser\places\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\browser\preferences\Desktop_.ini
- <Auxiliary element>
- %PROGRAM_FILES%\Desktop_.ini
- C:\Far\Addons\XLat\Russian\Desktop_.ini
- C:\Far\Addons\Tables\Western European\Desktop_.ini
- C:\Far\Addons\XLat\Desktop_.ini
- %PROGRAM_FILES%\FireFox\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\branding\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\browser\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\Desktop_.ini
Note (review): the second listing of largely the same paths that begins here is a separate section of the original report (most likely files deleted or modified after creation — its heading was lost in this rendering); it is not an accidental duplicate of the block above.
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\aero\browser\preferences\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\aero\browser\tabbrowser\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\aero\browser\feeds\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\aero\browser\places\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\browser\feeds\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\browser\places\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\aero\browser\tabview\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\browser\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\aero\browser\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\browser\preferences\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\browser\safebrowsing\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\browser\pageinfo\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\browser\places\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\aero\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\browser\search\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\browser\places\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\browser\preferences\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\browser\feeds\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\browser\migration\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\browser-region\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\en-US\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\browser\safebrowsing\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\browser\sidebar\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\browser\downloads\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\browser\tabview\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\communicator\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\browser\preferences\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\skin\classic\browser\tabbrowser\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\branding\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\browser\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\en-US\locale\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\browser\migration\Desktop_.ini
- C:\Far\Addons\Macros\Desktop_.ini
- C:\Far\Addons\SetUp\Desktop_.ini
- C:\ЎЎЎЎЎЎ.exe
- C:\autorun.inf
- C:\Far\Addons\Tables\Central European\Desktop_.ini
- C:\Far\Addons\Tables\Cyrillic\Desktop_.ini
- C:\Far\Addons\Shell\Desktop_.ini
- C:\Far\Addons\Tables\Desktop_.ini
- C:\Far\Addons\Colors\Default Highlighting\Desktop_.ini
- C:\Far\Addons\Desktop_.ini
- C:\Far\Addons\Archivers\Desktop_.ini
- <Current directory>\Desktop_.ini
- C:\Far\Desktop_.ini
- <Drive name for removable media>:\ЎЎЎЎЎЎ.exe
- <Drive name for removable media>:\autorun.inf
- C:\Far\Addons\Colors\Desktop_.ini
- C:\Far\Addons\Colors\Custom Highlighting\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\branding\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\browser\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\browser\feeds\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\browser\history\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\browser\bookmarks\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\browser\content\browser\certerror\Desktop_.ini
- %PROGRAM_FILES%\FireFox\chrome\Desktop_.ini
- C:\Far\Addons\Tables\Western European\Desktop_.ini
- C:\Far\Addons\XLat\Desktop_.ini
- C:\Far\Addons\Tables\Cyrillic\E-Mail Double Conversion\Desktop_.ini
- C:\Far\Addons\Tables\Hebrew\Desktop_.ini
- %PROGRAM_FILES%\Desktop_.ini
- %PROGRAM_FILES%\FireFox\Desktop_.ini
- C:\Far\Addons\XLat\Russian\Desktop_.ini
- <Auxiliary element>
- C:\qw.sys
Note (review): network activity. Port-80 connections to three masked domains retrieve plain-text files named down.txt, down1.txt and houmendown.txt ('houmen' is pinyin for 'back door') — consistent with a downloader fetching a list of further payloads. SMB connections (445/139) to private IP addresses indicate scanning or share access on the local network, and there is a loopback connection to port 1078 whose purpose is not shown here.
- 'www.xl##013.cn':80
- 'localhost':1078
- 'www.da###ng08.com':80
- '<Private IP address>':445
- '<Private IP address>':139
- 'www.9z##.com':80
- www.da###ng08.com/down/houmendown.txt
- www.da###ng08.com/2.htm
- www.9z##.com/down1.txt
- www.xl##013.cn/down.txt
- DNS ASK www.da###ng08.com
- DNS ASK www.xl##013.cn
- DNS ASK www.9z##.com
Note (review): further window enumeration. Shell_TrayWnd, msctls_statusbar32, Indicator, MS_WebcheckMonitor and MS_AutodialMonitor are ordinary shell/system windows, while 'Cool Debugger for Win32', 'VxDMonClass', 'TrainerSpy', 'Hacked Spy' and 'The Customiser' are titles of debugging / spying / trainer tools, checked for the same anti-analysis purpose as the OllyDbg lookup above.
- ClassName: 'msctls_statusbar32' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: '' WindowName: 'Cool Debugger for Win32'
- ClassName: 'VxDMonClass' WindowName: ''
- ClassName: '' WindowName: 'TrainerSpy XP + NT / 2000 / XP + Coded By BofeN'
- ClassName: '' WindowName: 'Hacked Spy'
- ClassName: '' WindowName: 'The Customiser'
- ClassName: '' WindowName: 'The Customiser Configuration Screen'