Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ewrgetuj' = '%TEMP%\geurge.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Inoyikotadoqev' = 'rundll32.exe "%WINDIR%\mstusumf.dll",Startup'
- [<HKLM>\SYSTEM\ControlSet001\Control\Print\Providers\tdl] 'Name' = '%TEMP%\5.tmp'
- %TEMP%\acbukeh.exe
- %TEMP%\-1998166001
- %TEMP%\sjvt.exe
- %TEMP%\abmniqsn.exe
- %TEMP%\ceye.exe
- %TEMP%\nphxdye.exe
- %TEMP%\isfbpt.exe
- %TEMP%\vbqaigb.exe
- %TEMP%\jgcj.exe
- %TEMP%\lpkosvi.exe
- %TEMP%\E4U.exe
- %TEMP%\ic1.exe
- %TEMP%\bpfull.exe
- %TEMP%\EuroP.exe
- %TEMP%\7za.exe x %TEMP%\a1.7z -aoa -o%HOMEPATH%\Local Settings\Temp -plolmilf
- %TEMP%\yypiwinp.exe
- %TEMP%\serjk.exe
- %TEMP%\Gi.exe
- %TEMP%\_tbp.exe
- %TEMP%\geurge.exe
- %TEMP%\-1998166001 (downloaded from the Internet)
- %TEMP%\acbukeh.exe (downloaded from the Internet)
- %TEMP%\isfbpt.exe (downloaded from the Internet)
- %TEMP%\abmniqsn.exe (downloaded from the Internet)
- %TEMP%\ceye.exe (downloaded from the Internet)
- %TEMP%\sjvt.exe (downloaded from the Internet)
- %TEMP%\serjk.exe (downloaded from the Internet)
- %TEMP%\yypiwinp.exe (downloaded from the Internet)
- %TEMP%\vbqaigb.exe (downloaded from the Internet)
- %TEMP%\nphxdye.exe (downloaded from the Internet)
- %TEMP%\jgcj.exe (downloaded from the Internet)
- %TEMP%\lpkosvi.exe (downloaded from the Internet)
- <SYSTEM32>\cmd.exe /c ""C:\tujserrew.bat""
- <SYSTEM32>\sc.exe config SharedAccess start= DISABLED
- <SYSTEM32>\net1.exe stop "Security Center"
- <SYSTEM32>\rundll32.exe "%WINDIR%\mstusumf.dll",iep
- <SYSTEM32>\net1.exe stop "Windows Firewall/Internet Connection Sharing (ICS)
- <SYSTEM32>\rundll32.exe "%WINDIR%\mstusumf.dll",Startup
- <SYSTEM32>\svchost.exe
- <SYSTEM32>\net.exe stop "Security Center"
- <SYSTEM32>\net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)
- <SYSTEM32>\sc.exe config wscsvc start= DISABLED
- <SYSTEM32>\svchost.exe
- %WINDIR%\Explorer.EXE
- <SYSTEM32>\spoolsv.exe
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1400' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1601' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'currentlevel' = '00000000'
- C:\tujserrew.bat
- %TEMP%\lpkosvi.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\ofmupwryg[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\kxszhbwdcj[1].php
- %TEMP%\vbqaigb.exe
- %TEMP%\sjvt.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\neipnvqx[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\hytniqkszx[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\jjdlsnvtov[1].php
- %TEMP%\jgcj.exe
- %TEMP%\-1998166001
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\vytxsmu[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\neygn[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\ffaucji[1].php
- %TEMP%\acbukeh.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\vvqkfy[1].php
- %TEMP%\nphxdye.exe
- %TEMP%\abmniqsn.exe
- %TEMP%\isfbpt.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\lpkezhfmu[1].php
- %TEMP%\ceye.exe
- %TEMP%\EuroP.exe
- %TEMP%\E4U.exe
- %TEMP%\Gi.exe
- %TEMP%\_tbp.exe
- %TEMP%\ic1.exe
- %TEMP%\7za.exe
- %TEMP%\nsd2.tmp
- %TEMP%\a1.7z
- %TEMP%\nsx3.tmp\ExecDos.dll
- %TEMP%\bpfull.exe
- %TEMP%\yypiwinp.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\qdlsn[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\sjaipk[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\lpkez[1].php
- %TEMP%\serjk.exe
- %TEMP%\4.tmp
- %WINDIR%\mstusumf.dll
- %TEMP%\geurge.exe
- %WINDIR%\Temp\6.tmp
- %WINDIR%\Temp\6.tmp
- %TEMP%\~DF74D1.tmp
- <SYSTEM32>\svchost.exe
- %TEMP%\E4U.exe
- %TEMP%\nsx3.tmp\ExecDos.dll
- %TEMP%\5.tmp
- from %TEMP%\ic1.exe to %TEMP%\7.tmp
- from %TEMP%\4.tmp to %TEMP%\5.tmp
- 'localhost':1044
- 'mu###bus.net':80
- 'cb##ase.com':80
- cb##ase.com/pimuowecw/lpkezhfmu.php?ad########
- cb##ase.com/pimuowecw/vvqkfy.php?ad########
- cb##ase.com/pimuowecw/kxszhbwdcj.php?ad########
- cb##ase.com/pimuowecw/ffaucji.php?ad#################################################
- cb##ase.com/pimuowecw/neygn.php?ad########
- cb##ase.com/pimuowecw/vytxsmu.php?ad########
- cb##ase.com/pimuowecw/ofmupwryg.php?ad########
- cb##ase.com/pimuowecw/lpkez.php?ad########
- cb##ase.com/pimuowecw/sjaipk.php?ad########
- cb##ase.com/pimuowecw/qdlsn.php?ad########
- cb##ase.com/pimuowecw/jjdlsnvtov.php?ad########
- cb##ase.com/pimuowecw/hytniqkszx.php?ad########
- cb##ase.com/pimuowecw/neipnvqx.php?ad########
- DNS ASK mu###bus.net
- DNS ASK co####.perfectexe.com
- DNS ASK 02######093a.koralda.com
- DNS ASK cb##ase.com
- DNS ASK go##le.it
- DNS ASK ma#l.ru
- DNS ASK 00########.########.##.###########F4FC08682CAF5232551C0.n.empty.1147.empty.5_1._t_i.ffffffff.<Auxiliary name>_exe.168.rc2.a4h9uploading.com
- ClassName: 'Indicator' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'SystemTray_Main' WindowName: ''
- ClassName: 'CSCHiddenWindow' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''