Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ewrgetuj' = '%TEMP%\geurge.exe'
- [<HKLM>\SYSTEM\ControlSet001\Control\Print\Providers\tdl] 'Name' = '%TEMP%\5.tmp'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'lsdefrag' = '%TEMP%\dp.exe'
- '%TEMP%\hjxoqvo.exe'
- '%TEMP%\jncdrra.exe'
- '%TEMP%\kxqvxljp.exe'
- '%TEMP%\gknqoxn.exe'
- '%TEMP%\-1998166001'
- '%TEMP%\pswfgxw.exe'
- '%TEMP%\gqtfimml.exe'
- '%TEMP%\urfmk.exe'
- '%TEMP%\bdnnq.exe'
- '%TEMP%\oeddwuso.exe'
- '%TEMP%\E4U.exe'
- '%TEMP%\EuroP.exe'
- '%TEMP%\ic6.exe'
- '%TEMP%\dp.exe'
- '%TEMP%\7za.exe' x %TEMP%\a1.7z -aoa -o%HOMEPATH%\Local Settings\Temp -plolmilf
- '%TEMP%\yxtyx.exe'
- '%TEMP%\piwydxtu.exe'
- '%TEMP%\ic1.exe'
- '%TEMP%\Gi.exe'
- '%TEMP%\geurge.exe'
- '%TEMP%\jncdrra.exe' (downloaded from the Internet)
- '%TEMP%\hjxoqvo.exe' (downloaded from the Internet)
- '%TEMP%\gqtfimml.exe' (downloaded from the Internet)
- '%TEMP%\gknqoxn.exe' (downloaded from the Internet)
- '%TEMP%\-1998166001' (downloaded from the Internet)
- '%TEMP%\kxqvxljp.exe' (downloaded from the Internet)
- '%TEMP%\yxtyx.exe' (downloaded from the Internet)
- '%TEMP%\piwydxtu.exe' (downloaded from the Internet)
- '%TEMP%\urfmk.exe' (downloaded from the Internet)
- '%TEMP%\pswfgxw.exe' (downloaded from the Internet)
- '%TEMP%\bdnnq.exe' (downloaded from the Internet)
- '%TEMP%\oeddwuso.exe' (downloaded from the Internet)
- '<SYSTEM32>\cmd.exe' /c ""C:\tujserrew.bat""
- '<SYSTEM32>\net1.exe' stop "Security Center"
- '<SYSTEM32>\net1.exe' stop "Windows Firewall/Internet Connection Sharing (ICS)
- '<SYSTEM32>\sc.exe' config SharedAccess start= DISABLED
- '<SYSTEM32>\net.exe' stop "Security Center"
- '<SYSTEM32>\sc.exe' config wscsvc start= DISABLED
- '<SYSTEM32>\net.exe' stop "Windows Firewall/Internet Connection Sharing (ICS)
- <SYSTEM32>\spoolsv.exe
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1400' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1601' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'currentlevel' = '00000000'
- %TEMP%\oeddwuso.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\cgaickiqk[1].php
- C:\tujserrew.bat
- %TEMP%\urfmk.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\cgxvqksq[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\aaidkfmhfa[1].php
- %TEMP%\-1998166001
- %TEMP%\kxqvxljp.exe
- %TEMP%\bdnnq.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\sjnvpnidk[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\jaucnvc[1].php
- %TEMP%\jncdrra.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\bsvqbwql[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\ycweckemxs[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\mqupaic[1].php
- %TEMP%\hjxoqvo.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\kofmhoahpk[1].php
- %TEMP%\pswfgxw.exe
- %TEMP%\gknqoxn.exe
- %TEMP%\gqtfimml.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\kbidlfdytr[1].php
- %TEMP%\E4U.exe
- %TEMP%\dp.exe
- %TEMP%\EuroP.exe
- %TEMP%\ic1.exe
- %TEMP%\Gi.exe
- %TEMP%\7za.exe
- %TEMP%\nsr2.tmp
- %TEMP%\a1.7z
- %TEMP%\nsi3.tmp\ExecDos.dll
- %TEMP%\ic6.exe
- %TEMP%\ls46.id
- %TEMP%\yxtyx.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\imhbjepxrz[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\jjelg[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\tkfzhs[1].php
- %TEMP%\piwydxtu.exe
- %TEMP%\4.tmp
- %WINDIR%\Temp\6.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\files[1].php
- %TEMP%\geurge.exe
- %TEMP%\~DF9234.tmp
- %TEMP%\E4U.exe
- %WINDIR%\Temp\6.tmp
- %TEMP%\nsi3.tmp\ExecDos.dll
- %TEMP%\5.tmp
- from %TEMP%\ic1.exe to %TEMP%\7.tmp
- from %TEMP%\4.tmp to %TEMP%\5.tmp
- 'co####.perfectexe.com':88
- 'ed##aim.net':80
- 'da###tub.com':80
- 'ab####gnostic.com':80
- ab####gnostic.com/djmdyf/kofmhoahpk.php?ad########
- ab####gnostic.com/djmdyf/jaucnvc.php?ad########
- ab####gnostic.com/djmdyf/cgxvqksq.php?ad########
- ab####gnostic.com/djmdyf/kbidlfdytr.php?ad########
- ab####gnostic.com/djmdyf/mqupaic.php?ad#################################################
- ab####gnostic.com/djmdyf/ycweckemxs.php?ad########
- ab####gnostic.com/djmdyf/bsvqbwql.php?ad########
- ab####gnostic.com/djmdyf/cgaickiqk.php?ad########
- ab####gnostic.com/djmdyf/imhbjepxrz.php?ad########
- da###tub.com/services/files.php?ui#############################################################
- da###tub.com/services/install.php?ui#############################
- ab####gnostic.com/djmdyf/jjelg.php?ad########
- ab####gnostic.com/djmdyf/sjnvpnidk.php?ad########
- ab####gnostic.com/djmdyf/aaidkfmhfa.php?ad########
- ab####gnostic.com/djmdyf/tkfzhs.php?ad########
- DNS ASK ms#.com
- DNS ASK google.com
- DNS ASK ed##aim.net
- DNS ASK da###tub.com
- DNS ASK ab####gnostic.com
- DNS ASK co####.perfectexe.com
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'SystemTray_Main' WindowName: ''
- ClassName: 'CSCHiddenWindow' WindowName: ''