Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ewrgetuj' = '%TEMP%\geurge.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Inoyikotadoqev' = 'rundll32.exe "%WINDIR%\vslabarv.dll",Startup'
- [<HKLM>\SYSTEM\ControlSet001\Control\Print\Providers\tdl] 'Name' = '%TEMP%\5.tmp'
- '%TEMP%\olqrji.exe'
- '%TEMP%\wugerqbl.exe'
- '%TEMP%\thheieqh.exe'
- '%TEMP%\aaussr.exe'
- '%TEMP%\unne.exe'
- '%TEMP%\ykml.exe'
- '%TEMP%\oldsyhwp.exe'
- '%TEMP%\glagqif.exe'
- '%TEMP%\jpou.exe'
- '%TEMP%\maycps.exe'
- '%TEMP%\E4U.exe'
- '%TEMP%\Gi.exe'
- '%TEMP%\ctfmon.exe'
- '%TEMP%\EuroP.exe'
- '%TEMP%\7za.exe' x %TEMP%\a1.7z -aoa -o%HOMEPATH%\Local Settings\Temp -plolmilf
- '%TEMP%\ltcvgcfx.exe'
- '%TEMP%\-1998166001'
- '%TEMP%\ic1.exe'
- '%TEMP%\_tbp.exe'
- '%TEMP%\geurge.exe'
- '%TEMP%\wugerqbl.exe' (downloaded from the Internet)
- '%TEMP%\olqrji.exe' (downloaded from the Internet)
- '%TEMP%\oldsyhwp.exe' (downloaded from the Internet)
- '%TEMP%\aaussr.exe' (downloaded from the Internet)
- '%TEMP%\unne.exe' (downloaded from the Internet)
- '%TEMP%\thheieqh.exe' (downloaded from the Internet)
- '%TEMP%\ltcvgcfx.exe' (downloaded from the Internet)
- '%TEMP%\-1998166001' (downloaded from the Internet)
- '%TEMP%\glagqif.exe' (downloaded from the Internet)
- '%TEMP%\ykml.exe' (downloaded from the Internet)
- '%TEMP%\maycps.exe' (downloaded from the Internet)
- '%TEMP%\jpou.exe' (downloaded from the Internet)
- '<SYSTEM32>\net1.exe' stop "Security Center"
- '<SYSTEM32>\cmd.exe' /c ""C:\tujserrew.bat""
- '<SYSTEM32>\rundll32.exe' "%WINDIR%\vslabarv.dll",iep
- '<SYSTEM32>\net1.exe' stop "Windows Firewall/Internet Connection Sharing (ICS)
- '<SYSTEM32>\sc.exe' config SharedAccess start= DISABLED
- '<SYSTEM32>\net.exe' stop "Security Center"
- '<SYSTEM32>\rundll32.exe' "%WINDIR%\vslabarv.dll",Startup
- '<SYSTEM32>\net.exe' stop "Windows Firewall/Internet Connection Sharing (ICS)
- '<SYSTEM32>\sc.exe' config wscsvc start= DISABLED
- <SYSTEM32>\spoolsv.exe
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1400' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1601' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'currentlevel' = '00000000'
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\elpxep[1].php
- %TEMP%\jpou.exe
- %TEMP%\glagqif.exe
- %TEMP%\ykml.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\qhysq[1].php
- %TEMP%\thheieqh.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\dhojrcwrm[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\vzgbidyje[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\mqupjickr[1].php
- %TEMP%\maycps.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\cgbvd[1].php
- %TEMP%\wugerqbl.exe
- %TEMP%\olqrji.exe
- %TEMP%\Aqz..bat
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\vadyjelgez[1].php
- %TEMP%\aaussr.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\nezgb[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\izqlfr[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\lctnltb[1].php
- %TEMP%\oldsyhwp.exe
- %TEMP%\unne.exe
- %TEMP%\EuroP.exe
- %TEMP%\E4U.exe
- %TEMP%\Gi.exe
- %TEMP%\_tbp.exe
- %TEMP%\ic1.exe
- %TEMP%\7za.exe
- %TEMP%\nsk2.tmp
- %TEMP%\a1.7z
- %TEMP%\nsc3.tmp\ExecDos.dll
- %TEMP%\ctfmon.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\pgaiqxwq[1].php
- %TEMP%\-1998166001
- %TEMP%\ltcvgcfx.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\ycgrzgozub[1].php
- C:\tujserrew.bat
- %WINDIR%\Temp\6.tmp
- %TEMP%\4.tmp
- %WINDIR%\vslabarv.dll
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\ridxsdls[1].php
- %TEMP%\geurge.exe
- %WINDIR%\Temp\6.tmp
- %TEMP%\E4U.exe
- %TEMP%\nsc3.tmp\ExecDos.dll
- %TEMP%\5.tmp
- from %TEMP%\ic1.exe to %TEMP%\7.tmp
- from %TEMP%\4.tmp to %TEMP%\5.tmp
- 'localhost':1044
- 'cb##ase.com':80
- cb##ase.com/dimqlweyg/izqlfr.php?ad########
- cb##ase.com/dimqlweyg/nezgb.php?ad########
- cb##ase.com/dimqlweyg/qhysq.php?ad########
- cb##ase.com/dimqlweyg/vadyjelgez.php?ad#################################################
- cb##ase.com/dimqlweyg/cgbvd.php?ad########
- cb##ase.com/dimqlweyg/lctnltb.php?ad########
- cb##ase.com/dimqlweyg/elpxep.php?ad########
- cb##ase.com/dimqlweyg/ycgrzgozub.php?ad########
- cb##ase.com/dimqlweyg/pgaiqxwq.php?ad########
- cb##ase.com/dimqlweyg/ridxsdls.php?ad########
- cb##ase.com/dimqlweyg/mqupjickr.php?ad########
- cb##ase.com/dimqlweyg/vzgbidyje.php?ad########
- cb##ase.com/dimqlweyg/dhojrcwrm.php?ad########
- DNS ASK ch###oetry.net
- DNS ASK su###table.net
- DNS ASK ne###pbug.com
- DNS ASK 19######0737.gerborn.com
- DNS ASK co####.perfectexe.com
- DNS ASK 00########.########.##.###########6488FB53A726FC9BED9C6.n.empty.1147.empty.5_1._t_i.ffffffff.<Auxiliary name>_exe.165.rc2.a4h9uploading.com
- DNS ASK ms#.com
- DNS ASK google.com
- DNS ASK cb##ase.com
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
- ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
- ClassName: 'Indicator' WindowName: '(null)'
- ClassName: 'SystemTray_Main' WindowName: '(null)'
- ClassName: 'CSCHiddenWindow' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'