Technical Information
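- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ctfmon' = '%WINDIR%\ctfmon.exe' (the genuine Windows ctfmon.exe resides in <SYSTEM32>, not directly in %WINDIR%, so a copy at this path is not the system binary)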
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'servicelayer' = '%WINDIR%\servicelayer.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'netx' = '%WINDIR%\svx.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '%TEMP%\ope7.exe ' = '%TEMP%\ope7.exe '
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'netw' = '%WINDIR%\svw.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Follower] 'ImagePath' = '%TEMP%\fFollower.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Follower] 'Start' = '00000002' (Start = 2 means the service is started automatically at boot)
- '%TEMP%\lnriwi.exe' (downloaded from the Internet)
- '%TEMP%\itse.exe' (downloaded from the Internet)
- '%TEMP%\idrsnx.exe' (downloaded from the Internet)
- '%TEMP%\dqsxpguv.exe' (downloaded from the Internet)
- '%TEMP%\ncnxa.exe' (downloaded from the Internet)
- '%TEMP%\vdpsmlll.exe' (downloaded from the Internet)
- '%TEMP%\lvjhkt.exe' (downloaded from the Internet)
- '%TEMP%\-1998166001' (downloaded from the Internet)
- '%TEMP%\ydcg.exe' (downloaded from the Internet)
- '%TEMP%\ctidix.exe' (downloaded from the Internet)
- '%TEMP%\pkujnvv.exe' (downloaded from the Internet)
- '%TEMP%\yxtpctf.exe' (downloaded from the Internet)
- '%TEMP%\ctidix.exe'
- '%TEMP%\idrsnx.exe'
- '%TEMP%\pkujnvv.exe'
- '%TEMP%\lvjhkt.exe'
- '%TEMP%\yxtpctf.exe'
- '%TEMP%\itse.exe'
- '%TEMP%\dqsxpguv.exe'
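- '<SYSTEM32>\cmd.exe' /c del %TEMP%\1YOUR_~1.EXE > nul (1YOUR_~1.EXE appears to be the 8.3 short name of '%TEMP%\1your_exe.exe' listed elsewhere in this report, i.e. the file is deleted after it has run)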
- '%TEMP%\ncnxa.exe'
- '%TEMP%\lnriwi.exe'
- '%TEMP%\vdpsmlll.exe'
- '%TEMP%\avto2.exe'
- '%TEMP%\avto1.exe'
- '%TEMP%\fFollower.exe'
- '%TEMP%\teste3_p.exe'
- '%TEMP%\teste2_p.exe'
- '%TEMP%\1your_exe.exe'
- '%TEMP%\-1998166001'
- '%TEMP%\fFollower.exe' /install /silent
- '%TEMP%\ydcg.exe'
- '%TEMP%\ope7.exe'
- '%TEMP%\svchosty.exe'
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\mqupaic[1].php
- %TEMP%\ncnxa.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\sjnvpnidk[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\justimportant[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\greatinstant[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\lafastfind[1].php
- %TEMP%\dqsxpguv.exe
- %TEMP%\lnriwi.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\imhbjepxrz[1].php
- %TEMP%\itse.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\cgxvqksq[1].php
- %TEMP%\vdpsmlll.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\jaucnvc[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\tds2[6].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\tds2[5].php
- <LS_APPDATA>\Microsoft\Internet Explorer\MSIMGSIZ.DAT
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CJCTQ25G\tds6[4].php
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CJCTQ25G\tds6[3].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\theabbal[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\tds2[4].php
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CJCTQ25G\tds6[2].php
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CJCTQ25G\tds6[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\mysuperload[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\tds2[3].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\tds2[2].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\tds2[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\bsvqbwql[1].php
- %WINDIR%\svx.exe
- %WINDIR%\svw.exe
- %TEMP%\svchosty.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\kofmhoahpk[1].php
- %WINDIR%\servicelayer.exe
- %WINDIR%\ctfmon.exe
- %TEMP%\ope7.exe
- %TEMP%\fFollower.exe
- %TEMP%\teste2_p.exe
- %TEMP%\teste3_p.exe
- %TEMP%\1your_exe.exe
- %TEMP%\avto1.exe
- %TEMP%\avto2.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\ycweckemxs[1].php
- %TEMP%\pkujnvv.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\aaidkfmhfa[1].php
- %TEMP%\idrsnx.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\kbidlfdytr[1].php
- %TEMP%\ctidix.exe
- %TEMP%\yxtpctf.exe
- %TEMP%\-1998166001
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\tkfzhs[1].php
- %TEMP%\ydcg.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\jjelg[1].php
- %TEMP%\lvjhkt.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\cgaickiqk[1].php
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CJCTQ25G\tds6[1].php
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CJCTQ25G\tds6[2].php
- %TEMP%\1your_exe.exe
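- 'au####loaders.net':80 (host names in this report are partially masked with '#', so they cannot be used as exact-match indicators as written)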
- 'localhost':1056 (the 'localhost' entries are loopback connections on the analysed machine, not remote hosts)
- 'localhost':1052
- 'localhost':1053
- 'localhost':1059
- 'localhost':1065
- 'localhost':1066
- 'localhost':1061
- 'localhost':1063
- 'gr####nstant.net':80
- 'localhost':1044
- 'aa###rogen.com':80
- 'localhost':1041
- 'tr###blo.com':80
- 'gi###irect.net':80
- 'localhost':1051
- 'gr###taby.com':80
- 'localhost':1048
- http://gr####nstant.net/lafastfind.php
- http://gr####nstant.net/greatinstant.php
- http://aa###rogen.com/djmdyf/mqupaic.php?ad#################################################
- http://aa###rogen.com/djmdyf/cgxvqksq.php?ad########
- http://aa###rogen.com/djmdyf/sjnvpnidk.php?ad########
- http://au####loaders.net/massnews/tds2.php
- http://gr###taby.com/theabbal.php
- http://gi###irect.net/1/tds6.php
- http://tr###blo.com/justimportant.php
- http://gr###taby.com/mysuperload.php
- http://aa###rogen.com/djmdyf/jjelg.php?ad########
- http://aa###rogen.com/djmdyf/aaidkfmhfa.php?ad########
- http://aa###rogen.com/djmdyf/cgaickiqk.php?ad########
- http://aa###rogen.com/djmdyf/tkfzhs.php?ad########
- http://aa###rogen.com/djmdyf/kofmhoahpk.php?ad########
- http://aa###rogen.com/djmdyf/imhbjepxrz.php?ad########
- http://aa###rogen.com/djmdyf/jaucnvc.php?ad########
- http://aa###rogen.com/djmdyf/bsvqbwql.php?ad########
- http://aa###rogen.com/djmdyf/ycweckemxs.php?ad########
- http://aa###rogen.com/djmdyf/kbidlfdytr.php?ad########
- DNS ASK gr###taby.com
- DNS ASK gi###irect.net
- DNS ASK au####loaders.net
- DNS ASK aa###rogen.com
- DNS ASK gr####nstant.net
- DNS ASK tr###blo.com
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'MS_WINHELP' WindowName: ''