Technical Information

Analyst summary of the indicators listed below (raw sandbox trace follows unchanged):
- Packaging: NSIS installer (nsExec.dll, System.dll, nsisplugin.dll, nsRandom.dll, InstallOptions.dll, Internet.dll dropped under %TEMP%\ns*.tmp), launched from mzone-5427.exe, with a second-stage installer mysetup.exe under %PROGRAM_FILES%\FeixinMedia.
- Kernel-mode persistence: `sc.exe create sfdrv01 ... type= kernel start= system` pointing at <SYSTEM32>\starforce\sfdrv01.sys (Start = 1, system start). The service name and path copy the StarForce copy-protection driver; a variant sfdrv01-nos.sys is also dropped. Do not whitelist this on the name alone — verify the file's signature and hash.
- User-mode persistence: auto-start service `KupSvrLookup` (Start = 2) running %PROGRAM_FILES%\Common\kupdata.exe with the misleading display name "ISATAP And Teredo To Cache Services" and a Chinese description imitating a Windows networking service.
- Network filtering: the sample drops its own copy of ipseccmd.exe, starts PolicyAgent (the IPsec service) and activates (`-x`) a rule set that BLOCKs whole ranges (119.147.*.*, 125.39.*.*, 122.70.*.*, 124.238.*.*, 119.188.*.*, 220.181.*.*, 221.194.*.*, 118.145.*.*) while PASSing selected /24s and two hosts (220.181.126.15, 125.39.100.74) inside them, mirrored to the local address (`+0`). The effect is to cut the victim off from most of those networks except the listed exceptions; during response, check the active IPsec filter list (e.g. `netsh ipsec dynamic show all` on XP/2003) rather than assuming connectivity problems are unrelated.
- Proxy/traffic redirection indicators: PAC file %WINDIR%\yypro.pac plus pro.txt/ypac.txt under %PROGRAM_FILES%\Common, and a request for wpad.localdomain/wpad.dat (cached under the LocalService profile, i.e. made from service context).
- C2/telemetry: HTTP GETs to tj.#233.com/ol.asp?t=... and /svr.asp?c=... (domain partially masked in the listing); local listener or connection on localhost:1036; sqlite3.dll and suject.db suggest local data storage.
- Remediation order that avoids leaving the system filtered: stop and delete both services (`sc stop`/`sc delete KupSvrLookup`, `sfdrv01`), remove the IPsec rules, remove the PAC/proxy configuration, then delete the dropped files listed below.
- [<HKLM>\SYSTEM\ControlSet001\Services\sfdrv01] 'Start' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\KupSvrLookup] 'Start' = '00000002'
- %PROGRAM_FILES%\FeixinMedia\mysetup.exe
- %PROGRAM_FILES%\Common\kupdata.exe
- <Current directory>\mzone-5427.exe
- %PROGRAM_FILES%\FeixinMedia\ipseccmd.exe -p Pass15 -r Pass15 -f 119.147.64.*+0 -n PASS -x -p Pass16 -r Pass16 -f 119.147.74.*+0 -n PASS -x -p Pass14 -r Pass14 -f 119.147.41.*+0 -n PASS -x -p Pass12 -r Pass12 -f 119.147.182.*+0 -n PASS -x -p Pass13 -r Pass13 -f 119.147.21.*+0 -n PASS -x -p Pass17 -r Pass17 -f 119.147.9.*+0 -n PASS -x -p Pass111 -r Pass111 -f 125.39.185.*+0 -n PASS -x -p Pass112 -r Pass112 -f 125.39.39.*+0 -n PASS -x -p Pass110 -r Pass110 -f 125.39.127.*+0 -n PASS -x -p Pass18 -r Pass18 -f 122.70.142.*+0 -n PASS -x -p Pass19 -r Pass19 -f 125.39.123.*+0 -n PASS -x -p Block4 -r BlockTHREE -f 124.238.*.*+0 -n BLOCK -x -p Block6 -r Block6 -f 125.39.*.*+0 -n BLOCK -x -p Block3 -r BlockTWO -f 122.70.*.*+0 -n BLOCK -x -p Block1 -r BlockTCP -f 119.147.*.*+0 -n BLOCK -x -p Block2 -r BlockNEW -f 119.188.*.*+0 -n BLOCK -x -p Block8 -r Block8 -f 220.181.*.*+0 -n BLOCK -x -p Pass2 -r Pass2 -f 220.181.126.15+0 -n PASS -x -p Pass11 -r Pass11 -f 119.147.15.*+0 -n PASS -x -p Pass1 -r Pass1 -f 125.39.100.74+0 -n PASS -x -p Block9 -r Block9 -f 221.194.*.*+0 -n BLOCK -x -p Block0 -r Block0 -f 118.145.*.*+0 -n BLOCK -x
- <SYSTEM32>\sc.exe start KupSvrLookup
- <SYSTEM32>\sc.exe create sfdrv01 binpath= <SYSTEM32>\starforce\sfdrv01.sys type= kernel start= system group= Base tag= yes
- <SYSTEM32>\sc.exe start sfdrv01
- <SYSTEM32>\sc.exe start PolicyAgent
- <SYSTEM32>\sc.exe create KupSvrLookup binpath= "%PROGRAM_FILES%\Common\kupdata.exe" type= share start= auto displayname= "ISATAP And Teredo To Cache Services"
- <SYSTEM32>\sc.exe description KupSvrLookup "К№УГ IPv6 ЧЄ»»јјКхМṩЅшРР»ҐБЄНшдЇААёьРВТФј°Ф¤¶БјУЛЩ·юОсЎЈИз№ыНЈЦ№ёГ·юОсЈ¬ФтјЖЛг»ъЅ«І»ѕЯ±ёХвР©јјКхМṩµДјУЛЩ№¦ДЬЎЈ"
  (The description is Simplified-Chinese GBK text mis-rendered as Windows-1251 Cyrillic by the capture tool; kept verbatim above because it is the literal string the sample passes to sc.exe. Decoded approximately: "Uses IPv6 transition technologies to provide Internet ... update and prefetch acceleration services. If this service is stopped, the computer will not have the acceleration features these technologies provide." — a few characters could not be decoded with confidence. The wording deliberately mimics the Windows IP Helper (iphlpsvc) service description, so a service with this name/description should not be trusted on its text alone.)
- <SYSTEM32>\starforce\sfdrv01.sys
- %WINDIR%\yypro.pac
- %PROGRAM_FILES%\Common\pro.txt
- %TEMP%\nsvF.tmp\ns13.tmp
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0J2LM5OP\ol[1].asp
- %TEMP%\nsvF.tmp\ns14.tmp
- C:\tthread.txt
- %TEMP%\nsvF.tmp\System.dll
- %TEMP%\nsvF.tmp\AccessControl.dll
- %PROGRAM_FILES%\Common\sfdrv01.sys
- %TEMP%\nsvF.tmp\nsExec.dll
- %TEMP%\nsvF.tmp\ns12.tmp
- %TEMP%\nsvF.tmp\ns11.tmp
- %TEMP%\nsvF.tmp\ns10.tmp
- %TEMP%\nsh2.tmp\ns15.tmp
- %TEMP%\nsh2.tmp\ns1E.tmp
- %TEMP%\nsh2.tmp\ns1D.tmp
- %TEMP%\nsh2.tmp\ns1C.tmp
- %TEMP%\nsh2.tmp\ns1F.tmp
- %TEMP%\nsh2.tmp\ns22.tmp
- %TEMP%\nsh2.tmp\ns21.tmp
- %TEMP%\nsh2.tmp\ns20.tmp
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0J2LM5OP\wpad[1].dat
- %TEMP%\nsh2.tmp\ns17.tmp
- %TEMP%\nsh2.tmp\ns16.tmp
- %TEMP%\nsh2.tmp\ns18.tmp
- %TEMP%\nsh2.tmp\ns1B.tmp
- %TEMP%\nsh2.tmp\ns1A.tmp
- %TEMP%\nsh2.tmp\ns19.tmp
- %PROGRAM_FILES%\Common\suject.db
- %TEMP%\nsa4.tmp\modern-wizard.bmp
- %TEMP%\nsa4.tmp\ioSpecial.ini
- %TEMP%\nsh2.tmp\Internet.dll
- %TEMP%\nsa4.tmp\InstallOptions.dll
- %TEMP%\nsh2.tmp\nsExec.dll
- %PROGRAM_FILES%\FeixinMedia\ipseccmd.exe
- %TEMP%\nsh2.tmp\nsisplugin.dll
- <Current directory>\mzone-5427.exe
- %PROGRAM_FILES%\FeixinMedia\s0001.xml
- %PROGRAM_FILES%\FeixinMedia\menu.xml
- %TEMP%\nsh2.tmp\System.dll
- %TEMP%\nsh2.tmp\nsRandom.dll
- %PROGRAM_FILES%\FeixinMedia\un0213004000541.exe
- %PROGRAM_FILES%\FeixinMedia\temp0213004000541.ini
- %TEMP%\nsh2.tmp\ns5.tmp
- %PROGRAM_FILES%\Common\sqlite3.dll
- %PROGRAM_FILES%\FeixinMedia\mysetup.exe
- %TEMP%\nsh2.tmp\nsD.tmp
- %PROGRAM_FILES%\Common\ypac.txt
- %PROGRAM_FILES%\Common\kupdata.exe
- %PROGRAM_FILES%\Common\sfdrv01-nos.sys
- %PROGRAM_FILES%\Common\msxml2.dll
- %TEMP%\nsh2.tmp\ns8.tmp
- %TEMP%\nsh2.tmp\ns7.tmp
- %TEMP%\nsh2.tmp\ns6.tmp
- %TEMP%\nsh2.tmp\ns9.tmp
- %TEMP%\nsh2.tmp\nsC.tmp
- %TEMP%\nsh2.tmp\nsB.tmp
- %TEMP%\nsh2.tmp\nsA.tmp
- %TEMP%\nsh2.tmp\ns16.tmp
- %TEMP%\nsh2.tmp\ns15.tmp
- %TEMP%\nsh2.tmp\ns18.tmp
- %TEMP%\nsh2.tmp\ns17.tmp
- %PROGRAM_FILES%\FeixinMedia\mysetup.exe
- %TEMP%\nsvF.tmp\System.dll
- %PROGRAM_FILES%\FeixinMedia\menu.xml
- %PROGRAM_FILES%\FeixinMedia\s0001.xml
- %TEMP%\nsh2.tmp\ns19.tmp
- %TEMP%\nsh2.tmp\ns1F.tmp
- %TEMP%\nsh2.tmp\ns1E.tmp
- %TEMP%\nsh2.tmp\ns21.tmp
- %TEMP%\nsh2.tmp\ns20.tmp
- %TEMP%\nsh2.tmp\ns1B.tmp
- %TEMP%\nsh2.tmp\ns1A.tmp
- %TEMP%\nsh2.tmp\ns1D.tmp
- %TEMP%\nsh2.tmp\ns1C.tmp
- %TEMP%\nsvF.tmp\nsExec.dll
- %TEMP%\nsh2.tmp\nsA.tmp
- %TEMP%\nsh2.tmp\ns9.tmp
- %TEMP%\nsh2.tmp\nsC.tmp
- %TEMP%\nsh2.tmp\nsB.tmp
- %TEMP%\nsh2.tmp\ns6.tmp
- %TEMP%\nsh2.tmp\ns5.tmp
- %TEMP%\nsh2.tmp\ns8.tmp
- %TEMP%\nsh2.tmp\ns7.tmp
- %TEMP%\nsh2.tmp\nsD.tmp
- %PROGRAM_FILES%\Common\sfdrv01.sys
- %TEMP%\nsvF.tmp\ns14.tmp
- %TEMP%\nsvF.tmp\AccessControl.dll
- %PROGRAM_FILES%\Common\sfdrv01-nos.sys
- %TEMP%\nsvF.tmp\ns11.tmp
- %TEMP%\nsvF.tmp\ns10.tmp
- %TEMP%\nsvF.tmp\ns13.tmp
- %TEMP%\nsvF.tmp\ns12.tmp
- 'wpad.localdomain':80
- 'localhost':1036
- 'tj.#233.com':80
- wpad.localdomain/wpad.dat
- tj.#233.com/ol.asp?t=####################################
- tj.#233.com/svr.asp?c=########################################
- DNS ASK wpad.localdomain
- DNS ASK tj.#233.com
- ClassName: 'Shell_TrayWnd' WindowName: ''