Техническая информация
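Параметр 'debugger' в разделе Image File Execution Options заставляет Windows при запуске указанного исполняемого файла запускать вместо него программу из этого параметра (здесь — rundll32), поэтому перечисленные ниже приложения, как правило, перестают запускаться:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nmPlayer.exe] 'debugger' = 'rundll32'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WxCultureCLi.exe] 'debugger' = 'rundll32'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ClientCore.exe] 'debugger' = 'rundll32'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nmClient.exe] 'debugger' = 'rundll32'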
- '<SYSTEM32>\20110603\RzxMonx.exe'
- 'C:\checkmd5\unsafe.EXE'
- 'C:\checkmd5\smss.exe'
- 'C:\checkmd5\ytsafe01.EXE'
- 'C:\checkmd5\ytsafe01.EXE' /pid=3468
- 'C:\checkmd5\ytsafe01.EXE' /S /D /c" echo y"
- 'C:\checkmd5\unsafe.EXE' /pid=2744
- '<SYSTEM32>\wx20110203\wxlockie.exe'
- '<SYSTEM32>\wx20110203\lockieinf.exe'
- '<SYSTEM32>\wx20110203\Loadexe.exe'
- '%PROGRAM_FILES%\rzx.185441\wxlockie.exe'
- '<SYSTEM32>\wx20110203\CheckMd5.exe'
- '<SYSTEM32>\20110603\svchost.exe'
- '<SYSTEM32>\wx20110203\instbho.exe'
- '<SYSTEM32>\taskkill.exe' /pid=3808
- '<SYSTEM32>\cacls.exe' /c ""<SYSTEM32>\wx20110203\killpro.cmd" "
- '<SYSTEM32>\cacls.exe' /pid=1484
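- '<SYSTEM32>\cacls.exe' <SYSTEM32>\ghome.exe /P everyone:N
  (Примечание: здесь и далее ключ cacls «/P everyone:N» заменяет права группы Everyone на «нет доступа», а «/D everyone» запрещает ей доступ, то есть перечисленные файлы становятся недоступными для чтения и запуска; при восстановлении системы списки доступа этих файлов нужно проверить и вернуть в исходное состояние.)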
- '<SYSTEM32>\taskkill.exe' /c ""<SYSTEM32>\wx20110203\killpro.cmd" "
- '<SYSTEM32>\taskkill.exe' /f /im rzxinfos.exe
- '<SYSTEM32>\taskkill.exe' /pid=492
- '<SYSTEM32>\taskkill.exe' /f /im ttlgmrcnt.exe
- '<SYSTEM32>\taskkill.exe' /pid=1368
- '<SYSTEM32>\cmd.exe' /c c:\checkmd5\enablesafe.cmd
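- '<SYSTEM32>\cacls.exe' /S /D /c" echo y"
- '<SYSTEM32>\cacls.exe' /f /im i8gylive.exe
  (Примечание: в этом списке имя образа и строка аргументов местами не соответствуют друг другу — например, «/f /im» является синтаксисом taskkill, а «/S /D /c» и «/c …killpro.cmd» — синтаксисом cmd.exe; значения вида «/pid=NNNN» тоже не похожи на настоящие аргументы этих программ. По-видимому, это артефакт журналирования, поэтому при составлении правил обнаружения такие пары стоит сверять с реальной телеметрией, а не переносить дословно.)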
- '<SYSTEM32>\taskkill.exe' /pid=3560
- '<SYSTEM32>\cacls.exe' /pid=3476
- '<SYSTEM32>\cacls.exe' <SYSTEM32>\msawd32.dll /e /p everyone:n
- '<SYSTEM32>\cacls.exe' <SYSTEM32>\ttlgmrcnt.exe /P everyone:N
- '<SYSTEM32>\cacls.exe' <SYSTEM32>\d3d8thk.dll.OCDW /e /p everyone:n
- '<SYSTEM32>\taskkill.exe' /f /im ghome.exe
- '<SYSTEM32>\cacls.exe' <SYSTEM32>\dsound.dll.tmp /e /p everyone:n
- '<SYSTEM32>\cacls.exe' <SYSTEM32>\ddraw.dll.tmp /e /p everyone:n
- '<SYSTEM32>\cacls.exe' <SYSTEM32>\d3d8thk.dll.tmp /e /p everyone:n
- '<SYSTEM32>\taskkill.exe' /f /im sch.exe
- '<SYSTEM32>\taskkill.exe' /pid=2636
- '<SYSTEM32>\taskkill.exe' /pid=756
- '<SYSTEM32>\cacls.exe' %WINDIR%\system\svchost.exe /D everyone
- '<SYSTEM32>\cacls.exe' <SYSTEM32>\20101013024835.dll /e /p everyone:n
- '<SYSTEM32>\cacls.exe' <SYSTEM32>\20101013024823.dll /e /p everyone:n
- '<SYSTEM32>\cacls.exe' %WINDIR%\system\sch.exe /D everyone
- '<SYSTEM32>\taskkill.exe' /f /im WxCultureCLi.exe
- '<SYSTEM32>\cacls.exe' <SYSTEM32>\temp /p everyone:f
- '<SYSTEM32>\cmd.exe' /c ""<SYSTEM32>\wx20110203\killpro.cmd" "
- '<SYSTEM32>\cmd.exe' /c <SYSTEM32>\20110603\reload.bat
- '<SYSTEM32>\cacls.exe' <DRIVERS>\wxcliker3.sys /D everyone
- '<SYSTEM32>\cacls.exe' <SYSTEM32>\g1123.sys /D everyone
- '<SYSTEM32>\taskkill.exe' /f /im rzxmonx.exe
- '<SYSTEM32>\taskkill.exe' /f /im IEXPLORE.EXE
- '%WINDIR%\regedit.exe' /s .\jyexe.reg
- '<SYSTEM32>\cmd.exe' /c <SYSTEM32>\wx20110203\myrun.cmd
- '<SYSTEM32>\cmd.exe' /c c:\checkmd5\disablesafe.cmd
- '<SYSTEM32>\wscript.exe' "<SYSTEM32>\wx20110203\ok.VBS"
- '<SYSTEM32>\cacls.exe' c:\msvcr81.dll /D everyone
- '<SYSTEM32>\gpupdate.exe'
- '<SYSTEM32>\cacls.exe' <Имя диска съемного носителя>:\i8client\i8gylive.exe /P everyone:N
- '<SYSTEM32>\taskkill.exe' /f /im i8gylive.exe
- '<SYSTEM32>\cacls.exe' <SYSTEM32>\x.exe /P everyone:N
- '<SYSTEM32>\cacls.exe' c:\i8client\i8gylive.exe /P everyone:N
- '%WINDIR%\regedit.exe' /pid=2976
- '<SYSTEM32>\taskkill.exe' /f /im ispushe.exe
- '<SYSTEM32>\cacls.exe' %WINDIR%\crsv.exe /P everyone:N
- '<SYSTEM32>\taskkill.exe' /f /im conime.exe
- '<SYSTEM32>\cacls.exe' <SYSTEM32>\ispush.exe /P everyone:N
- '<SYSTEM32>\taskkill.exe' /f /im ispush.exe
- '<SYSTEM32>\cacls.exe' <SYSTEM32>\conime.exe /P everyone:N
- '<SYSTEM32>\cacls.exe' %WINDIR%\x.exe /P everyone:N
- '<SYSTEM32>\cacls.exe' c:\x.exe /P everyone:N
- '<SYSTEM32>\taskkill.exe' /f /im x.exe
- <SYSTEM32>\taskkill.exe
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\cacls.exe
- iexplore.exe
- iexplore.exe
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'StartMenuLogOff' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoLogoff' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoNetHood' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoSMHelp' = '00000001'
- <SYSTEM32>\GroupPolicy\Adm\wmplayer.adm
- <SYSTEM32>\GroupPolicy\Adm\system.adm
- <SYSTEM32>\GroupPolicy\Adm\inetres.adm
- <SYSTEM32>\GroupPolicy\Machine\Registry.pol
- <SYSTEM32>\GroupPolicy\gpt.ini
- <SYSTEM32>\GroupPolicy\Adm\wuau.adm
- <SYSTEM32>\GroupPolicy\Adm\conf.adm
- C:\checkmd5\Ytbaoan.dll
- C:\checkmd5\kill.exe
- <SYSTEM32>\GroupPolicy\Adm\admfiles.ini
- C:\safe.log
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\ipsave[1].asp
- %HOMEPATH%\Desktop\Internet Explorer.lnk
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\wbgetip[1].asp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\ytbaoan[1].dll
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\wbgetip[1].asp
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
- %HOMEPATH%\Start Menu\Programs\Internet Explorer.lnk
- <SYSTEM32>\20110603\Yhczku.dll
- %ALLUSERSPROFILE%\ntuser.pol
- <SYSTEM32>\runbat.exe
- <SYSTEM32>\GroupPolicy\User\Registry.pol
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\lockie[1].dll
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\ipsave[1].asp
- %HOMEPATH%\ntuser.pol
- C:\checkmd5\MSWINSCK.OCX
- <SYSTEM32>\wx20110203\OpenHnadv.exe
- <SYSTEM32>\wx20110203\hnadvRar.exe
- <SYSTEM32>\wx20110203\JYexe.reg
- %PROGRAM_FILES%\rzx.185441\lockie.ini
- <SYSTEM32>\lockie.inf
- <SYSTEM32>\wx20110203\CheckMd5.exe
- <SYSTEM32>\wx20110203\killpro.cmd
- <SYSTEM32>\wx20110203\myrun.cmd
- <SYSTEM32>\wx20110203\Loadexe.exe
- <SYSTEM32>\wx20110203\wxlockie.exe
- <SYSTEM32>\wx20110203\ok.VBS
- <SYSTEM32>\wx20110203\instbho.exe
- <SYSTEM32>\wx20110203\lockieinf.exe
- C:\checkmd5\enablesafe.cmd
- C:\checkmd5\checkfile.ini
- C:\checkmd5\smss.exe
- C:\checkmd5\unsafe.EXE
- C:\checkmd5\disablesafe.cmd
- C:\checkmd5\ytsafe01.EXE
- C:\checkmd5\traycon.ocx
- <SYSTEM32>\20110603\svchost.exe
- <SYSTEM32>\20110603\RzxMonx.exe
- %PROGRAM_FILES%\rzx.185441\wxlockie.exe
- <SYSTEM32>\20110603\reload.bat
- <SYSTEM32>\20110603\lockie.dll
- <SYSTEM32>\20110603\antimon.dll
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
- %HOMEPATH%\Desktop\Internet Explorer.lnk
- <SYSTEM32>\GroupPolicy\Adm\admfiles.ini
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\wbgetip[1].asp
- <SYSTEM32>\CONFIG.TMP
- <SYSTEM32>\20110603\Yhczku.dll.log
- <SYSTEM32>\20110603\Yhczku.dll
- <SYSTEM32>\20110603\lockie.dll
- %HOMEPATH%\ntuser.pol
- %ALLUSERSPROFILE%\ntuser.pol
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\wbgetip[1].asp
- %HOMEPATH%\Desktop\Internet Explorer.lnk
- <SYSTEM32>\wx20110203\instbho.exe
- <SYSTEM32>\wx20110203\Loadexe.exe
- <SYSTEM32>\wx20110203\hnadvRar.exe
- <SYSTEM32>\20110603\antimon.dll
- <SYSTEM32>\wx20110203\CheckMd5.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\ipsave[1].asp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\ipsave[1].asp
- <SYSTEM32>\wx20110203\wxlockie.exe
- <SYSTEM32>\wx20110203\lockieinf.exe
- <SYSTEM32>\wx20110203\OpenHnadv.exe
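- 'ch####ha.cswblm.com':80
  (Примечание: символы «#» в именах узлов здесь и ниже — по-видимому, маскировка части имени при публикации: в доменном имени такой символ недопустим. Эти строки нельзя использовать как готовые индикаторы; для блокировки или поиска в журналах нужны полные имена из исходного отчёта.)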
- 'dh.##wblm.com':80
- 'localhost':1043
- 'localhost':1035
- 'www.cs##lm.com':80
- 'localhost':1038
- dh.##wblm.com/ytbaoan/ytbaoan.dll
- dh.##wblm.com/getip/wbgetip.asp
- www.cs##lm.com/ipsave.asp
- ch####ha.cswblm.com/myfile/lockie.dll
- DNS ASK dh.##wblm.com
- DNS ASK www.i8##.com
- DNS ASK ch####ha.cswblm.com
- DNS ASK www.cs##lm.com
- 'localhost':13331
- 'localhost':13332
- ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
- ClassName: 'SysListView32' WindowName: '(null)'
- ClassName: '(null)' WindowName: '(null)'
- ClassName: 'RegEdit_RegEdit' WindowName: '(null)'
- ClassName: '(null)' WindowName: 'www.baidu.com'
- ClassName: 'SHELLDLL_DefView' WindowName: '(null)'
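- ClassName: '#32770' WindowName: 'Windows ?????'
  (Примечание: знаки «?» в заголовке окна здесь и в записи с WindowName '??' — по-видимому, символы не из набора ASCII, утраченные при перекодировке; исходный текст заголовков по этой странице восстановить нельзя.)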
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'EDIT' WindowName: '(null)'
- ClassName: 'Progman' WindowName: '(null)'
- ClassName: 'SysListView32' WindowName: '??'
- ClassName: '#32770' WindowName: '(null)'