Техническая информация (Technical information): sandbox behaviour trace of the sample, listed without section separators — registry values written, command lines executed (tools dropped under %TEMP% plus system findstr/reg/cscript/attrib), files created and removed, one file rename, outbound network activity (hostnames are partially masked with `###` in this report) and window classes observed.
- [<HKLM>\SYSTEM\ControlSet001\Services\sr] 'Start' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\srservice] 'Start' = '00000002'
- '%TEMP%\sed.exe' "s/^[ \t]*//;s/[ \t]*$//" input.txt
- '%TEMP%\sed.exe' "s/=/@/g" logje1.txt
- '%TEMP%\wget.exe' http://www.hi###kthis.nl/smeenk/samples/ZAScan.exe
- '%TEMP%\sed.exe' /I /M "emptyalltemp;"
- '%TEMP%\sed.exe' "s/!/----/g" delete.zoek
- '%TEMP%\sed.exe' /pid=3940
- '%TEMP%\wget.exe' /I /M "emptyclsid;"
- '%TEMP%\RarSFX0\PEVZ.EXE' PLIST
- '%TEMP%\RarSFX0\PEVZ.EXE' clist
- '%TEMP%\RarSFX0\PEVZ.EXE' exec cmd.exe /c zoek-install.bat
- '%TEMP%\RarSFX0\PEVZ.EXE' -rtd "%HOMEPATH%"
- '%TEMP%\sed.exe' "s/by Smeenk/by Smeenk. Updated 14-07-2014/g" zoekrun.hta
- '%TEMP%\sed.exe' "s/by Smeenk/by Smeenk. Updated 14-07-2014/g" zoek.hta
- '%TEMP%\wget.exe' http://www.hi###kthis.nl/smeenk/samples/download8.bat
- '<SYSTEM32>\findstr.exe' /I /M ";e"
- '<SYSTEM32>\findstr.exe' /I /M ";i"
- '<SYSTEM32>\findstr.exe' /I /M ";ff"
- '<SYSTEM32>\findstr.exe' /I /M "firefoxlook;"
- '<SYSTEM32>\findstr.exe' /I /M ";z"
- '<SYSTEM32>\findstr.exe' /I /M "chrdefaults;"
- '<SYSTEM32>\findstr.exe' /I /M "emptychrcache;"
- '<SYSTEM32>\findstr.exe' /M /I "installer-list;"
- '<SYSTEM32>\findstr.exe' /I /M "filesrcm;"
- '<SYSTEM32>\findstr.exe' /V " : "
- '<SYSTEM32>\findstr.exe' /I /M ";chr"
- '<SYSTEM32>\findstr.exe' /V /I ";chr"
- '<SYSTEM32>\findstr.exe' /V " \ "
- '<SYSTEM32>\findstr.exe' /I /M "chromelook;"
- '<SYSTEM32>\findstr.exe' /M /I "skipstartpage"
- '<SYSTEM32>\findstr.exe' /M /I "ffdefaults;"
- '<SYSTEM32>\findstr.exe' /I /V ";firefoxlook;"
- '<SYSTEM32>\findstr.exe' /I /V ";ff"
- '<SYSTEM32>\cscript.exe' /I /M "autoclean;"
- '<SYSTEM32>\cscript.exe' /S /D /c" type input.txt "
- '<SYSTEM32>\findstr.exe' /pid=3612
- '<SYSTEM32>\findstr.exe' /pid=3720
- '<SYSTEM32>\findstr.exe' /I /M "shortcutfix;"
- '<SYSTEM32>\findstr.exe' /I /M "emptyjava;"
- '<SYSTEM32>\findstr.exe' /pid=3608
- '<SYSTEM32>\findstr.exe' /pid=3404
- '<SYSTEM32>\findstr.exe' /I /M "symlinksfix;"
- '<SYSTEM32>\findstr.exe' /I /M "emptyflash;"
- '<SYSTEM32>\findstr.exe' /I /M "autoruns;"
- '<SYSTEM32>\findstr.exe' /I /M "emptyffcache;"
- '<SYSTEM32>\findstr.exe' /I /M "emptyiecache;"
- '<SYSTEM32>\findstr.exe' /I /M "hijackthis;"
- '<SYSTEM32>\findstr.exe' /I /M "silentrunners;"
- '<SYSTEM32>\reg.exe' /I /M "systemspecs;"
- '<SYSTEM32>\findstr.exe' /M /I ";u"
- '<SYSTEM32>\findstr.exe' /I /M "uninstall-list;"
- '<SYSTEM32>\findstr.exe' /i /v "m1"
- '<SYSTEM32>\findstr.exe' /I /M ";a"
- '<SYSTEM32>\findstr.exe' /i /v "m3"
- '<SYSTEM32>\findstr.exe' /i /v "m2"
- '<SYSTEM32>\findstr.exe' /I /M "resethosts;"
- '<SYSTEM32>\findstr.exe' /v /i ";m4d"
- '<SYSTEM32>\findstr.exe' /v /i ";m3d"
- '<SYSTEM32>\findstr.exe' /v /i ";m6d"
- '<SYSTEM32>\findstr.exe' /v /i ";m5d"
- '<SYSTEM32>\findstr.exe' /m /i "desktop.ini"
- '<SYSTEM32>\findstr.exe' /I /M "]"
- '<SYSTEM32>\findstr.exe' /M /I "AlternateShell"
- '%WINDIR%\regedit.exe' /e logme.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
- '<SYSTEM32>\findstr.exe' /I /M "["
- '<SYSTEM32>\findstr.exe' /i /v "m5"
- '<SYSTEM32>\findstr.exe' /i /v "m4"
- '<SYSTEM32>\findstr.exe' /I /M ";ra"
- '<SYSTEM32>\findstr.exe' /i /v "m6"
- '<SYSTEM32>\findstr.exe' /I /M ";m3"
- '<SYSTEM32>\findstr.exe' /I /M ";m2"
- '<SYSTEM32>\findstr.exe' /I /M ";m5"
- '<SYSTEM32>\findstr.exe' /I /M ";m4"
- '<SYSTEM32>\findstr.exe' /I /M ";m1"
- '<SYSTEM32>\findstr.exe' /I /M ";c"
- '<SYSTEM32>\findstr.exe' /I /M ";f"
- '<SYSTEM32>\findstr.exe' /I /M services-list;
- '<SYSTEM32>\findstr.exe' /I /M ";s"
- '<SYSTEM32>\findstr.exe' /v /i ";m6f"
- '<SYSTEM32>\findstr.exe' /v /i ";m5f"
- '<SYSTEM32>\findstr.exe' /v /i ";m2d"
- '<SYSTEM32>\findstr.exe' /v /i ";m1d"
- '<SYSTEM32>\findstr.exe' /v /i ";m4f"
- '<SYSTEM32>\findstr.exe' /v /i ";m1f"
- '<SYSTEM32>\findstr.exe' /I /M ";m6"
- '<SYSTEM32>\findstr.exe' /v /i ";m3f"
- '<SYSTEM32>\findstr.exe' /v /i ";m2f"
- '<SYSTEM32>\findstr.exe' /pid=2868
- '<SYSTEM32>\findstr.exe' /M /I /C:"Common appdata"
- '<SYSTEM32>\reg.exe' export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" logje.txt
- '<SYSTEM32>\findstr.exe' /M /I /C:"Common Programs"
- '<SYSTEM32>\reg.exe' export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" logwww.tx#
- '<SYSTEM32>\findstr.exe' /M " ( "
- '<SYSTEM32>\findstr.exe' /M "="
- '<SYSTEM32>\reg.exe' export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" elog.txt
- '<SYSTEM32>\findstr.exe' /V " ( "
- '<SYSTEM32>\findstr.exe' /M /I /C:"Common Desktop"
- '<SYSTEM32>\findstr.exe' /V /I /C:"all users"
- '<SYSTEM32>\find.exe' "REG_SZ"
- '<SYSTEM32>\findstr.exe' /I /M ";r"
- '<SYSTEM32>\findstr.exe' /I /M ";virustotal"
- '<SYSTEM32>\reg.exe' query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Local AppData"
- '<SYSTEM32>\findstr.exe' /M /I /C:"Programs"
- '<SYSTEM32>\reg.exe' export "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" logje.txt
- '<SYSTEM32>\find.exe' "6."
- '<SYSTEM32>\findstr.exe' /M /I /C:"Programs@"
- '<SYSTEM32>\findstr.exe' /M /I ".pif"
- '<SYSTEM32>\findstr.exe' /M /I ".com"
- '<SYSTEM32>\findstr.exe' /M /I ".exe"
- '<SYSTEM32>\findstr.exe' /M /I ".scr"
- '<SYSTEM32>\findstr.exe' /M /I "z-analyse"
- '<SYSTEM32>\findstr.exe' -RIV "C:\\WINDOWS\\system32\\svchost.exe C:\\WINDOWS\\system32\\cmd.exe \\PEVZ.exe" ProcessList.txt
- '<SYSTEM32>\findstr.exe' /M /I "zoek.bat"
- '<SYSTEM32>\findstr.exe' /M /I "zoek"
- '<SYSTEM32>\findstr.exe' /M /I "mshta.exe"
- '<SYSTEM32>\cscript.exe' //I //nologo os.vbs
- '<SYSTEM32>\find.exe' /i "x86"
- '<SYSTEM32>\cscript.exe' //I //nologo drt.vbs
- '<SYSTEM32>\cscript.exe' //I //nologo test.vbs
- '<SYSTEM32>\reg.exe' Query HKLM\Hardware\Description\System\CentralProcessor\0
- '<SYSTEM32>\findstr.exe' /M /I "ZA-Scan"
- '<SYSTEM32>\cmd.exe' /c zoek.bat
- '<SYSTEM32>\attrib.exe' -r -s -h "%TEMP%\test.txt"
- '<SYSTEM32>\attrib.exe' -r -s -h "%TEMP%\test.txt\*.*"
- '<SYSTEM32>\findstr.exe' /pid=864
- '<SYSTEM32>\findstr.exe' /I /M ";v"
- '<SYSTEM32>\findstr.exe' /I /M "process;"
- '<SYSTEM32>\findstr.exe' /I /V ";v"
- '<SYSTEM32>\findstr.exe' /I /V ";vs"
- '<SYSTEM32>\find.exe' /pid=3472
- '<SYSTEM32>\reg.exe' /M /I "createsrpoint;"
- '<SYSTEM32>\findstr.exe' /I /M ";vs"
- '<SYSTEM32>\cscript.exe' /pid=3556
- '<SYSTEM32>\findstr.exe' /I /M "reboot;"
- '<SYSTEM32>\findstr.exe' /I /M "msconfigcheck;"
- '<SYSTEM32>\findstr.exe' /I /M "emptyfoldercheck;"
- '<SYSTEM32>\findstr.exe' /I /M "hostslook;"
- '<SYSTEM32>\findstr.exe' /I /M "startupall;"
- '<SYSTEM32>\findstr.exe' /I /M "installedprogs;"
- '<SYSTEM32>\findstr.exe' /I /M "zoekbackups;"
- '<SYSTEM32>\findstr.exe' /I /M "emptyrecycle.bin;"
- '<SYSTEM32>\findstr.exe' /I /M "resetIEproxy;"
- '<SYSTEM32>\findstr.exe' /I /M "quickscan;"
- '<SYSTEM32>\findstr.exe' /I /M "iedefaults;"
- '<SYSTEM32>\findstr.exe' /pid=2992
- '<SYSTEM32>\findstr.exe' /M /I "http:"
- '<SYSTEM32>\findstr.exe' /I /M "standardsearch;"
- '<SYSTEM32>\findstr.exe' /M /I "ffdefaults;http"
- '<SYSTEM32>\findstr.exe' /V /I "hijackthis;"
- '<SYSTEM32>\findstr.exe' /M /I " // "
- '<SYSTEM32>\findstr.exe' /M /I " : "
- '<SYSTEM32>\findstr.exe' /pid=3384
- '<SYSTEM32>\attrib.exe' /I /M ";p"
- '<SYSTEM32>\findstr.exe' /S /D /c" type input.txt "
- '<SYSTEM32>\findstr.exe' /I /M ";fp"
- '<SYSTEM32>\findstr.exe' /V /B ";"
- '<SYSTEM32>\findstr.exe' /M " ; "
- '<SYSTEM32>\findstr.exe' /V /I "http:"
- '<SYSTEM32>\findstr.exe' /I /M ";b"
- '<SYSTEM32>\findstr.exe' /V /I " / "
- <SYSTEM32>\cmd.exe
- <SYSTEM32>\cscript.exe
- <SYSTEM32>\reg.exe
- <SYSTEM32>\attrib.exe
- <SYSTEM32>\findstr.exe
- %TEMP%\usercheck.zoek
- %TEMP%\users1.txt
- %TEMP%\users.txt
- %TEMP%\test1.txt
- %TEMP%\logje5.txt
- %TEMP%\logje6.txt
- %TEMP%\path1.txt
- %TEMP%\localappdata.zoek
- %TEMP%\tempfolders.txt
- %TEMP%\createsrpoint.zoek
- %TEMP%\localappdata.txt
- %TEMP%\users.zoek
- %TEMP%\appdata.txt
- %TEMP%\appdata.zoek
- %TEMP%\logje2.txt
- %TEMP%\logje3.txt
- %TEMP%\path.txt
- %TEMP%\logje1.txt
- %TEMP%\tmp.txt
- %TEMP%\zoekrun.bat
- %TEMP%\logje.txt
- %TEMP%\pathwww.txt
- %TEMP%\in-put.txt
- %TEMP%\logje4.txt
- %TEMP%\logwww3.txt
- %TEMP%\logwww.txt
- %TEMP%\logwww1.txt
- %TEMP%\logwww2.txt
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\INDEX.BTR
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\INDEX.MAP
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING.VER
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\$WinMgmt.CFG
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SAM
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\ComDb.Dat
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\domain.txt
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\RestorePointSize
- %TEMP%\logme.txt
- %TEMP%\logme1.txt
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\OBJECTS.MAP
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING1.MAP
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING2.MAP
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\OBJECTS.DATA
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
- C:\zoek-results.log
- %TEMP%\srp.txt
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\rp.log
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SECURITY
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SOFTWARE
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SYSTEM
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_.DEFAULT
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2052111302-484763869-725345543-1003
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2052111302-484763869-725345543-1003
- %TEMP%\RarSFX0\clist.txt
- %TEMP%\RarSFX0\ProcessList.txt
- %TEMP%\RarSFX0\logje.txt
- %TEMP%\RarSFX0\chk.txt
- %TEMP%\RarSFX0\PEVZ.EXE
- %TEMP%\RarSFX0\zoek-install.bat
- %TEMP%\RarSFX0\zf.scf
- %TEMP%\zoek.bat
- %TEMP%\swreg.exe
- %TEMP%\wget.exe
- %TEMP%\zoek.hta
- %TEMP%\RarSFX0\test.txt
- %TEMP%\urlzoek
- %TEMP%\RarSFX0\log.txt
- %TEMP%\RarSFX0\z5.scf
- %TEMP%\RarSFX0\z6.scf
- %TEMP%\RarSFX0\z7.scf
- %TEMP%\RarSFX0\z3.scf
- %TEMP%\RarSFX0\z0.scf
- %TEMP%\RarSFX0\z1.scf
- %TEMP%\RarSFX0\z2.scf
- %TEMP%\RarSFX0\zc.scf
- %TEMP%\RarSFX0\zd.scf
- %TEMP%\RarSFX0\ze.scf
- %TEMP%\RarSFX0\zb.scf
- %TEMP%\RarSFX0\z8.scf
- %TEMP%\RarSFX0\z9.scf
- %TEMP%\RarSFX0\za.scf
- %TEMP%\StringCheck.txt
- %TEMP%\os.vbs
- %TEMP%\ostmp.tmp
- %TEMP%\checkOS.txt
- %TEMP%\log1
- %TEMP%\log2
- %TEMP%\log.txt
- %TEMP%\elog1.txt
- %TEMP%\exportit.txt
- %TEMP%\audesktop.txt
- %TEMP%\elog.txt
- %TEMP%\test.vbs
- %TEMP%\tmp1.txt
- %TEMP%\drt.vbs
- %TEMP%\sed.exe
- %TEMP%\swxcacls.exe
- %TEMP%\7za.exe
- %TEMP%\NirCmd.exe
- %TEMP%\remove.exe
- %TEMP%\zoekrun.hta
- %TEMP%\zoek-delete.exe
- %TEMP%\zoek1.hta
- %TEMP%\zoekrun1.hta
- %TEMP%\log3
- C:\runcheck.txt
- %TEMP%\hijackthis.exe
- %TEMP%\shortcut.exe
- %TEMP%\search.ico
- %TEMP%\logje3.txt
- %TEMP%\logje2.txt
- %TEMP%\logje1.txt
- %TEMP%\tmp.txt
- %TEMP%\logwww2.txt
- %TEMP%\logwww1.txt
- %TEMP%\logwww.txt
- %TEMP%\logje.txt
- %TEMP%\ostmp.tmp
- %TEMP%\drt.vbs
- %TEMP%\tmp1.txt
- %TEMP%\elog.txt
- %TEMP%\audesktop.txt
- %TEMP%\exportit.txt
- %TEMP%\elog1.txt
- %TEMP%\appdata.txt
- %TEMP%\users1.txt
- %TEMP%\users.txt
- %TEMP%\localappdata.txt
- %TEMP%\srp.txt
- %TEMP%\log.txt
- %TEMP%\tempfolders.txt
- %TEMP%\test1.txt
- %TEMP%\in-put.txt
- %TEMP%\pathwww.txt
- %TEMP%\logwww3.txt
- %TEMP%\logje4.txt
- %TEMP%\path4.txt
- %TEMP%\logje6.txt
- %TEMP%\logje5.txt
- %TEMP%\test.vbs
- %TEMP%\RarSFX0\z5.scf
- %TEMP%\RarSFX0\z3.scf
- %TEMP%\RarSFX0\z2.scf
- %TEMP%\RarSFX0\z6.scf
- %TEMP%\RarSFX0\z9.scf
- %TEMP%\RarSFX0\z8.scf
- %TEMP%\RarSFX0\z7.scf
- %TEMP%\RarSFX0\z1.scf
- %TEMP%\RarSFX0\test.txt
- %TEMP%\RarSFX0\ProcessList.txt
- %TEMP%\RarSFX0\clist.txt
- %TEMP%\RarSFX0\chk.txt
- %TEMP%\RarSFX0\z0.scf
- %TEMP%\RarSFX0\PEVZ.EXE
- %TEMP%\RarSFX0\logje.txt
- %TEMP%\log2
- %TEMP%\log1
- %TEMP%\zoekrun1.hta
- %TEMP%\log3
- %TEMP%\os.vbs
- %TEMP%\checkOS.txt
- %TEMP%\StringCheck.txt
- %TEMP%\zoek1.hta
- %TEMP%\RarSFX0\zc.scf
- %TEMP%\RarSFX0\zb.scf
- %TEMP%\RarSFX0\za.scf
- %TEMP%\RarSFX0\zd.scf
- %TEMP%\RarSFX0\log.txt
- %TEMP%\RarSFX0\zf.scf
- %TEMP%\RarSFX0\ze.scf
- %TEMP%\path1.txt в %TEMP%\path4.txt (file renamed; «в» = "to")
- 'www.hi###kthis.nl':80
- www.hi###kthis.nl/smeenk/samples/ZAScan.exe
- www.hi###kthis.nl/smeenk/samples/download8.bat
- DNS ASK www.hi###kthis.nl
- ClassName: 'RegEdit_RegEdit' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''