Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ewrgetuj' = '%TEMP%\geurge.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Inoyikotadoqev' = 'rundll32.exe "%WINDIR%\msvileaz.dll",Startup'
- [<HKLM>\SYSTEM\ControlSet001\Control\Print\Providers\tdl] 'Name' = '%TEMP%\5.tmp'
- '%TEMP%\ebtgnwb.exe'
- '%TEMP%\rtrtne.exe'
- '%TEMP%\-1998166001'
- '%TEMP%\jmoiwy.exe'
- '%TEMP%\ptmm.exe'
- '%TEMP%\iuhikm.exe'
- '%TEMP%\gfdak.exe'
- '%TEMP%\qiumcsdf.exe'
- '%TEMP%\avqmnybb.exe'
- '%TEMP%\xnpw.exe'
- '%TEMP%\nsb3.tmp\E4U.exe'
- '%TEMP%\fhusq.exe'
- '%TEMP%\nsb3.tmp\EuroP.exe'
- '%TEMP%\nsb3.tmp\Gi.exe'
- '%TEMP%\nsb3.tmp\tbp.exe'
- '%TEMP%\ioujc.exe'
- '%TEMP%\geurge.exe'
- '%TEMP%\nsb3.tmp\ic9.exe'
- '%TEMP%\nsb3.tmp\ep.exe'
- '%TEMP%\gfdak.exe' (downloaded from the Internet)
- '%TEMP%\xnpw.exe' (downloaded from the Internet)
- '%TEMP%\qiumcsdf.exe' (downloaded from the Internet)
- '%TEMP%\iuhikm.exe' (downloaded from the Internet)
- '%TEMP%\jmoiwy.exe' (downloaded from the Internet)
- '%TEMP%\ptmm.exe' (downloaded from the Internet)
- '%TEMP%\ioujc.exe' (downloaded from the Internet)
- '%TEMP%\fhusq.exe' (downloaded from the Internet)
- '%TEMP%\rtrtne.exe' (downloaded from the Internet)
- '%TEMP%\avqmnybb.exe' (downloaded from the Internet)
- '%TEMP%\-1998166001' (downloaded from the Internet)
- '%TEMP%\ebtgnwb.exe' (downloaded from the Internet)
- '<SYSTEM32>\net1.exe' stop "Security Center"
- '<SYSTEM32>\cmd.exe' /c ""C:\tujserrew.bat""
- '<SYSTEM32>\rundll32.exe' "%WINDIR%\msvileaz.dll",iep
- '<SYSTEM32>\net1.exe' stop "Windows Firewall/Internet Connection Sharing (ICS)"
- '<SYSTEM32>\sc.exe' config SharedAccess start= DISABLED
- '<SYSTEM32>\net.exe' stop "Security Center"
- '<SYSTEM32>\rundll32.exe' "%WINDIR%\msvileaz.dll",Startup
- '<SYSTEM32>\net.exe' stop "Windows Firewall/Internet Connection Sharing (ICS)"
- '<SYSTEM32>\sc.exe' config wscsvc start= DISABLED
- <SYSTEM32>\spoolsv.exe
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1400' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1601' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'currentlevel' = '00000000'
- %TEMP%\rtrtne.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\gkbjdlwqlt[1].php
- %TEMP%\avqmnybb.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\iickf[1].php
- %TEMP%\ebtgnwb.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\ptxfnhp[1].php
- %TEMP%\ptmm.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\jjaiqxsq[1].php
- %TEMP%\-1998166001
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\kksahc[1].php
- %TEMP%\gfdak.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\gxbjd[1].php
- %TEMP%\Aqz..bat
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\vzdlfahpxe[1].php
- %TEMP%\iuhikm.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\kksaupwr[1].php
- %TEMP%\xnpw.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\wzdytaicxe[1].php
- %TEMP%\qiumcsdf.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\ggbrzx[1].php
- %TEMP%\nsb3.tmp\tbp.exe
- %TEMP%\nsb3.tmp\Gi.exe
- %WINDIR%\Temp\6.tmp
- %TEMP%\4.tmp
- %TEMP%\nsb3.tmp\E4U.exe
- %TEMP%\nsb3.tmp\ep.exe
- %TEMP%\nsl2.tmp
- %TEMP%\nsb3.tmp\EuroP.exe
- %TEMP%\nsb3.tmp\ic9.exe
- %TEMP%\ioujc.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\ffmhcw[1].php
- %TEMP%\jmoiwy.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\jwrlgbvd[1].php
- %TEMP%\fhusq.exe
- %TEMP%\geurge.exe
- %WINDIR%\msvileaz.dll
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\uiptnmgovj[1].php
- C:\tujserrew.bat
- %TEMP%\nsb3.tmp\Gi.exe
- %WINDIR%\Temp\6.tmp
- %TEMP%\~DF856B.tmp
- %TEMP%\nsb3.tmp\EuroP.exe
- %TEMP%\5.tmp
- %TEMP%\nsb3.tmp\E4U.exe
- %TEMP%\nsb3.tmp\ep.exe
- from %TEMP%\nsb3.tmp\ic9.exe to %TEMP%\7.tmp
- from %TEMP%\4.tmp to %TEMP%\5.tmp
- 'localhost':1042
- 'ab####gnostic.com':80
- 'di#####artsaward.com':80
- ab####gnostic.com/yulgbvqk/kksaupwr.php?ad########
- ab####gnostic.com/yulgbvqk/kksahc.php?ad########
- ab####gnostic.com/yulgbvqk/iickf.php?ad########
- ab####gnostic.com/yulgbvqk/vzdlfahpxe.php?ad#################################################
- ab####gnostic.com/yulgbvqk/gxbjd.php?ad########
- ab####gnostic.com/yulgbvqk/wzdytaicxe.php?ad########
- ab####gnostic.com/yulgbvqk/gkbjdlwqlt.php?ad########
- ab####gnostic.com/yulgbvqk/jwrlgbvd.php?ad########
- ab####gnostic.com/yulgbvqk/ffmhcw.php?ad########
- ab####gnostic.com/yulgbvqk/uiptnmgovj.php?ad########
- ab####gnostic.com/yulgbvqk/jjaiqxsq.php?ad########
- ab####gnostic.com/yulgbvqk/ptxfnhp.php?ad########
- ab####gnostic.com/yulgbvqk/ggbrzx.php?ad########
- DNS ASK co####.perfectexe.com
- DNS ASK 01######0612.burrova.com
- DNS ASK ab####gnostic.com
- DNS ASK di#####artsaward.com
- DNS ASK 00########.########.##.###########34AAFAA4B0B0AB1938A1C.n.empty.1147.empty.5_1._t_i.ffffffff.<Auxiliary name>_exe.156.rc2.a4h9uploading.com
- ClassName: 'Indicator' WindowName: '(null)'
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
- ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
- ClassName: 'SystemTray_Main' WindowName: '(null)'
- ClassName: 'CSCHiddenWindow' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'