Technical Information
- [<HKLM>\SYSTEM\ControlSet001\Services\prvdisk] 'Start' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\ianoSvrup] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\PolicyAgent] 'Start' = '00000002'
- %TEMP%\nsl2.tmp\nsC.tmp reclbviug.exe -p Pass1 -r Pass1 -f 125.39.100.74+0 -n PASS -x
- %TEMP%\nsk7.tmp\nsB.tmp sc create prvdisk binpath= <SYSTEM32>\PrvMon\prvdisk.sys type= kernel start= system group= Base tag= yes
- %CommonProgramFiles%\Intel\ianotife.exe
- %TEMP%\nsl2.tmp\nsD.tmp reclbviug.exe -p Pass2 -r Pass2 -f 220.181.126.15+0 -n PASS -x
- %TEMP%\~nsu.tmp\Au_.exe _?=%PROGRAM_FILES%\vrjablacjh\
- %PROGRAM_FILES%\vrjablacjh\un0520083200311.exe
- %TEMP%\nsl2.tmp\nsE.tmp reclbviug.exe -p Pass3 -r Pass3 -f 220.181.126.7+0 -n PASS -x
- %TEMP%\nsk7.tmp\nsA.tmp sc start ianoSvrup
- %PROGRAM_FILES%\vrjablacjh\reclbviug.exe -p Pass2 -r Pass2 -f 220.181.126.15+0 -n PASS -x -p Pass3 -r Pass3 -f 220.181.126.7+0 -n PASS -x -file hoafrne.txt -p Pass1 -r Pass1 -f 125.39.100.74+0 -n PASS -x
- %TEMP%\nsl2.tmp\ns4.tmp "reclbviug.exe" -file hoafrne.txt
- %TEMP%\nsl2.tmp\ns3.tmp sc start PolicyAgent
- %TEMP%\nsl2.tmp\ns5.tmp sc config PolicyAgent start= auto
- %TEMP%\nsk7.tmp\ns9.tmp sc description ianoSvrup "К№УГIanno Web CahceјјКхМṩЅшРР»ҐБЄНшдЇААФ¤¶БјУЛЩ·юОсЎЈИз№ыНЈЦ№ёГ·юОсЈ¬ФтјЖЛг»ъЅ«І»ѕЯ±ёХвР©јјКхМṩµДјУЛЩ№¦ДЬЎЈ"
- %TEMP%\nsk7.tmp\ns8.tmp sc create ianoSvrup binpath= "%CommonProgramFiles%\Intel\ianotife.exe" type= share start= auto displayname= "Ianno Web Cache Services"
- %PROGRAM_FILES%\vrjablacjh\mysetup.exe
- <SYSTEM32>\sc.exe start ianoSvrup
- <SYSTEM32>\sc.exe create prvdisk binpath= <SYSTEM32>\PrvMon\prvdisk.sys type= kernel start= system group= Base tag= yes
- <SYSTEM32>\wscript.exe "%CommonProgramFiles%\Intel\note.vbs"
- <SYSTEM32>\sc.exe description ianoSvrup "К№УГIanno Web CahceјјКхМṩЅшРР»ҐБЄНшдЇААФ¤¶БјУЛЩ·юОсЎЈИз№ыНЈЦ№ёГ·юОсЈ¬ФтјЖЛг»ъЅ«І»ѕЯ±ёХвР©јјКхМṩµДјУЛЩ№¦ДЬЎЈ"
- <SYSTEM32>\sc.exe start PolicyAgent
- <SYSTEM32>\sc.exe config PolicyAgent start= auto
- <SYSTEM32>\sc.exe create ianoSvrup binpath= "%CommonProgramFiles%\Intel\ianotife.exe" type= share start= auto displayname= "Ianno Web Cache Services"
- %TEMP%\nsk7.tmp\System.dll
- %TEMP%\nsk7.tmp\AccessControl.dll
- %TEMP%\nsk7.tmp\nsExec.dll
- %TEMP%\nsk7.tmp\ns9.tmp
- %TEMP%\nsk7.tmp\ns8.tmp
- %CommonProgramFiles%\Intel\config-n.xml
- %CommonProgramFiles%\Intel\ianotife.exe
- %CommonProgramFiles%\Intel\vison.txt
- %CommonProgramFiles%\Intel\suject.db
- %CommonProgramFiles%\Intel\config-s.xml
- %CommonProgramFiles%\Intel\prvdisk.sys
- %TEMP%\nsk7.tmp\nsA.tmp
- %TEMP%\nsl2.tmp\nsD.tmp
- %TEMP%\nsl2.tmp\nsC.tmp
- %TEMP%\nsl2.tmp\nsE.tmp
- %TEMP%\~nsu.tmp\Au_.exe
- %CommonProgramFiles%\Intel\suject.db-journal
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0J2LM5OP\ol[1].asp
- %WINDIR%\tudouva.pac
- %CommonProgramFiles%\Intel\pro.txt
- <SYSTEM32>\PrvMon\prvdisk.sys
- %CommonProgramFiles%\Intel\note.vbs
- %TEMP%\nsk7.tmp\nsB.tmp
- %CommonProgramFiles%\Intel\note.txt
- %TEMP%\nsl2.tmp\nsRandom.dll
- %PROGRAM_FILES%\vrjablacjh\un0520083200311.exe
- %TEMP%\nsl2.tmp\InetLoad.dll
- %TEMP%\nsl2.tmp\nsplugin.dll
- %TEMP%\nsl2.tmp\Internet.dll
- %PROGRAM_FILES%\vrjablacjh\temp0520083200311.ini
- %PROGRAM_FILES%\vrjablacjh\s0001.xml
- %PROGRAM_FILES%\vrjablacjh\menu.xml
- %PROGRAM_FILES%\vrjablacjh\reginfo.xml
- %TEMP%\nsl2.tmp\System.dll
- %PROGRAM_FILES%\vrjablacjh\ser000.xml
- <Current directory>\op.ini
- %TEMP%\nsl2.tmp\ns5.tmp
- %PROGRAM_FILES%\vrjablacjh\info.reg
- %PROGRAM_FILES%\vrjablacjh\mysetup.exe
- %CommonProgramFiles%\Intel\ypac.txt
- %CommonProgramFiles%\Intel\sqlite3.dll
- %TEMP%\nsl2.tmp\ns4.tmp
- <Current directory>\tx.ini
- %PROGRAM_FILES%\vrjablacjh\reclbviug.exe
- %PROGRAM_FILES%\vrjablacjh\hoafrne.txt
- %TEMP%\nsl2.tmp\ns3.tmp
- %TEMP%\nsl2.tmp\nsExec.dll
- %PROGRAM_FILES%\vrjablacjh\reclbviug.exe
- %CommonProgramFiles%\Intel\suject.db-journal
- <Current directory>\op.ini
- <Current directory>\tx.ini
- %TEMP%\nsl2.tmp\nsD.tmp
- %TEMP%\nsl2.tmp\nsC.tmp
- %CommonProgramFiles%\Intel\note.vbs
- %TEMP%\nsl2.tmp\nsE.tmp
- %TEMP%\nsl2.tmp\InetLoad.dll
- %PROGRAM_FILES%\vrjablacjh\un0520083200311.exe
- %TEMP%\nsl2.tmp\System.dll
- %PROGRAM_FILES%\vrjablacjh\hoafrne.txt
- %PROGRAM_FILES%\vrjablacjh\temp0520083200311.ini
- %TEMP%\nsl2.tmp\nsExec.dll
- %TEMP%\nsl2.tmp\Internet.dll
- %TEMP%\nsl2.tmp\nsRandom.dll
- %TEMP%\nsl2.tmp\nsplugin.dll
- %TEMP%\nsk7.tmp\nsA.tmp
- %TEMP%\nsk7.tmp\ns9.tmp
- %CommonProgramFiles%\Intel\prvdisk.sys
- %TEMP%\nsk7.tmp\nsB.tmp
- %TEMP%\nsl2.tmp\ns4.tmp
- %TEMP%\nsl2.tmp\ns3.tmp
- %TEMP%\nsk7.tmp\ns8.tmp
- %TEMP%\nsl2.tmp\ns5.tmp
- %TEMP%\nsk7.tmp\AccessControl.dll
- %PROGRAM_FILES%\vrjablacjh\menu.xml
- %PROGRAM_FILES%\vrjablacjh\s0001.xml
- %PROGRAM_FILES%\vrjablacjh\info.reg
- %PROGRAM_FILES%\vrjablacjh\reginfo.xml
- %TEMP%\nsk7.tmp\System.dll
- %TEMP%\nsk7.tmp\nsExec.dll
- %PROGRAM_FILES%\vrjablacjh\ser000.xml
- %PROGRAM_FILES%\vrjablacjh\mysetup.exe
- 'localhost':1037
- 'tj.###mitogu.com':80
- 'm.###nong.com':888
- 'tj.##nzhuan.co':80
- tj.###mitogu.com/ps.txt
- tj.###mitogu.com/wl.txt
- tj.##nzhuan.co/svr.asp?c=#######################################
- tj.###mitogu.com/ol.asp?c=##########################
- DNS ASK tj.##nzhuan.co
- DNS ASK tj.###mitogu.com
- DNS ASK m.###nong.com
- '<Private IP address>':1034
- ClassName: 'Shell_TrayWnd' WindowName: ''