Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ewrgetuj' = '%TEMP%\geurge.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Inoyikotadoqev' = 'rundll32.exe "%WINDIR%\cmdapi32.dll",Startup'
- [<HKLM>\SYSTEM\ControlSet001\Control\Print\Providers\tdl] 'Name' = '%TEMP%\5.tmp'
- '%TEMP%\iuhikm.exe'
- '%TEMP%\ebtgnwb.exe'
- '%TEMP%\fhusq.exe'
- '%TEMP%\avqmnybb.exe'
- '%TEMP%\ptmm.exe'
- '%TEMP%\-1998166001'
- '%TEMP%\jmoiwy.exe'
- '%TEMP%\rtrtne.exe'
- '%TEMP%\gfdak.exe'
- '%TEMP%\xnpw.exe'
- '%TEMP%\EuroP.exe'
- '%TEMP%\Gi.exe'
- '%TEMP%\bogamdl.exe'
- '%TEMP%\ic9.exe'
- '%TEMP%\7za.exe' x %TEMP%\a1.7z -aoa -o%HOMEPATH%\Local Settings\Temp -plolmilf
- '%TEMP%\qiumcsdf.exe'
- '%TEMP%\ioujc.exe'
- '%TEMP%\E4U.exe'
- '%TEMP%\tbp.exe'
- '%TEMP%\geurge.exe'
- '%TEMP%\ebtgnwb.exe' (downloaded from the Internet)
- '%TEMP%\iuhikm.exe' (downloaded from the Internet)
- '%TEMP%\jmoiwy.exe' (downloaded from the Internet)
- '%TEMP%\avqmnybb.exe' (downloaded from the Internet)
- '%TEMP%\ptmm.exe' (downloaded from the Internet)
- '%TEMP%\fhusq.exe' (downloaded from the Internet)
- '%TEMP%\ioujc.exe' (downloaded from the Internet)
- '%TEMP%\qiumcsdf.exe' (downloaded from the Internet)
- '%TEMP%\rtrtne.exe' (downloaded from the Internet)
- '%TEMP%\-1998166001' (downloaded from the Internet)
- '%TEMP%\xnpw.exe' (downloaded from the Internet)
- '%TEMP%\gfdak.exe' (downloaded from the Internet)
- '<SYSTEM32>\net1.exe' stop "Security Center"
- '<SYSTEM32>\cmd.exe' /c ""C:\tujserrew.bat""
- '<SYSTEM32>\rundll32.exe' "%WINDIR%\cmdapi32.dll",iep
- '<SYSTEM32>\net1.exe' stop "Windows Firewall/Internet Connection Sharing (ICS)"
- '<SYSTEM32>\sc.exe' config SharedAccess start= DISABLED
- '<SYSTEM32>\net.exe' stop "Security Center"
- '<SYSTEM32>\rundll32.exe' "%WINDIR%\cmdapi32.dll",Startup
- '<SYSTEM32>\net.exe' stop "Windows Firewall/Internet Connection Sharing (ICS)"
- '<SYSTEM32>\sc.exe' config wscsvc start= DISABLED
- <SYSTEM32>\spoolsv.exe
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1400' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1601' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'currentlevel' = '00000000'
- C:\tujserrew.bat
- %TEMP%\xnpw.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\gkbjdlwqlt[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\ptxfnhp[1].php
- %TEMP%\rtrtne.exe
- %TEMP%\fhusq.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\uiptnmgovj[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\gxbjd[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\kksahc[1].php
- %TEMP%\gfdak.exe
- %TEMP%\-1998166001
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\wzdytaicxe[1].php
- %TEMP%\ebtgnwb.exe
- %TEMP%\iuhikm.exe
- %TEMP%\Aqz..bat
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\vzdlfahpxe[1].php
- %TEMP%\avqmnybb.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\iickf[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\jwrlgbvd[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\jjaiqxsq[1].php
- %TEMP%\jmoiwy.exe
- %TEMP%\EuroP.exe
- %TEMP%\E4U.exe
- %TEMP%\Gi.exe
- %TEMP%\tbp.exe
- %TEMP%\ic9.exe
- %TEMP%\7za.exe
- %TEMP%\nsx2.tmp
- %TEMP%\a1.7z
- %TEMP%\nsz3.tmp\ExecDos.dll
- %TEMP%\bogamdl.exe
- %TEMP%\4.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\ffmhcw[1].php
- %TEMP%\qiumcsdf.exe
- %TEMP%\ioujc.exe
- %TEMP%\ptmm.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\ggbrzx[1].php
- %WINDIR%\Temp\6.tmp
- %WINDIR%\cmdapi32.dll
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\kksaupwr[1].php
- %TEMP%\geurge.exe
- %TEMP%\~DF8D27.tmp
- %TEMP%\E4U.exe
- %TEMP%\EuroP.exe
- %TEMP%\5.tmp
- %TEMP%\nsz3.tmp\ExecDos.dll
- %WINDIR%\Temp\6.tmp
- from %TEMP%\ic9.exe to %TEMP%\7.tmp
- from %TEMP%\4.tmp to %TEMP%\5.tmp
- 'localhost':1043
- 'ab####gnostic.com':80
- ab####gnostic.com/yulgbvqk/jwrlgbvd.php?ad########
- ab####gnostic.com/yulgbvqk/iickf.php?ad########
- ab####gnostic.com/yulgbvqk/ptxfnhp.php?ad########
- ab####gnostic.com/yulgbvqk/vzdlfahpxe.php?ad#################################################
- ab####gnostic.com/yulgbvqk/wzdytaicxe.php?ad########
- ab####gnostic.com/yulgbvqk/jjaiqxsq.php?ad########
- ab####gnostic.com/yulgbvqk/gkbjdlwqlt.php?ad########
- ab####gnostic.com/yulgbvqk/ggbrzx.php?ad########
- ab####gnostic.com/yulgbvqk/ffmhcw.php?ad########
- ab####gnostic.com/yulgbvqk/kksaupwr.php?ad########
- ab####gnostic.com/yulgbvqk/kksahc.php?ad########
- ab####gnostic.com/yulgbvqk/gxbjd.php?ad########
- ab####gnostic.com/yulgbvqk/uiptnmgovj.php?ad########
- DNS ASK sa####eatarts.com
- DNS ASK re####et-arts.com
- DNS ASK 01######061a.lantzel.com
- DNS ASK co####.perfectexe.com
- DNS ASK ab####gnostic.com
- DNS ASK 00########.########.##.###########A42A3908E0B1AA3B8DF54.n.empty.1147.empty.5_1._t_i.ffffffff.<Auxiliary name>_exe.156.rc2.a4h9uploading.com
- DNS ASK be####rts-2010.com
- ClassName: 'MS_AutodialMonitor' WindowName: '(null)'
- ClassName: 'MS_WebcheckMonitor' WindowName: '(null)'
- ClassName: 'Indicator' WindowName: '(null)'
- ClassName: 'SystemTray_Main' WindowName: '(null)'
- ClassName: 'CSCHiddenWindow' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'