Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ewrgetuj' = '%TEMP%\geurge.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'lsdefrag' = '%TEMP%\nsz3.tmp\dp.exe'
- [<HKLM>\SYSTEM\ControlSet001\Control\Print\Providers\tdl] 'Name' = '%TEMP%\5.tmp'
- '%TEMP%\vhkv.exe'
- '%TEMP%\pfckb.exe'
- '%TEMP%\ddci.exe'
- '%TEMP%\-1998166001'
- '%TEMP%\nsmaaujr.exe'
- '%TEMP%\lbri.exe'
- '%TEMP%\wsofx.exe'
- '%TEMP%\mhlhgpac.exe'
- '%TEMP%\tdvvjeva.exe'
- '%TEMP%\nllmkyh.exe'
- '%TEMP%\nsz3.tmp\EuroP.exe'
- '%TEMP%\nsz3.tmp\dp.exe'
- '%TEMP%\nsz3.tmp\bodvddl.exe'
- '%TEMP%\nsz3.tmp\E4U.exe'
- '%TEMP%\nsz3.tmp\DNU.exe'
- '%TEMP%\vigtq.exe'
- '%TEMP%\mrdkhn.exe'
- '%TEMP%\nsz3.tmp\Gi.exe'
- '%TEMP%\nsz3.tmp\cbwp.exe'
- '%TEMP%\geurge.exe'
- '%TEMP%\pfckb.exe' (downloaded from the Internet)
- '%TEMP%\vhkv.exe' (downloaded from the Internet)
- '%TEMP%\wsofx.exe' (downloaded from the Internet)
- '%TEMP%\-1998166001' (downloaded from the Internet)
- '%TEMP%\nsmaaujr.exe' (downloaded from the Internet)
- '%TEMP%\ddci.exe' (downloaded from the Internet)
- '%TEMP%\mrdkhn.exe' (downloaded from the Internet)
- '%TEMP%\vigtq.exe' (downloaded from the Internet)
- '%TEMP%\mhlhgpac.exe' (downloaded from the Internet)
- '%TEMP%\lbri.exe' (downloaded from the Internet)
- '%TEMP%\nllmkyh.exe' (downloaded from the Internet)
- '%TEMP%\tdvvjeva.exe' (downloaded from the Internet)
- '<SYSTEM32>\cmd.exe' /c ""C:\tujserrew.bat""
- '<SYSTEM32>\net1.exe' stop "Security Center"
- '<SYSTEM32>\net1.exe' stop "Windows Firewall/Internet Connection Sharing (ICS)
- '<SYSTEM32>\sc.exe' config SharedAccess start= DISABLED
- '<SYSTEM32>\net.exe' stop "Security Center"
- '<SYSTEM32>\sc.exe' config wscsvc start= DISABLED
- '<SYSTEM32>\net.exe' stop "Windows Firewall/Internet Connection Sharing (ICS)
- <SYSTEM32>\spoolsv.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\gnemtrzxsn[1].php
- C:\tujserrew.bat
- %TEMP%\mhlhgpac.exe
- %TEMP%\lbri.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\yptozgozmu[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\fwelcx[1].php
- %TEMP%\ddci.exe
- %TEMP%\tdvvjeva.exe
- %TEMP%\nllmkyh.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\imwaic[1].php
- %TEMP%\vhkv.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\oriqbjdp[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\kkemu[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\txrzxs[1].php
- %TEMP%\pfckb.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\hyfahpxiq[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\files[1].php
- %TEMP%\-1998166001
- %TEMP%\wsofx.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\fjnvpk[1].php
- %TEMP%\nsz3.tmp\dp.exe
- %TEMP%\nsz3.tmp\Gi.exe
- %TEMP%\nsz3.tmp\cbwp.exe
- %TEMP%\4.tmp
- %TEMP%\nsz3.tmp\bodvddl.exe
- %TEMP%\nsj2.tmp
- %TEMP%\nsz3.tmp\DNU.exe
- %TEMP%\nsz3.tmp\EuroP.exe
- %TEMP%\nsz3.tmp\E4U.exe
- %TEMP%\mrdkhn.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\rvqxfn[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\hypwhc[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\wzdcjrp[1].php
- %TEMP%\nsmaaujr.exe
- %TEMP%\ls46.id
- %WINDIR%\Temp\6.tmp
- %TEMP%\geurge.exe
- %TEMP%\vigtq.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\fwevpovto[1].php
- %TEMP%\nsz3.tmp\Gi.exe
- %TEMP%\nsz3.tmp\EuroP.exe
- %TEMP%\~DF39F0.tmp
- %WINDIR%\Temp\6.tmp
- %TEMP%\nsz3.tmp\E4U.exe
- %TEMP%\nsz3.tmp\bodvddl.exe
- %TEMP%\5.tmp
- %TEMP%\nsz3.tmp\dp.exe
- %TEMP%\nsz3.tmp\cbwp.exe
- from %TEMP%\nsz3.tmp\DNU.exe to %TEMP%\7.tmp
- from %TEMP%\4.tmp to %TEMP%\5.tmp
- 'pi##pad.com':80
- 'co####.installstorm.com':88
- 'cr#####designlab.com':80
- 'ab####gnostic.com':80
- ab####gnostic.com/ufwnltbz/hyfahpxiq.php?ad########
- pi##pad.com/services/files.php?ui#############################################################
- ab####gnostic.com/ufwnltbz/yptozgozmu.php?ad########
- ab####gnostic.com/ufwnltbz/fjnvpk.php?ad########
- ab####gnostic.com/ufwnltbz/txrzxs.php?ad#################################################
- ab####gnostic.com/ufwnltbz/kkemu.php?ad########
- ab####gnostic.com/ufwnltbz/oriqbjdp.php?ad########
- ab####gnostic.com/ufwnltbz/gnemtrzxsn.php?ad########
- ab####gnostic.com/ufwnltbz/hypwhc.php?ad########
- ab####gnostic.com/ufwnltbz/rvqxfn.php?ad########
- ab####gnostic.com/ufwnltbz/fwevpovto.php?ad########
- ab####gnostic.com/ufwnltbz/wzdcjrp.php?ad########
- pi##pad.com/services/install.php?ui#############################
- ab####gnostic.com/ufwnltbz/imwaic.php?ad########
- ab####gnostic.com/ufwnltbz/fwelcx.php?ad########
- DNS ASK pi##pad.com
- DNS ASK co####.installstorm.com
- DNS ASK cr#####designlab.com
- DNS ASK ab####gnostic.com
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'SystemTray_Main' WindowName: ''
- ClassName: 'CSCHiddenWindow' WindowName: ''