Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg7' = 'J:\WINDOWS\system32\hlmm\start.cmd'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg6' = 'I:\WINDOWS\system32\hlmm\start.cmd'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg8' = 'K:\WINDOWS\system32\hlmm\start.cmd'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg10' = 'M:\WINDOWS\system32\hlmm\start.cmd'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg9' = 'L:\WINDOWS\system32\hlmm\start.cmd'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg5' = 'H:\WINDOWS\system32\hlmm\start.cmd'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg1' = '<Drive name for removable media>:\WINDOWS\system32\hlmm\start.cmd'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg' = '<SYSTEM32>\hlmm\start.cmd'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg2' = 'E:\WINDOWS\system32\hlmm\start.cmd'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg4' = 'G:\WINDOWS\system32\hlmm\start.cmd'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg3' = 'F:\WINDOWS\system32\hlmm\start.cmd'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
- '<SYSTEM32>\hlmm\google.exe' -hide -start
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg6 /t REG_SZ /d I:\WINDOWS\system32\hls4\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg7 /t REG_SZ /d J:\WINDOWS\system32\hls4\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg5 /t REG_SZ /d H:\WINDOWS\system32\hls4\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg3 /t REG_SZ /d F:\WINDOWS\system32\hls4\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg4 /t REG_SZ /d G:\WINDOWS\system32\hls4\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg /t REG_SZ /d <SYSTEM32>\hls5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg1 /t REG_SZ /d <Drive name for removable media>:\WINDOWS\system32\hls5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg10 /t REG_SZ /d M:\WINDOWS\system32\hls4\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg8 /t REG_SZ /d K:\WINDOWS\system32\hls4\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg9 /t REG_SZ /d L:\WINDOWS\system32\hls4\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg7 /t REG_SZ /d J:\WINDOWS\system32\hls3\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg8 /t REG_SZ /d K:\WINDOWS\system32\hls3\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg6 /t REG_SZ /d I:\WINDOWS\system32\hls3\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg4 /t REG_SZ /d G:\WINDOWS\system32\hls3\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg5 /t REG_SZ /d H:\WINDOWS\system32\hls3\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg1 /t REG_SZ /d <Drive name for removable media>:\WINDOWS\system32\hls4\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg2 /t REG_SZ /d E:\WINDOWS\system32\hls4\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg /t REG_SZ /d <SYSTEM32>\hls4\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg9 /t REG_SZ /d L:\WINDOWS\system32\hls3\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg10 /t REG_SZ /d M:\WINDOWS\system32\hls3\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg4 /t REG_SZ /d G:\WINDOWS\system32\hll\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg5 /t REG_SZ /d H:\WINDOWS\system32\hll\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg3 /t REG_SZ /d F:\WINDOWS\system32\hll\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg1 /t REG_SZ /d <Drive name for removable media>:\WINDOWS\system32\hll\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg2 /t REG_SZ /d E:\WINDOWS\system32\hll\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg9 /t REG_SZ /d L:\WINDOWS\system32\hll\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg10 /t REG_SZ /d M:\WINDOWS\system32\hll\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg8 /t REG_SZ /d K:\WINDOWS\system32\hll\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg6 /t REG_SZ /d I:\WINDOWS\system32\hll\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg7 /t REG_SZ /d J:\WINDOWS\system32\hll\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg5 /t REG_SZ /d H:\WINDOWS\system32\hls5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg6 /t REG_SZ /d I:\WINDOWS\system32\hls5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg4 /t REG_SZ /d G:\WINDOWS\system32\hls5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg2 /t REG_SZ /d E:\WINDOWS\system32\hls5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg3 /t REG_SZ /d F:\WINDOWS\system32\hls5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg10 /t REG_SZ /d M:\WINDOWS\system32\hls5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg /t REG_SZ /d <SYSTEM32>\hll\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg9 /t REG_SZ /d L:\WINDOWS\system32\hls5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg7 /t REG_SZ /d J:\WINDOWS\system32\hls5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg8 /t REG_SZ /d K:\WINDOWS\system32\hls5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg3 /t REG_SZ /d F:\WINDOWS\system32\hls3\start.cmd /f
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg9 /t REG_SZ /d L:\WINDOWS\system32\hlmm\start.cmd /f
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg10 /t REG_SZ /d M:\WINDOWS\system32\hlmm\start.cmd /f
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg8 /t REG_SZ /d K:\WINDOWS\system32\hlmm\start.cmd /f
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg6 /t REG_SZ /d I:\WINDOWS\system32\hlmm\start.cmd /f
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg7 /t REG_SZ /d J:\WINDOWS\system32\hlmm\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg3 /t REG_SZ /d F:\WINDOWS\system32\hls\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg4 /t REG_SZ /d G:\WINDOWS\system32\hls\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg2 /t REG_SZ /d E:\WINDOWS\system32\hls\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg /t REG_SZ /d <SYSTEM32>\hls\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg1 /t REG_SZ /d <Drive name for removable media>:\WINDOWS\system32\hls\start.cmd /f
- '%PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE' http://av###.net.ua
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg /t REG_SZ /d <SYSTEM32>\hlmm\start.cmd /f
- '<SYSTEM32>\attrib.exe' -h -s %WINDIR%\system\hll
- '<SYSTEM32>\cmd.exe' /c ""<SYSTEM32>\hlmm\msg.bat" "
- '<SYSTEM32>\netsh.exe' firewall set opmode disable
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg4 /t REG_SZ /d G:\WINDOWS\system32\hlmm\start.cmd /f
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg5 /t REG_SZ /d H:\WINDOWS\system32\hlmm\start.cmd /f
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg3 /t REG_SZ /d F:\WINDOWS\system32\hlmm\start.cmd /f
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg1 /t REG_SZ /d <Drive name for removable media>:\WINDOWS\system32\hlmm\start.cmd /f
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg2 /t REG_SZ /d E:\WINDOWS\system32\hlmm\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg7 /t REG_SZ /d J:\WINDOWS\system32\hls2\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg8 /t REG_SZ /d K:\WINDOWS\system32\hls2\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg6 /t REG_SZ /d I:\WINDOWS\system32\hls2\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg4 /t REG_SZ /d G:\WINDOWS\system32\hls2\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg5 /t REG_SZ /d H:\WINDOWS\system32\hls2\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg1 /t REG_SZ /d <Drive name for removable media>:\WINDOWS\system32\hls3\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg2 /t REG_SZ /d E:\WINDOWS\system32\hls3\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg /t REG_SZ /d <SYSTEM32>\hls3\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg9 /t REG_SZ /d L:\WINDOWS\system32\hls2\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg10 /t REG_SZ /d M:\WINDOWS\system32\hls2\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg8 /t REG_SZ /d K:\WINDOWS\system32\hls\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg9 /t REG_SZ /d L:\WINDOWS\system32\hls\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg7 /t REG_SZ /d J:\WINDOWS\system32\hls\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg5 /t REG_SZ /d H:\WINDOWS\system32\hls\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg6 /t REG_SZ /d I:\WINDOWS\system32\hls\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg2 /t REG_SZ /d E:\WINDOWS\system32\hls2\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg3 /t REG_SZ /d F:\WINDOWS\system32\hls2\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg1 /t REG_SZ /d <Drive name for removable media>:\WINDOWS\system32\hls2\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg10 /t REG_SZ /d M:\WINDOWS\system32\hls\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg /t REG_SZ /d <SYSTEM32>\hls2\start.cmd /f
- <SYSTEM32>\hlmm\google.exe
- <SYSTEM32>\hlmm\config.txt
- <SYSTEM32>\hlmm\Config\slist.txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\avril.net[1]
- <SYSTEM32>\hlmm\start.cmd
- <SYSTEM32>\hlmm\msg.bat
- <SYSTEM32>\hlmm\Config\rules.txt
- <SYSTEM32>\hlmm\Config\hostnames.txt
- <SYSTEM32>\hlmm\Config\clcmds.txt
- <SYSTEM32>\hlmm\Config\Advanced\masters.txt
- <SYSTEM32>\hlmm\Config\players.txt
- <SYSTEM32>\hlmm\Config\maps.txt
- <SYSTEM32>\hlmm\Config\mappings.txt
- 'av###.net.ua':80
- 'localhost':1038
- av###.net.ua/
- DNS ASK av###.net.ua
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: 'EDIT' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''