Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srgui.exe] 'Debugger' = '%WINDIR%\ctfmon.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sriecli.exe] 'Debugger' = '%WINDIR%\ctfmon.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe] 'Debugger' = '%WINDIR%\ctfmon.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe] 'Debugger' = '%WINDIR%\ctfmon.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe] 'Debugger' = '%WINDIR%\ctfmon.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PPLiveVA.exe] 'Debugger' = '<SYSTEM32>\avpx.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GreenBrowser.exe] 'Debugger' = '%WINDIR%\system3\iexplore.EXE'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VExplorer.exe] 'Debugger' = '<SYSTEM32>\kavy.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.exe] 'Debugger' = '<SYSTEM32>\kavy.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\theworld.exe] 'Debugger' = '<SYSTEM32>\iexplore.EXE'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe] 'Debugger' = '<SYSTEM32>\iexplore.EXE'
- [<HKLM>\SOFTWARE\Classes\HTTP\shell\open\command] '' = '"%PROGRAM_FILES%\Internet Explorer\IEXPLORE" ""'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Runonce] 'kacvc' = '<DRIVERS>\kavx.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe] 'Debugger' = '<SYSTEM32>\iexplore.EXE'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TTraveler.exe] 'Debugger' = '<SYSTEM32>\iexplore.EXE'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hsreg.exe] 'Debugger' = '%WINDIR%\ctfmon.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Maxthon.exe] 'Debugger' = '<SYSTEM32>\iexplore.EXE'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe] 'Debugger' = '<SYSTEM32>\iexplore.EXE'
- hidden files
- file extensions
- <SYSTEM32>\svhosgy.exe
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe" /v Debugger /t reg_sz /d %WINDIR%\ctfmon.exe /f
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe" /v Debugger /t reg_sz /d %WINDIR%\ctfmon.exe /f
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srgui.exe" /v Debugger /t reg_sz /d %WINDIR%\ctfmon.exe /f
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hsreg.exe" /v Debugger /t reg_sz /d %WINDIR%\ctfmon.exe /f
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Maxthon.exe" /v Debugger /t reg_sz /d <SYSTEM32>\iexplore.EXE /f
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe" /v Debugger /t reg_sz /d <SYSTEM32>\iexplore.EXE /f
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TTraveler.exe" /v Debugger /t reg_sz /d <SYSTEM32>\iexplore.EXE /f
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PPLiveVA.exe" /v Debugger /t reg_sz /d <SYSTEM32>\avpx.exe /f
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GreenBrowser.exe" /v Debugger /t reg_sz /d %WINDIR%\system3\iexplore.EXE /f
- <SYSTEM32>\attrib.exe -H -R -S -A c:\GRLDR
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.exe" /v Debugger /t reg_sz /d <SYSTEM32>\kavy.exe /f
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sriecli.exe" /v Debugger /t reg_sz /d %WINDIR%\ctfmon.exe /f
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe" /v Debugger /t reg_sz /d %WINDIR%\ctfmon.exe /f
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VExplorer.exe" /v Debugger /t reg_sz /d <SYSTEM32>\kavy.exe /f
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe" /v Debugger /t reg_sz /d <SYSTEM32>\iexplore.EXE /f
- <SYSTEM32>\reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t reg_dword /d 00000001 /f
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /t reg_dword /d 00000000 /f
- <SYSTEM32>\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v {871C5380-42A0-1069-A2EA-08002B30309D} /t reg_dword /d 00000001 /f
- <SYSTEM32>\reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t reg_dword /d 00000000 /f
- <SYSTEM32>\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d 00000000 /f
- <SYSTEM32>\reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t reg_dword /d 00000000 /f
- <SYSTEM32>\reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t reg_dword /d 00000000 /f
- <SYSTEM32>\msiexec.exe /regserver
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\theworld.exe" /v Debugger /t reg_sz /d <SYSTEM32>\iexplore.EXE /f
- <SYSTEM32>\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe" /v Debugger /t reg_sz /d <SYSTEM32>\iexplore.EXE /f
- <SYSTEM32>\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce" /v kacvc /t reg_sz /d <DRIVERS>\kavx.exe /f
- %WINDIR%\regedit.exe /s %WINDIR%\jiantou.reg
- <SYSTEM32>\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoInternetIcon /t reg_dword /d 00000001 /f
- %WINDIR%\regedit.exe /S "%HOMEPATH%\Local Settings\Temp.\DefOpen.reg"
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoInternetIcon' = '00000001'
- <SYSTEM32>\images\gl_1.gif
- <SYSTEM32>\images\funb.js
- <SYSTEM32>\images\sd_1.css
- <SYSTEM32>\images\logo.jpg
- <SYSTEM32>\i\zj_2.gif
- <SYSTEM32>\i\topbg05.gif
- <SYSTEM32>\images\css\sd_1.css
- <SYSTEM32>\images\banner.gif
- <SYSTEM32>\images\srh_1.gif
- %WINDIR%\jiantou.reg
- %TEMP%\bt57363.bat
- %WINDIR%\ctfmon.exe
- %TEMP%\DefOpen.reg
- %HOMEPATH%\Desktop\Internet Explore.lnk
- <SYSTEM32>\iexplore.exe
- %HOMEPATH%\Start Menu\Programs\Internet Explore.lnk
- %HOMEPATH%\Start Menu\Internet Explore.lnk
- <SYSTEM32>\i\topbg04.gif
- <SYSTEM32>\i\gl_2.gif
- <SYSTEM32>\i\gl_1.gif
- <SYSTEM32>\i\gl_4.gif
- <SYSTEM32>\i\gl_3.gif
- <SYSTEM32>\svhosgy.exe
- <SYSTEM32>\index.htm
- <SYSTEM32>\i\banner.gif
- <SYSTEM32>\Internet Explore.lnk
- <SYSTEM32>\i\gl_5.gif
- <SYSTEM32>\i\topbg01.gif
- <SYSTEM32>\i\srh_5.gif
- <SYSTEM32>\i\topbg03.gif
- <SYSTEM32>\i\topbg02.gif
- <SYSTEM32>\i\srh_2.gif
- <SYSTEM32>\i\srh_1.gif
- <SYSTEM32>\i\srh_4.gif
- <SYSTEM32>\i\srh_3.gif
- <SYSTEM32>\i\zj_2.gif
- <SYSTEM32>\images\banner.gif
- <SYSTEM32>\images\css\sd_1.css
- <SYSTEM32>\i\topbg05.gif
- <SYSTEM32>\i\topbg02.gif
- <SYSTEM32>\i\topbg03.gif
- <SYSTEM32>\i\topbg04.gif
- <SYSTEM32>\images\srh_1.gif
- <SYSTEM32>\iexplore.exe
- %TEMP%\bt57363.bat
- <SYSTEM32>\images\sd_1.css
- <SYSTEM32>\images\funb.js
- <SYSTEM32>\images\gl_1.gif
- <SYSTEM32>\images\logo.jpg
- <SYSTEM32>\i\gl_2.gif
- <SYSTEM32>\i\gl_3.gif
- <SYSTEM32>\i\gl_4.gif
- <SYSTEM32>\i\gl_1.gif
- <SYSTEM32>\index.htm
- <SYSTEM32>\svhosgy.exe
- <SYSTEM32>\i\banner.gif
- <SYSTEM32>\i\srh_4.gif
- <SYSTEM32>\i\srh_5.gif
- <SYSTEM32>\i\topbg01.gif
- <SYSTEM32>\i\srh_3.gif
- <SYSTEM32>\i\gl_5.gif
- <SYSTEM32>\i\srh_1.gif
- <SYSTEM32>\i\srh_2.gif
- %TEMP%\bt57363.bat
- %TEMP%\DefOpen.reg
- %WINDIR%\jiantou.reg
- ClassName: 'RegEdit_RegEdit' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'EDIT' WindowName: ''