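Technical Information
Note: the section headings of this report are missing from the page, so the entries below read as one flat list of registry values, command lines, file paths, network endpoints, DNS queries and window class/name pairs. A path that appears more than once presumably belonged to more than one section. Tokens such as <HKLM>, <SYSTEM32>, <DRIVERS>, %TEMP%, %WINDIR% and %HOMEPATH% are placeholders for the local registry hive and directories. The '#' characters in host names and URLs are masked characters, so those values cannot be used as exact-match indicators.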
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'System' = '<SYSTEM32>\kernelwind32.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\mszstb] 'Start' = '00000002' (Start value 2 = automatic start, i.e. the service is loaded during system startup)
- Windows Task Manager (Taskmgr)
- %TEMP%\Setup.exe
- %WINDIR%\retadpu22.exe 61A847B5BBF72810308B2B27128065E9C084320161C4661227A755E9C2933154389A
- %TEMP%\wr-1-22.exe
- %TEMP%\3022.exe
- %TEMP%\win32.exe
- %WINDIR%\retadpu22.exe (downloaded from the Internet)
- <SYSTEM32>\ntvdm.exe -f -i4
- <SYSTEM32>\ntvdm.exe -f -i3
- <SYSTEM32>\ntvdm.exe -f -i6
- <SYSTEM32>\ntvdm.exe -f -i5
- <SYSTEM32>\ntvdm.exe -f -i2
- <SYSTEM32>\regsvr32.exe /s "<SYSTEM32>\MSURLPAR.dll"
- <SYSTEM32>\netsh.exe firewall set allowedprogram '%TEMP%\win32.exe' enable
- <SYSTEM32>\ntvdm.exe -f -i1
- <SYSTEM32>\rundll32.exe "<SYSTEM32>\mszstb.dll",Run
- %WINDIR%\Explorer.EXE
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\proxy[1].jpg
- <SYSTEM32>\dllh8jkd1q6.exe
- %TEMP%\6.dllb
- %WINDIR%\Temp\scs3.tmp
- <SYSTEM32>\dllh8jkd1q7.exe
- %TEMP%\7.dllb
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\tool[1].jpg
- %TEMP%\2.dllb
- <SYSTEM32>\dllh8jkd1q1.exe
- %TEMP%\1.dllb
- <SYSTEM32>\dllh8jkd1q5.exe
- %TEMP%\5.dllb
- <SYSTEM32>\dllh8jkd1q2.exe
- %WINDIR%\Temp\scs4.tmp
- %WINDIR%\Temp\scsB.tmp
- %WINDIR%\Temp\scsA.tmp
- %WINDIR%\Temp\scs9.tmp
- %WINDIR%\Temp\scsE.tmp
- %WINDIR%\Temp\scsD.tmp
- %WINDIR%\Temp\scsC.tmp
- <SYSTEM32>\vx.tll
- %WINDIR%\Temp\scs7.tmp
- %WINDIR%\Temp\scs6.tmp
- %WINDIR%\Temp\scs5.tmp
- %TEMP%\3.dllb
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\adv114[1].php
- %WINDIR%\Temp\scs8.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\null[1].jpg
- <SYSTEM32>\mszstb.sys.tmp
- <SYSTEM32>\setup.tmp
- <SYSTEM32>\kernelwind32.exe
- <SYSTEM32>\allverx.dat
- <SYSTEM32>\allverx.dat.tmp
- <SYSTEM32>\mszstb.sys
- %HOMEPATH%\Local Settings\Temporary Internet Files\_dltime
- %TEMP%\Setup.exe
- %TEMP%\wr-1-22.exe
- %TEMP%\nsl2.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\_inimac
- %TEMP%\3022.exe
- %TEMP%\win32.exe
- <SYSTEM32>\mszstb.dll.zgx.tmp
- %TEMP%\4.dllb
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\adload[1].php
- %WINDIR%\retadpu22.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\rankstat[1].htm
- <SYSTEM32>\dllh8jkd1q8.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\32647543ygwvrhbjt3h4evjrbgnrt[1].php
- <DRIVERS>\mszstb.sys
- <SYSTEM32>\IP.dat
- <SYSTEM32>\IP.dat.tmp
- <SYSTEM32>\mszstb.dll.zgx
- <SYSTEM32>\_uninstall
- <SYSTEM32>\MSURLPAR.dll.zgx
- <SYSTEM32>\MSURLPAR.dll.zgx.tmp
- <SYSTEM32>\mszstb.dll
- %WINDIR%\Temp\scs5.tmp
- %WINDIR%\Temp\scs7.tmp
- %WINDIR%\Temp\scs3.tmp
- %WINDIR%\Temp\scs6.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\proxy[1].jpg
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\adv114[1].php
- %WINDIR%\Temp\scs4.tmp
- %WINDIR%\Temp\scsC.tmp
- %WINDIR%\Temp\scsA.tmp
- %WINDIR%\Temp\scsE.tmp
- %WINDIR%\Temp\scs9.tmp
- %WINDIR%\Temp\scs8.tmp
- %WINDIR%\Temp\scsB.tmp
- %WINDIR%\Temp\scsD.tmp
- <SYSTEM32>\MSURLPAR.dll.zgx.tmp
- <SYSTEM32>\setup.tmp
- <SYSTEM32>\allverx.dat
- <SYSTEM32>\IP.dat.tmp
- <SYSTEM32>\mszstb.sys.tmp
- <SYSTEM32>\allverx.dat.tmp
- <SYSTEM32>\mszstb.dll.zgx.tmp
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\rankstat[1].htm
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\null[1].jpg
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\tool[1].jpg
- <SYSTEM32>\dllh8jkd1q8.exe
- <SYSTEM32>\_uninstall
- <SYSTEM32>\mszstb.sys
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\adload[1].php
- from <SYSTEM32>\MSURLPAR.dll.zgx to <SYSTEM32>\MSURLPAR.dll
- from <SYSTEM32>\mszstb.dll.zgx to <SYSTEM32>\mszstb.dll
- 'localhost':1040
- 'do#####d.zhongsou.com':80
- 'al###ount.net':80
- 'lo####.smartpv.cn':1207
- 'x2#.###.wrs.mcboo.com':80
- al###ount.net/pic/tool.jpg
- al###ount.net/pic/null.jpg
- al###ount.net/34gfrfdsfghgretytrer5t65rerfgjh/adv114.php?ad####################################
- al###ount.net/pic/proxy.jpg
- al###ount.net/adv/114/adload.php?a1############################################################################################################################################################################
- x2#.###.wrs.mcboo.com/retadpu.exe
- do#####d.zhongsou.com/adsys/rankstat.htm?In####################################################################
- al###ount.net/32647543ygwvrhbjt3h4evjrbgnrt.php?ad###########################
- DNS ASK al###ount.net
- DNS ASK do#####d.zhongsou.com
- DNS ASK lo####.smartpv.cn
- DNS ASK x2#.###.wrs.mcboo.com
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-bb4.bb8.3c0007'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-bbc.bc4.3d0008'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-bd0.bd4.3e0009'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-b80.b84.390001'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-b88.b90.3a0002'
- ClassName: 'ConsoleWindowClass' WindowName: 'ntvdm-b98.ba0.3b0006'