Техническая информация (observed indicators as recorded by the sandbox: the Winlogon `Userinit` value altered to also launch `<SYSTEM32>\wbem\internat.exe`; `reg.exe` deletions of the Explorer `Hidden`/`SuperHidden` folder settings and of the `SafeBoot` control key; a `.reg` file imported silently via `regedit.exe /s`; dropped files; contacted hosts, requested URLs and DNS lookups. Hostnames are partially masked with `#`.)
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,<SYSTEM32>\wbem\internat.exe'
- %WINDIR%\system\qd.exe
- <SYSTEM32>\reg.exe Delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden" /F
- %WINDIR%\regedit.exe /s %WINDIR%\system\sy.reg
- <SYSTEM32>\reg.exe Delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot" /F
- <SYSTEM32>\reg.exe Delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden" /F
- %WINDIR%\srchasst\chars\vip.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\vip[1].exe
- C:\ip.txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\getpublicip[1].shtml
- <SYSTEM32>\wbem\internat.exe
- %WINDIR%\system\qd.exe
- %WINDIR%\system\sy.reg
- <SYSTEM32>\wbem\internat.exe
- 'vb###.mvps.org':80
- 'bt#.#qzone.net':80
- 'localhost':1036
- vb###.mvps.org/resources/tools/getpublicip.shtml
- bt#.#qzone.net/post/c_editor/huo/vip.exe
- DNS ASK vb###.mvps.org
- DNS ASK bt#.#qzone.net
- ClassName: 'RegEdit_RegEdit' WindowName: ''