Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qutmserv.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seccenter.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UfSeAgnt.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TmProxy.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360SoftMgrSvc.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TMBMSRV.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfCtlCom.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krnl360svc.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zhudongfangyu.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] '{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}' = 'sthile.dll'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] '{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}' = 'csiddll'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360se.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360speedld.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\修复工具.exe] 'Debugger' = 'ntsd -d' (GBK-encoded image name; it was mis-decoded as "РЮёґ№¤ѕЯ.exe" in the original listing)
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ast.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kswebshield.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McSACore.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msksrver.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcagent.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcods.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McNASvc.exe] 'Debugger' = 'ntsd -d'
- [<HKLM>\SYSTEM\ControlSet001\Services\AppMgmt] 'Start' = '00000002'
- <SYSTEM32>\appmgmts.dll
- hidden files
- file extensions
- '%PROGRAM_FILES%\Internet Explorer\mstcs.exe' Explorer\mstcs.exe %TEMP%\Qvod.exe
- '%TEMP%\small.exe'
- '<SYSTEM32>\Dofake.exe'
- '%PROGRAM_FILES%\Microsoft Office\SYSTEM\sysbar.exe'
- '%TEMP%\dl_205423.exe'
- '%TEMP%\Qvod.exe'
- '%TEMP%\88.exe'
- '%TEMP%\yoyo1182.exe'
- '%TEMP%\2004.exe'
- '<SYSTEM32>\cmd.exe' /c 375519961O57540.bat
- '<SYSTEM32>\cmd.exe' /c <SYSTEM32>\mpiabinfh.bat
- '<SYSTEM32>\ping.exe' -n 3 127.0.0.1
- '<SYSTEM32>\regsvr32.exe' /s <SYSTEM32>\sthile.dll
- '<SYSTEM32>\rundll32.exe' kml1893.dll , InstallMyDll
- '<SYSTEM32>\regsvr32.exe' /s %WINDIR%\PPLAYE~1.DLL
- <SYSTEM32>\cryptcom.dll
- <SYSTEM32>\c_30110.nls
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C95IJSZY\desktop.ini
- %HOMEPATH%\Desktop\Internet Explorer.lnk
- <SYSTEM32>\sthile.dll
- %HOMEPATH%\Local Settings\Temporary Internet Files\_inimac
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8RKRQJMV\desktop.ini
- %TEMP%\57540.aqq
- <SYSTEM32>\omarpv.bat
- <SYSTEM32>\mpiabinfh.bat
- %TEMP%\375519961O57540.bat
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XVD8FUSQ\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0PQFKTYZ\desktop.ini
- <SYSTEM32>\Dofake.exe
- %PROGRAM_FILES%\Microsoft Office\SYSTEM\31.exe
- %TEMP%\yoyo1182.exe
- %TEMP%\88.exe
- C:\DelInfo.bin
- %TEMP%\small.exe
- %TEMP%\2004.exe
- %TEMP%\dl_205423.exe
- %TEMP%\Qvod.exe
- %WINDIR%\PPlayer.2.1.58130.251.(508).dll
- <SYSTEM32>\Windows.ime
- <SYSTEM32>\kml1893.dll
- <SYSTEM32>\dllcache\kml1893.dll
- %WINDIR%\Temp\Oraber.sys
- %PROGRAM_FILES%\Internet Explorer\mstcs.exe
- %APPDATA%\d43sdf.dat
- <SYSTEM32>\s3s4312.dat
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XVD8FUSQ\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0PQFKTYZ\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C95IJSZY\desktop.ini
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8RKRQJMV\desktop.ini
- %TEMP%\57540.aqq
- <SYSTEM32>\Dofake.exe
- %TEMP%\small.exe
- <SYSTEM32>\drklpioqcc.bat
- %TEMP%\dl_205423.exe
- %PROGRAM_FILES%\Microsoft Office\SYSTEM\sysbar.exe
- C:\DelInfo.bin
- %TEMP%\88.exe
- %APPDATA%\d43sdf.dat
- %TEMP%\Qvod.exe
- %WINDIR%\Temp\Oraber.sys
- from <SYSTEM32>\omarpv.bat to <SYSTEM32>\drklpioqcc.bat
- from %PROGRAM_FILES%\Microsoft Office\SYSTEM\31.exe to %PROGRAM_FILES%\Microsoft Office\SYSTEM\sysbar.exe
- 'localhost':1043
- 'www.de####ll-wz.com.cn':8080
- DNS ASK 88.##22down.com
- DNS ASK ro####.utorrent.com
- DNS ASK d.###1001.com
- DNS ASK 88.##11down.com
- DNS ASK c.###1001.com
- DNS ASK www.su###qqface.com
- DNS ASK ro####.bittorrent.com
- DNS ASK g.###1001.com
- DNS ASK i.###1001.com
- DNS ASK j.###1001.com
- DNS ASK e.###1001.com
- DNS ASK h.###1001.com
- DNS ASK f.###1001.com
- DNS ASK a2.##4736.com
- DNS ASK a.####ase.51edm.net
- DNS ASK d.###736.com
- DNS ASK www.EE######-9BCC-43a6-BE3.com
- DNS ASK www.de####ll-wz.com.cn
- DNS ASK www.xu##ei.com
- DNS ASK ro####.bitcomet.net
- DNS ASK a.###1001.com
- DNS ASK 88.##00down.com
- DNS ASK ro####.bitcomet.com
- DNS ASK b.###1001.com
- '89.##3.188.11':8957
- '62.##.208.112':9342
- '23#.#55.255.250':1900
- '65.#.163.4':50144
- '90.##.108.231':58856
- '21#.#7.13.11':22137
- '85.#1.66.73':38338
- '72.##2.20.73':16306
- '77.##.224.30':30478
- '58.##.39.204':40139
- '90.##1.190.208':25439
- ClassName: 'CicLoaderWndClass' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'EDIT' WindowName: '(null)'