R3 - URLSearchHook: (no name) - {A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,\\?\globalroot\systemroot\system32\ihj6cag.exe,\\?\globalroot\systemroot\system32\NvUNmB7.exe,\\?\globalroot\systemroot\system32\2xVUXws.exe,
O24 - Desktop Component 0: (no name) - (no file)
begin
// AVZ cleanup script, first pass. Statement order matters: rootkit search and
// AVZGuard first, quarantine before delete, BootCleaner import after the
// DeleteFile calls, reboot last.
SearchRootkit(true, true);
// Enable AVZGuard before touching files so the running malware cannot block
// the quarantine/delete operations.
SetAVZGuardStatus(true);
// Quarantine copies of every suspect file for analysis. The three
// \\?\globalroot\systemroot\system32\*.exe paths are the extra UserInit
// entries shown in the F2 line above.
QuarantineFile('C:\DOCUME~1\ALASKA~1\LOCALS~1\Temp\esp4BF3.tmp','');
QuarantineFile('C:\DOCUME~1\ALASKA~1\LOCALS~1\Temp\esp680D.tmp','');
QuarantineFile('\\?\globalroot\systemroot\system32\NvUNmB7.exe','');
QuarantineFile('\\?\globalroot\systemroot\system32\ihj6cag.exe','');
QuarantineFile('\\?\globalroot\systemroot\system32\2xVUXws.exe','');
// dw15.exe and the ai59m7k0.SYS driver are quarantined only, not deleted --
// presumably pending identification; confirm before adding them below.
QuarantineFile('C:\Program Files\Microsoft IntelliPoint\dw15.exe','');
QuarantineFile('C:\WINDOWS\System32\Drivers\ai59m7k0.SYS','');
// Delete the UserInit payloads and the two temp files. Anything still locked
// is handed to BootCleaner by BC_ImportALL below and removed at boot.
DeleteFile('\\?\globalroot\systemroot\system32\NvUNmB7.exe');
DeleteFile('\\?\globalroot\systemroot\system32\ihj6cag.exe');
DeleteFile('\\?\globalroot\systemroot\system32\2xVUXws.exe');
DeleteFile('C:\DOCUME~1\ALASKA~1\LOCALS~1\Temp\esp680D.tmp');
DeleteFile('C:\DOCUME~1\ALASKA~1\LOCALS~1\Temp\esp4BF3.tmp');
BC_ImportALL;
BC_Activate;
ExecuteSysClean;
// NOTE(review): the Winlogon UserInit value from the F2 line is not rewritten
// by this script; confirm ExecuteSysClean resets it, otherwise the value keeps
// referencing the three deleted executables. The later script that runs
// ExecuteStdScr(6) may be the intended follow-up.
RebootWindows(true);
end.
begin
// Pack the quarantine folder into quarantine.zip next to AVZ for upload.
// "Qurantine" is the spelling of the AVZ API function itself -- do not "fix" it.
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.
begin
// Search HKLM for any remaining references to the two temp-file names that
// were deleted in the first script, saving a log after each search.
RegSearch('HKLM', '', 'esp680D.tmp');
SaveLog(GetAVZDirectory + 'avz1.log');
// NOTE(review): SaveLog presumably writes the whole session log, so avz2.log
// is expected to contain the first search's results as well -- verify.
RegSearch('HKLM', '', 'esp4BF3.tmp');
SaveLog(GetAVZDirectory + 'avz2.log');
end.
:Processes
explorer.exe
:Services
:Files
:Reg
[-HKEY_LOCAL_MACHINE\\SYSTEM\ControlSet001\Control\Print\Providers\BA4ED8B9]
[-HKEY_LOCAL_MACHINE\\SYSTEM\ControlSet008\Control\Print\Providers\BA4ED8B9]
[-HKEY_LOCAL_MACHINE\\SYSTEM\CurrentControlSet\Control\Print\Providers\BA4ED8B9]
[-HKEY_LOCAL_MACHINE\\SYSTEM\ControlSet001\Control\Print\Providers\BA4ED8B9]
[-HKEY_LOCAL_MACHINE\\SYSTEM\ControlSet008\Control\Print\Providers\BA4ED8B9]
[-HKEY_LOCAL_MACHINE\\SYSTEM\CurrentControlSet\Control\Print\Providers\BA4ED8B9]
[-HKEY_LOCAL_MACHINE\\SYSTEM\ControlSet001\Control\Print\Providers\A17599F7]
[-HKEY_LOCAL_MACHINE\\SYSTEM\ControlSet008\Control\Print\Providers\A17599F7]
[-HKEY_LOCAL_MACHINE\\SYSTEM\CurrentControlSet\Control\Print\Providers\A17599F7]
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,\\?\globalroot\systemroot\system32\ihj6cag.exe,\\?\globalroot\systemroot\system32\NvUNmB7.exe,\\?\globalroot\systemroot\system32\2xVUXws.exe,
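begin
// Remove the two rogue print-provider keys (BA4ED8B9, A17599F7) from every
// control set listed in the OTL :Reg section: ControlSet001, ControlSet008
// and the CurrentControlSet link. One RegKeyDel per key -- the original
// listed the BA4ED8B9 trio twice, which was redundant.
RegKeyDel('HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Control\Print\Providers\BA4ED8B9');
RegKeyDel('HKEY_LOCAL_MACHINE','SYSTEM\ControlSet008\Control\Print\Providers\BA4ED8B9');
RegKeyDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Print\Providers\BA4ED8B9');
RegKeyDel('HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Control\Print\Providers\A17599F7');
RegKeyDel('HKEY_LOCAL_MACHINE','SYSTEM\ControlSet008\Control\Print\Providers\A17599F7');
RegKeyDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Print\Providers\A17599F7');
// Reboot so the deletions take effect; note this uses RebootWindows(false),
// unlike the RebootWindows(true) in the file-cleanup scripts.
RebootWindows(false);
end.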
begin
// Run AVZ standard script #6 and reboot. NOTE(review): which cleanup the
// number 6 maps to is not shown on this page -- check the AVZ standard-script
// list before reusing this.
ExecuteStdScr(6);
RebootWindows(false);
end.
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,\\?\globalroot\systemroot\system32\ihj6cag.exe,\\?\globalroot\systemroot\system32\NvUNmB7.exe,\\?\globalroot\systemroot\system32\2xVUXws.exe,
O24 - Desktop Component 0: (no name) - (no file)
begin
// Second cleanup pass: same pattern as the first script, for one leftover
// driver file dropped in the user's Temp folder.
SearchRootkit(true, true);
SetAVZGuardStatus(true);
// Keep a copy for analysis before deleting.
QuarantineFile('C:\DOCUME~1\ALASKA~1\LOCALS~1\Temp\pfliypoc.sys','');
DeleteFile('C:\DOCUME~1\ALASKA~1\LOCALS~1\Temp\pfliypoc.sys');
// Hand any locked file to BootCleaner, run the system cleanup, then activate
// BootCleaner for the reboot. This ordering (ExecuteSysClean between
// BC_ImportALL and BC_Activate) differs from the first script, which called
// BC_Activate before ExecuteSysClean.
BC_ImportALL;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
begin
// Re-pack the quarantine folder (now including pfliypoc.sys) into quarantine.zip.
// "Qurantine" is the AVZ function's own spelling.
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.