Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg7' = 'J:\WINDOWS\system32\hl5\start.cmd'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg6' = 'I:\WINDOWS\system32\hl5\start.cmd'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg8' = 'K:\WINDOWS\system32\hl5\start.cmd'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg10' = 'M:\WINDOWS\system32\hl5\start.cmd'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg9' = 'L:\WINDOWS\system32\hl5\start.cmd'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg5' = 'H:\WINDOWS\system32\hl5\start.cmd'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg1' = '<Drive name for removable media>:\WINDOWS\system32\hl5\start.cmd'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg' = '<SYSTEM32>\hl5\start.cmd'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg2' = 'E:\WINDOWS\system32\hl5\start.cmd'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg4' = 'G:\WINDOWS\system32\hl5\start.cmd'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'msg3' = 'F:\WINDOWS\system32\hl5\start.cmd'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
- '<SYSTEM32>\hl5\svchost.exe' -start -hide
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg9 /t REG_SZ /d L:\WINDOWS\system32\hls3\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg10 /t REG_SZ /d M:\WINDOWS\system32\hls3\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg7 /t REG_SZ /d J:\WINDOWS\system32\hls3\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg8 /t REG_SZ /d K:\WINDOWS\system32\hls3\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg2 /t REG_SZ /d E:\WINDOWS\system32\hls4\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg3 /t REG_SZ /d F:\WINDOWS\system32\hls4\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg /t REG_SZ /d <SYSTEM32>\hls4\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg1 /t REG_SZ /d <Drive name for removable media>:\WINDOWS\system32\hls4\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg6 /t REG_SZ /d I:\WINDOWS\system32\hls3\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg /t REG_SZ /d <SYSTEM32>\hls3\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg1 /t REG_SZ /d <Drive name for removable media>:\WINDOWS\system32\hls3\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg9 /t REG_SZ /d L:\WINDOWS\system32\hls2\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg10 /t REG_SZ /d M:\WINDOWS\system32\hls2\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg4 /t REG_SZ /d G:\WINDOWS\system32\hls3\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg5 /t REG_SZ /d H:\WINDOWS\system32\hls3\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg2 /t REG_SZ /d E:\WINDOWS\system32\hls3\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg3 /t REG_SZ /d F:\WINDOWS\system32\hls3\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg4 /t REG_SZ /d G:\WINDOWS\system32\hls4\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg5 /t REG_SZ /d H:\WINDOWS\system32\hls5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg6 /t REG_SZ /d I:\WINDOWS\system32\hls5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg3 /t REG_SZ /d F:\WINDOWS\system32\hls5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg4 /t REG_SZ /d G:\WINDOWS\system32\hls5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg9 /t REG_SZ /d L:\WINDOWS\system32\hls5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg10 /t REG_SZ /d M:\WINDOWS\system32\hls5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg7 /t REG_SZ /d J:\WINDOWS\system32\hls5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg8 /t REG_SZ /d K:\WINDOWS\system32\hls5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg2 /t REG_SZ /d E:\WINDOWS\system32\hls5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg7 /t REG_SZ /d J:\WINDOWS\system32\hls4\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg8 /t REG_SZ /d K:\WINDOWS\system32\hls4\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg5 /t REG_SZ /d H:\WINDOWS\system32\hls4\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg6 /t REG_SZ /d I:\WINDOWS\system32\hls4\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg /t REG_SZ /d <SYSTEM32>\hls5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg1 /t REG_SZ /d <Drive name for removable media>:\WINDOWS\system32\hls5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg9 /t REG_SZ /d L:\WINDOWS\system32\hls4\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg10 /t REG_SZ /d M:\WINDOWS\system32\hls4\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg8 /t REG_SZ /d K:\WINDOWS\system32\hls2\start.cmd /f
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg6 /t REG_SZ /d I:\WINDOWS\system32\hl5\start.cmd /f
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg7 /t REG_SZ /d J:\WINDOWS\system32\hl5\start.cmd /f
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg4 /t REG_SZ /d G:\WINDOWS\system32\hl5\start.cmd /f
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg5 /t REG_SZ /d H:\WINDOWS\system32\hl5\start.cmd /f
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg10 /t REG_SZ /d M:\WINDOWS\system32\hl5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg /t REG_SZ /d <SYSTEM32>\hls\start.cmd /f
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg8 /t REG_SZ /d K:\WINDOWS\system32\hl5\start.cmd /f
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg9 /t REG_SZ /d L:\WINDOWS\system32\hl5\start.cmd /f
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg3 /t REG_SZ /d F:\WINDOWS\system32\hl5\start.cmd /f
- '<SYSTEM32>\attrib.exe' -h -s <SYSTEM32>\hl5
- '<SYSTEM32>\taskkill.exe' /FI svchost.exe
- '<SYSTEM32>\cmd.exe' /c ""<SYSTEM32>\hl5\msg.bat" "
- '<SYSTEM32>\netsh.exe' firewall set opmode disable
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg1 /t REG_SZ /d <Drive name for removable media>:\WINDOWS\system32\hl5\start.cmd /f
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg2 /t REG_SZ /d E:\WINDOWS\system32\hl5\start.cmd /f
- '%PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE' http://av###.net.ua
- '<SYSTEM32>\reg.exe' add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg /t REG_SZ /d <SYSTEM32>\hl5\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg1 /t REG_SZ /d <Drive name for removable media>:\WINDOWS\system32\hls\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg2 /t REG_SZ /d E:\WINDOWS\system32\hls2\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg3 /t REG_SZ /d F:\WINDOWS\system32\hls2\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg /t REG_SZ /d <SYSTEM32>\hls2\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg1 /t REG_SZ /d <Drive name for removable media>:\WINDOWS\system32\hls2\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg6 /t REG_SZ /d I:\WINDOWS\system32\hls2\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg7 /t REG_SZ /d J:\WINDOWS\system32\hls2\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg4 /t REG_SZ /d G:\WINDOWS\system32\hls2\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg5 /t REG_SZ /d H:\WINDOWS\system32\hls2\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg10 /t REG_SZ /d M:\WINDOWS\system32\hls\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg4 /t REG_SZ /d G:\WINDOWS\system32\hls\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg5 /t REG_SZ /d H:\WINDOWS\system32\hls\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg2 /t REG_SZ /d E:\WINDOWS\system32\hls\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg3 /t REG_SZ /d F:\WINDOWS\system32\hls\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg8 /t REG_SZ /d K:\WINDOWS\system32\hls\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg9 /t REG_SZ /d L:\WINDOWS\system32\hls\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg6 /t REG_SZ /d I:\WINDOWS\system32\hls\start.cmd /f
- '<SYSTEM32>\reg.exe' DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v msg7 /t REG_SZ /d J:\WINDOWS\system32\hls\start.cmd /f
- <SYSTEM32>\hl5\msg.bat
- <SYSTEM32>\hl5\config.txt
- <SYSTEM32>\hl5\Config\slist.txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\avril.net[1]
- <SYSTEM32>\hl5\svchost.exe
- <SYSTEM32>\hl5\start.cmd
- <SYSTEM32>\hl5\Config\rules.txt
- <SYSTEM32>\hl5\Config\hostnames.txt
- <SYSTEM32>\hl5\Config\clcmds.txt
- <SYSTEM32>\hl5\Config\Advanced\masters.txt
- <SYSTEM32>\hl5\Config\players.txt
- <SYSTEM32>\hl5\Config\maps.txt
- <SYSTEM32>\hl5\Config\mappings.txt
- 'av###.net.ua':80
- 'localhost':1038
- av###.net.ua/
- DNS ASK ga###.vipeburg.info
- DNS ASK av###.net.ua
- '72.##5.61.189':27010
- '72.##5.61.190':27010
- '72.##5.61.136':27010
- '77.##2.219.54':27016
- '72.##5.61.153':27015
- 'ga###.vipeburg.info':27010
- '92.##3.95.195':27010
- '20#.#97.20.34':27010
- '69.##.140.247':27010
- '69.##.140.245':27010
- '69.##.158.131':27010
- '69.##.151.162':27010
- '63.##4.149.83':27011
- '20#.#97.4.186':27010
- '68.##2.72.250':27012
- '63.##4.149.90':27011
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: 'EDIT' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''