�� esetnod32.ru [��: �� Win32/Tofsee.AX]

�� Win32/Tofsee.AX

Thu, 13 Feb 2014 11:12:24 +0400

�� Win32/Tofsee.AX � �� .
�� , �� uVS �� .

�� ,

====quote====
�� : 2
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> ��: (1) ��: (0) -> �� .
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> ��: (1) ��: (0) -> �� .

=============
�� ...

��,
��
http://forum.esetnod32.ru/forum9/topic3998/
13.02.2014 11:12:24, santy.

�� Win32/Tofsee.AX

Thu, 13 Feb 2014 10:51:47 +0400

�� Win32/Tofsee.AX � �� .
�� , �� , �� :

�� C:\DOCUMENTS AND SETTINGS\��1\LOCAL SETTINGS\TEMP\LOYTUXN.EXE Win32/Tofsee.AX �� INGENER1\��1 �� : C:\temp\uvs_v3811\xyymyz.

�� :
MBAM-log-2014-02-13 (17-45-32).txt
13.02.2014 10:51:47, �� .

�� Win32/Tofsee.AX

Wed, 12 Feb 2014 05:51:31 +0400

�� Win32/Tofsee.AX � �� .
�� uVS:
- �� ;
- �� uVS(start.exe), �� : �� , �� - �� - �� ;
- �� ;
�� - �� _�� "��"
====code====


;uVS v3.81.11 [http://dsrt.dyndns.org]
;Target OS: NTv5.1

OFFSGNSAVE
zoo %SystemDrive%\DOCUMENTS AND SETTINGS\�������1\LOCAL SETTINGS\APPLICATION DATA\YANDEX\UPDATER\PRAETORIAN.EXE
addsgn 1AD78B9A5583358CF42B254E3143FE547601B9FA0A3A13F1C03FA1374DD6714C239CC0339D559D492B0BC197CD4B457110236311A9255077E4B5AC2F9F5FA577 8 praetorian

delall /C ATTRIB -H C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS && COPY C:\DOCUME~1\10E25~1\LOCALS~1\TEMP\15703906 C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS /Y && ATTRIB +H C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS && ERASE C:\DOCUME~1\10E25~1\LOCALS~1\TEMP\4316350.EXE
delall %SystemDrive%\DOCUMENTS AND SETTINGS\�������1\NWTCTQOK.EXE
delall %Sys32%\SVCNET32.DLL
hide %SystemDrive%\PROGRAM FILES\BOLID\ARM_ORION_PRO1_11SKD\SERVERMANAGER.EXE
hide %SystemDrive%\PROGRAM FILES\TOTAL COMMANDER\PLUGINS\EXE\DECRYPTC.EXE
zoo %SystemDrive%\DOCUMENTS AND SETTINGS\�������1\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\ILKB6RTF\6[2].EXE
delall %SystemDrive%\DOCUMENTS AND SETTINGS\�������1\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\ILKB6RTF\6[2].EXE
del %SystemRoot%\TASKS\AT2.JOB
;------------------------autoscript---------------------------

chklst
delvir

setdns ������� ����\4\{82FBC813-8F10-402E-9570-ABB2E2C69DB5}\8.8.8.8,8.8.4.4
setdns Internet\4\{E208C4E6-BEF3-4EBD-9D49-A2E6E91072E7}\8.8.8.8,8.8.4.4
delref HTTP://BROWSERHELP2.RU

delref HTTP://QIP.RU

delref HTTP://SEARCH.QIP.RU

regt 9
REGT 14

; Java(TM) 6 Update 20
exec MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216020FF} /quiet

; Java(TM) 6 Update 7
exec MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070} /quiet

deltmp
delnfr
;-------------------------------------------------------------
CZOO
restart

=============
��, �� .
�� uVS (�� : ZOO_2012-12-31_23-59-59.rar/7z) �� sendvirus2011@gmail.com, support@esetnod32.ru
------------
��,
��
http://forum.esetnod32.ru/forum9/topic682/
12.02.2014 05:51:31, santy.

�� Win32/Tofsee.AX

Wed, 12 Feb 2014 05:03:21 +0400

�� Win32/Tofsee.AX � �� .
�� .

NOD �� :

�� = C:\WINDOWS\system32\svchost.exe �� Win32/Tofsee.AX ��

�� :

C:\DOCUME~1\10E25~1\LOCALS~1\Temp\nnazog.exe �� Win32/Injector.AXNS �� INGENER1\��1 �� , �� : C:\WINDOWS\system32\svchost.exe.
INGENER1_2014-02-12_11-49-53.rar
12.02.2014 05:03:21, �� .

����� esetnod32.ru [����: ���������������� Win32/Tofsee.AX]

���������������� Win32/Tofsee.AX

���������������� Win32/Tofsee.AX

���������������� Win32/Tofsee.AX

���������������� Win32/Tofsee.AX

�� esetnod32.ru [��: �� Win32/Tofsee.AX]

�� Win32/Tofsee.AX

�� Win32/Tofsee.AX

�� Win32/Tofsee.AX

�� Win32/Tofsee.AX