�� esetnod32.ru [��: �� Win32/Qhost]

�� Win32/Qhost

Wed, 09 Jan 2013 20:38:30 +0400

�� Win32/Qhost � �� .
�� 
http://forum.esetnod32.ru/forum9/topic3998/
09.01.2013 20:38:30, zloyDi.

�� Win32/Qhost

Wed, 09 Jan 2013 20:36:41 +0400

�� Win32/Qhost � �� .
�� . �� .
09.01.2013 20:36:41, Hiperborean.

�� Win32/Qhost

Wed, 09 Jan 2013 20:30:42 +0400

�� Win32/Qhost � �� .
��

====quote====
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> ��: (1) ��: (0) -> �� .
=============

�� . �� . �� ?
09.01.2013 20:30:42, zloyDi.

�� Win32/Qhost

Wed, 09 Jan 2013 20:26:39 +0400

�� Win32/Qhost � �� .
�� - ��.
09.01.2013 20:26:39, Hiperborean.

�� Win32/Qhost

Wed, 09 Jan 2013 19:48:50 +0400

�� Win32/Qhost � �� .
��

====quote====
File size: 0 ��(�) ( 0 bytes )
=============

��
09.01.2013 19:48:50, santy.

�� Win32/Qhost

Wed, 09 Jan 2013 19:48:01 +0400

�� Win32/Qhost � �� .
��:

SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
MD5: d41d8cd98f00b204e9800998ecf8427e
File size: 0 ��(�) ( 0 bytes )
File name: carrxzxi.sys
File type: unknown
Detection ratio: 0 / 46
Analysis date: 2013-01-09 15:45:06 UTC ( 0 �� ago )

??

+ �� http://rghost.ru/private/42865729/7992fd0c0309cfa97d23846b6116450c
09.01.2013 19:48:01, Hiperborean.

�� Win32/Qhost

Wed, 09 Jan 2013 16:16:47 +0400

�� Win32/Qhost � �� .
+
�� http://virustotal.com
-----------

====quote====
�� C:\WINDOWS\SYSTEM32\DRIVERS\CARRXZXI.SYS
�� CARRXZXI.SYS
��. �� [SAFE_MODE]

��
�� [SAFE_MODE]
�� 100352 ��
�� 22.07.2011 � 21:40:27
�� 22.07.2011 � 21:40:28
��. ��

��
��
��

��
�� HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\carrxzxi\

�� HKLM\System\CurrentControlSet\Control\SafeBoot\Network\carrxzxi\

�� HKLM\System\CurrentControlSet\Services\carrxzxi\
carrxzxi �� : �� (2)

=============

09.01.2013 16:16:47, santy.

�� Win32/Qhost

Wed, 09 Jan 2013 16:13:15 +0400

�� Win32/Qhost � �� .
�� uVS:
- �� ;
- �� uVS(start.exe), �� : �� , �� - �� - �� ;
- �� ;
====code====

;uVS v3.77.2 script [http://dsrt.dyndns.org]
;Target OS: NTv5.1
OFFSGNSAVE
delref HTTP://MAILGOSEARCH.RU
delall %Sys32%\MSUPDT.EXE
delall %Sys32%\SDRA64.EXE
delref %SystemDrive%\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\VKSAVER\VKSAVER3.DLL
setdns ����������� �� ��������� ����\4\{2C3EC37A-BD50-41C3-88E8-F29266673C70}\
delall %SystemDrive%\DOCUMENTS AND SETTINGS\ADMIN\APPLICATION DATA\CCTE1TU.EXE
delall %SystemDrive%\PROGRAM FILES\INTERNET EXPLORER\SETUPAPI.DLL
delall %SystemDrive%\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\VKSAVER\VKSAVER.EXE
delall %SystemDrive%\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\ICQ\ICQNEWTAB\NEWTAB.HTML
deltmp
delnfr
REGT 12
regt 14
EXEC cmd /c"ipconfig /flushdns"
restart

=============
��, �� .
------------
��,
��
http://forum.esetnod32.ru/forum9/topic682/
09.01.2013 16:13:15, santy.

�� Win32/Qhost

Wed, 09 Jan 2013 14:55:01 +0400

�� Win32/Qhost � �� .
�� Win32/Qhost.
�� Uvs �� - http://rghost.ru/42856239
�� !)
09.01.2013 14:55:01, Hiperborean.

����� esetnod32.ru [����: �������� ������� Win32/Qhost]

�������� ������� Win32/Qhost

�������� ������� Win32/Qhost

�������� ������� Win32/Qhost

�������� ������� Win32/Qhost

�������� ������� Win32/Qhost

�������� ������� Win32/Qhost

�������� ������� Win32/Qhost

�������� ������� Win32/Qhost

�������� ������� Win32/Qhost

�� esetnod32.ru [��: �� Win32/Qhost]

�� Win32/Qhost

�� Win32/Qhost

�� Win32/Qhost

�� Win32/Qhost

�� Win32/Qhost

�� Win32/Qhost

�� Win32/Qhost

�� Win32/Qhost

�� Win32/Qhost