Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe <SYSTEM32>\fservice.exe'
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe <SYSTEM32>\fservice.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'DirectX For Microsoft® Windows' = '<SYSTEM32>\fservice.exe'
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}] 'StubPath' = '%WINDIR%\system\sservice.exe'
- System Restore (SR)
- <SYSTEM32>\server.exe
- <SYSTEM32>\fservice.exe
- %WINDIR%\services.exe -XP
- %TEMP%\1.tmp\b2e.exe %TEMP%\1.tmp\b2e.exe <Current directory> <Full path to virus>
- %TEMP%\2.tmp\batchfile.bat
- <SYSTEM32>\AVKILLER.exe
- <SYSTEM32>\taskkill.exe /f /im mcvsshld.exe
- <SYSTEM32>\taskkill.exe /f /im norman.exe
- <SYSTEM32>\taskkill.exe /f /im mcvsrte.exe
- <SYSTEM32>\taskkill.exe /f /im mctool.exe
- <SYSTEM32>\taskkill.exe /f /im mcupdate.exe
- <SYSTEM32>\taskkill.exe /f /im normanav.exe
- <SYSTEM32>\taskkill.exe /f /im normist.exe
- <SYSTEM32>\taskkill.exe /f /im norman32.exe
- <SYSTEM32>\taskkill.exe /f /im norman_32.exe
- <SYSTEM32>\taskkill.exe /f /im norman_av.exe
- <SYSTEM32>\taskkill.exe /f /im mcshieldvvstat.exe
- <SYSTEM32>\taskkill.exe /f /im fsm32.exe
- <SYSTEM32>\taskkill.exe /f /im fsma32.exe
- <SYSTEM32>\taskkill.exe /f /im fsgk32.exe
- <SYSTEM32>\taskkill.exe /f /im fsav95.exe
- <SYSTEM32>\taskkill.exe /f /im fsave32.exe
- <SYSTEM32>\taskkill.exe /f /im mcmnhdlr.exe
- <SYSTEM32>\taskkill.exe /f /im mcshield.exe
- <SYSTEM32>\taskkill.exe /f /im mcagent.exe
- <SYSTEM32>\taskkill.exe /f /im fsmb32.exe
- <SYSTEM32>\taskkill.exe /f /im fwenc.exe
- <SYSTEM32>\taskkill.exe /f /im symtray.exe
- <SYSTEM32>\taskkill.exe /f /im sysedit.exe
- <SYSTEM32>\taskkill.exe /f /im symproxysvc.exe
- <SYSTEM32>\taskkill.exe /f /im Symantec Core LC.exe
- <SYSTEM32>\taskkill.exe /f /im symlcsvc.exe
- <SYSTEM32>\net1.exe STOP navapsvc
- <SYSTEM32>\cmd.exe /c <SYSTEM32>\server.exe.bat
- <SYSTEM32>\net1.exe STOP srservice
- <SYSTEM32>\net.exe STOP srservice
- <SYSTEM32>\net.exe STOP navapsvc
- <SYSTEM32>\taskkill.exe /f /im symantec.exe
- <SYSTEM32>\taskkill.exe /f /im notstart.exe
- <SYSTEM32>\taskkill.exe /f /im sofi.exe
- <SYSTEM32>\WBEM\WMIADAP.EXE /f /im nortonav.exe
- <SYSTEM32>\taskkill.exe /f /im Norton Auto-Protect.exe
- <SYSTEM32>\taskkill.exe /f /im norton_av.exe
- <SYSTEM32>\taskkill.exe /f /im spf.exe
- <SYSTEM32>\taskkill.exe /f /im sphinx.exe
- <SYSTEM32>\taskkill.exe /f /im sophosav.exe
- <SYSTEM32>\taskkill.exe /f /im sophos.exe
- <SYSTEM32>\taskkill.exe /f /im sophos_av.exe
- <SYSTEM32>\taskkill.exe /f /im norton.exe
- <SYSTEM32>\taskkill.exe /f /im antivirus.exe
- <SYSTEM32>\taskkill.exe /f /im antivir.exe
- <SYSTEM32>\taskkill.exe /f /im agvw.exe
- <SYSTEM32>\taskkill.exe /f /im agv.exe
- <SYSTEM32>\taskkill.exe /f /im atupdater.exe
- <SYSTEM32>\taskkill.exe /f /im atwatch.exe
- <SYSTEM32>\taskkill.exe /f /im atscan.exe
- <SYSTEM32>\taskkill.exe /f /im atguard.exe
- <SYSTEM32>\taskkill.exe /f /im ats.exe
- <SYSTEM32>\taskkill.exe /f /im avgserv9schedapp.exe
- <SYSTEM32>\taskkill.exe /f /im avg.exe
- <SYSTEM32>\taskkill.exe /f /im avgwdsvc.exe
- <SYSTEM32>\cmd.exe /c ""%TEMP%\selfdel0.bat" "
- <SYSTEM32>\rundll32.exe <SYSTEM32>\shimgvw.dll,ImageView_Fullscreen <SYSTEM32>\foto.jpg
- <SYSTEM32>\taskkill.exe /f /im avgrsx.exe
- <SYSTEM32>\taskkill.exe /f /im avgserv.exe
- <SYSTEM32>\taskkill.exe /f /im avgserv9.exe
- <SYSTEM32>\taskkill.exe /f /im avgctrl.exe
- <SYSTEM32>\taskkill.exe /f /im avgtray.exe
- <SYSTEM32>\taskkill.exe /f /im avgcc32.exe
- <SYSTEM32>\taskkill.exe /f /im fnrb32.exe
- <SYSTEM32>\taskkill.exe /f /im fp -win.exe
- <SYSTEM32>\taskkill.exe /f /im flowprotector.exe
- <SYSTEM32>\taskkill.exe /f /im firewall.exe
- <SYSTEM32>\taskkill.exe /f /im fix-it.exe
- <SYSTEM32>\taskkill.exe /f /im fsaa.exe
- <SYSTEM32>\taskkill.exe /f /im fsav32.exe
- <SYSTEM32>\taskkill.exe /f /im frw.exe
- <SYSTEM32>\taskkill.exe /f /im fp -win_trial.exe
- <SYSTEM32>\taskkill.exe /f /im fprot.exe
- <SYSTEM32>\taskkill.exe /f /im findviru.exe
- <SYSTEM32>\taskkill.exe /f /im escanh95.exe
- <SYSTEM32>\taskkill.exe /f /im escanhnt.exe
- <SYSTEM32>\taskkill.exe /f /im esafe.exe
- <SYSTEM32>\taskkill.exe /f /im drwatson.exe
- <SYSTEM32>\taskkill.exe /f /im drweb32.exe
- <SYSTEM32>\taskkill.exe /f /im fch32.exe
- <SYSTEM32>\taskkill.exe /f /im fih32.exe
- <SYSTEM32>\taskkill.exe /f /im fast.exe
- <SYSTEM32>\taskkill.exe /f /im escanv95.exe
- <SYSTEM32>\taskkill.exe /f /im espwatch.exe
- <SYSTEM32>\WBEM\WMIADAP.EXE
- Handler for all processes: <SYSTEM32>\winkey.dll
- mpftray.exe
- NAVAPW32.EXE
- fsav.exe
- GUARD.EXE
- nod32.exe
- zapro.exe
- ZONEALARM.EXE
- outpost.exe
- smc.exe
- fsav32.exe
- MCAGENT.EXE
- AVGCC32.EXE
- AVGCTRL.EXE
- AVP.EXE
- AVPM.EXE
- AVSYNMGR.EXE
- AVP32.EXE
- AVPCC.EXE
- <SYSTEM32>\fservice.exe
- %HOMEPATH%\Recent\system32.lnk
- %HOMEPATH%\Recent\foto.lnk
- %WINDIR%\system\sservice.exe
- <SYSTEM32>\reginv.dll
- <SYSTEM32>\winkey.dll
- %WINDIR%\services.exe
- <SYSTEM32>\AVKILLER.exe
- %TEMP%\2.tmp\batchfile.bat
- %TEMP%\1.tmp\b2e.exe
- <SYSTEM32>\foto.jpg
- %TEMP%\selfdel0.bat
- %TEMP%\bt45041.bat
- <SYSTEM32>\server.exe
- %WINDIR%\system\sservice.exe
- %WINDIR%\services.exe
- %TEMP%\bt45041.bat
- <SYSTEM32>\fservice.exe
- %WINDIR%\system\sservice.exe
- <SYSTEM32>\server.exe
- <SYSTEM32>\Restore\MachineGuid.txt
- <SYSTEM32>\fservice.exe
- %TEMP%\2.tmp\batchfile.bat
- %TEMP%\1.tmp\b2e.exe
- %TEMP%\bt45041.bat
- 'sq####.no-ip.biz2':41100
- 'sq####.no-ip.biz':4112
- 'sq####.no-ip.biz':4112
- 'sq####.no-ip.biz':4110
- 'sq####.no-ip.biz':41100
- DNS ASK sq####.no-ip.biz
- DNS ASK sq####.no-ip.biz2
- DNS ASK sq####.no-ip.biz
- ClassName: '' WindowName: 'Windows Logon Service '
- ClassName: '' WindowName: 'Windows services '
- ClassName: '' WindowName: 'Windows services '
- ClassName: '' WindowName: 'ProConnective'
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'EDIT' WindowName: ''
- ClassName: '' WindowName: ''
- ClassName: 'ShImgVw:CPreviewWnd' WindowName: ''