Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\nlv3mod.exe.lnk
Modifies file system
Creates the following files
- %TEMP%\rarsfx0\eula.rtf
- %TEMP%\rarsfx0\appdatadir\updfiles\em002_32_l1.nup
- %TEMP%\rarsfx0\appdatadir\updfiles\em002_32_l0.nup
- %TEMP%\rarsfx0\appdatadir\updfiles\em001_32_l1.nup
- %TEMP%\rarsfx0\appdatadir\updfiles\em001_32_l0.nup
- %TEMP%\rarsfx0\appdatadir\updfiles\em000_32_l0.nup
- %TEMP%\rarsfx0\ess_nt32_enu.msi
- %TEMP%\rarsfx0\microsoft.vc80.mfcloc.manifest
- %TEMP%\rarsfx0\microsoft.vc80.mfc.manifest
- %TEMP%\rarsfx0\microsoft.vc80.crt.manifest
- %TEMP%\rarsfx0\eset.chm
- %TEMP%\rarsfx0\drivers\epfwtdi\epfwtdi.cat
- %TEMP%\rarsfx0\drivers\epfwndis\epfwndis.cat
- %TEMP%\rarsfx0\drivers\epfwndhk\epfwndhk.cat
- %TEMP%\rarsfx0\drivers\epfw\epfw.cat
- %TEMP%\rarsfx0\drivers\easdrv\easdrv.cat
- %TEMP%\rarsfx0\drivers\eamon\eamon.cat
- %TEMP%\rarsfx0\drivers\epfwtdi\epfwtdi.sys
- %TEMP%\rarsfx0\drivers\epfwndis\epfwndis.sys
- %TEMP%\rarsfx0\drivers\epfwndhk\epfwndhk.sys
- %TEMP%\rarsfx0\appdatadir\updfiles\em002_32_l2.nup
- %TEMP%\rarsfx0\appdatadir\updfiles\em003_32_l0.nup
- %TEMP%\rarsfx0\appdatadir\updfiles\em003_32_l1.nup
- %TEMP%\rarsfx0\appdatadir\updfiles\em004_32_l0.nup
- %TEMP%\is-pjph2.tmp\is-pnebj.tmp
- %ProgramFiles(x86)%\eset\eset nod32 antivirus\is-8t2br.tmp
- %ProgramFiles(x86)%\eset\eset nod32 antivirus\is-b9hg4.tmp
- %ProgramFiles(x86)%\eset\eset nod32 antivirus\is-qhl51.tmp
- %TEMP%\is-pjph2.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-pjph2.tmp\_isetup\_setup64.tmp
- %TEMP%\is-pjph2.tmp\_isetup\_regdll.tmp
- %TEMP%\is-aqmt9.tmp\nod32.fix.v3.0-arc-rexbr-nsane.tmp
- %TEMP%\msi451d7.log
- %TEMP%\rarsfx0\message.vbs
- %TEMP%\rarsfx0\appdatadir\ehttpsrv.xml
- %TEMP%\rarsfx0\appdatadir\updfiles\em010_32_l0.nup
- %TEMP%\rarsfx0\appdatadir\updfiles\em008_32_l2.nup
- %TEMP%\rarsfx0\appdatadir\updfiles\em008_32_l1.nup
- %TEMP%\rarsfx0\appdatadir\updfiles\em008_32_l0.nup
- %TEMP%\rarsfx0\appdatadir\updfiles\em005_32_l2.nup
- %TEMP%\rarsfx0\appdatadir\updfiles\em005_32_l1.nup
- %TEMP%\rarsfx0\appdatadir\updfiles\em005_32_l0.nup
- %TEMP%\rarsfx0\appdatadir\updfiles\em004_32_l2.nup
- %TEMP%\rarsfx0\appdatadir\updfiles\em004_32_l1.nup
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\eset\eset nod32 antivirus\uninstall nod32 fix.lnk
- %TEMP%\rarsfx0\drivers\epfw\epfw.sys
- %TEMP%\rarsfx0\drivers\easdrv\easdrv.sys
- %TEMP%\rarsfx0\drivers\eamon\eamon.sys
- %TEMP%\rarsfx0\eguiproduct.dll
- %TEMP%\rarsfx0\eguimailplugins.dll
- %TEMP%\rarsfx0\eguiepfw.dll
- %TEMP%\rarsfx0\eguiemon.dll
- %TEMP%\rarsfx0\eguiamon.dll
- %TEMP%\rarsfx0\nod32.fix.v3.0-arc-rexbr-nsane.exe
- %TEMP%\rarsfx0\ekrn.exe
- %TEMP%\rarsfx0\ehttpsrv.exe
- %TEMP%\rarsfx0\egui.exe
- %TEMP%\rarsfx0\ecmd.exe
- %TEMP%\rarsfx0\ecls.exe
- %TEMP%\rarsfx0\callmsi.exe
- %TEMP%\rarsfx0\drivers\epfwtdi\epfwtdi.inf
- %TEMP%\rarsfx0\drivers\epfwndis\epfwndis.inf
- %TEMP%\rarsfx0\drivers\epfwndhk\epfwndhk.inf
- %TEMP%\rarsfx0\drivers\epfwndis\epfwnd_m.inf
- %TEMP%\rarsfx0\drivers\epfw\epfw.inf
- %TEMP%\rarsfx0\drivers\easdrv\easdrv.inf
- %TEMP%\rarsfx0\drivers\eamon\eamon.inf
- %TEMP%\rarsfx0\eguiscan.dll
- %TEMP%\rarsfx0\eguismon.dll
- %TEMP%\rarsfx0\eguiupdate.dll
- %TEMP%\rarsfx0\ekrnamon.dll
- %TEMP%\rarsfx0\shellext.dll
- %TEMP%\rarsfx0\msvcr80.dll
- %TEMP%\rarsfx0\msvcp80.dll
- %TEMP%\rarsfx0\mfc80u.dll
- %TEMP%\rarsfx0\mfc80.dll
- %TEMP%\rarsfx0\http_dll.dll
- %TEMP%\rarsfx0\eplgoutlooksmon.dll
- %TEMP%\rarsfx0\eplgoutlookemon.dll
- %TEMP%\rarsfx0\eplgoutlook.dll
- %TEMP%\rarsfx0\eplgoeemon.dll
- %TEMP%\rarsfx0\eplgoesmon.dll
- %TEMP%\rarsfx0\eplgoe.dll
- %TEMP%\rarsfx0\eplghooks.dll
- %TEMP%\rarsfx0\ekrnupdate.dll
- %TEMP%\rarsfx0\ekrnsmonengine.dll
- %TEMP%\rarsfx0\ekrnsmon.dll
- %TEMP%\rarsfx0\ekrnscan.dll
- %TEMP%\rarsfx0\ekrnmailplugins.dll
- %TEMP%\rarsfx0\ekrnepfw.dll
- %TEMP%\rarsfx0\ekrnemon.dll
- %TEMP%\rarsfx0\updater.dll
- %ProgramFiles(x86)%\eset\eset nod32 antivirus\unins000.dat
Deletes the following files
- %TEMP%\is-pjph2.tmp\nod32.fix.v3.0-arc-rexbr-nsane.exe
- %TEMP%\is-pjph2.tmp\_isetup\_regdll.tmp
- %TEMP%\is-pjph2.tmp\_isetup\_setup64.tmp
- %TEMP%\is-pjph2.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-aqmt9.tmp\nod32.fix.v3.0-arc-rexbr-nsane.tmp
Moves the following files
- from %ProgramFiles(x86)%\eset\eset nod32 antivirus\is-qhl51.tmp to %ProgramFiles(x86)%\eset\eset nod32 antivirus\unins000.exe
- from %ProgramFiles(x86)%\eset\eset nod32 antivirus\is-b9hg4.tmp to %ProgramFiles(x86)%\eset\eset nod32 antivirus\nlv3mod.exe
- from %ProgramFiles(x86)%\eset\eset nod32 antivirus\is-8t2br.tmp to %ProgramFiles(x86)%\eset\eset nod32 antivirus\obsoletenodlogin.exe
- from %TEMP%\is-pjph2.tmp\is-pnebj.tmp to %TEMP%\is-pjph2.tmp\nod32.fix.v3.0-arc-rexbr-nsane.exe
Miscellaneous
Searches for the following windows
- ClassName: 'EDIT' WindowName: ''
Creates and executes the following
- '%TEMP%\rarsfx0\nod32.fix.v3.0-arc-rexbr-nsane.exe' /SILENT /SP- /NORESTART
- '%TEMP%\is-aqmt9.tmp\nod32.fix.v3.0-arc-rexbr-nsane.tmp' /SL5="$190186,294323,53248,%TEMP%\RarSFX0\NOD32.FiX.v3.0-aRC-ReXBR-nsane.exe" /SILENT /SP- /NORESTART
- '%WINDIR%\syswow64\wscript.exe' "%TEMP%\RarSFX0\Message.vbs"
Executes the following
- '%WINDIR%\syswow64\msiexec.exe' /i "%TEMP%\RarSFX0\ess_nt32_enu.msi" /quiet /passive /norestart
