Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{1982EF19-1044-9290-5FF4-D4C8A66A5DA1}] 'stubpath' = ''
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'wextract_cleanup0' = 'rundll32.exe <SYSTEM32>\advpack.dll,DelNodeRunDLL32 ""%TEMP%\IXP000.TMP\""'
- <Drive name for removable media>:\xnbaf.exe
- <Drive name for removable media>:\autorun.inf
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\Explorer.EXE' = '%WINDIR%\Explorer.EXE:*:Enabled:ipsec'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '"%TEMP%\IXP000.TMP\server.exe"' = '"%TEMP%\IXP000.TMP\server.exe:*:Enabled:ipsec"'
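- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
  (Taken together, the StandardProfile values above switch off Windows Firewall for that profile, suppress its notifications, and add Explorer.EXE and server.exe to the authorized applications list. The paths are recorded under ControlSet001; on a live system the same values are normally read through CurrentControlSet, and HKLM\SYSTEM\Select shows which numbered control set is current.)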
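- hidden files
- User Account Control (UAC)
- Windows Security Center
  (The three entries above name Windows settings and features; the headings that state what the sample does to each of them are not present in this listing.)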
- <SYSTEM32>\cscript.exe
- <SYSTEM32>\ctfmon.exe
- %WINDIR%\Explorer.EXE
- %TEMP%\winkilq.exe
- %TEMP%\fcxlh.exe
- C:\cifw.exe
- C:\autorun.inf
- %APPDATA%\addons.dat
- %TEMP%\IXP000.TMP\server.exe
- <DRIVERS>\eupor.sys
- %APPDATA%\svchost.exe\svchost.exe
- C:\cifw.exe
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\xnbaf.exe
- %APPDATA%\svchost.exe\svchost.exe
- %APPDATA%\addons.dat
- C:\autorun.inf
- %TEMP%\fcxlh.exe
- %TEMP%\winkilq.exe
- %TEMP%\IXP000.TMP\server.exe
- <DRIVERS>\eupor.sys
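- 'fa####30.no-ip.info':81
- DNS ASK fa####30.no-ip.info
  (The '#' characters appear to mask part of the hostname, so the name as printed cannot be used as an exact-match indicator. no-ip.info is a dynamic DNS domain, so the address it resolves to may change over time.)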