Technical Information (indicator list; section headings are missing from this extract — the entries below cover HKCU Run-key autorun values, files dropped to %HOMEPATH%, %TEMP%, the Startup folder and removable media with an autorun.inf, Windows Firewall policy changes under HKLM\...\FirewallPolicy, in-memory compilation via vbc.exe/cvtres.exe, and DNS/HTTP activity to masked hosts)
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /i'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /W'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /s'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /p'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /E'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /N'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /y'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /b'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /D'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /H'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /r'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /M'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /q'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /x'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /U'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /F'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /g'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /V'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /k'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /c'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /O'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /A'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /Z'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /j'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /L'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xoeva' = '%HOMEPATH%\xoeva.exe /t'
- %HOMEPATH%\Start Menu\Programs\Startup\svchost.exe
- <Drive name for removable media>:\RCX9.tmp
- <Drive name for removable media>:\Passwords_backup.exe
- <Drive name for removable media>:\RCX6.tmp
- <Drive name for removable media>:\Bloc-notes.exe
- <Drive name for removable media>:\RCXA.tmp
- <Drive name for removable media>:\Porn_backup.exe
- <Drive name for removable media>:\RCX11.tmp
- <Drive name for removable media>:\RCXB.tmp
- <Drive name for removable media>:\RCXE.tmp
- <Drive name for removable media>:\Secret.exe
- <Drive name for removable media>:\Sexy.exe
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\xoeva.exe
- <Drive name for removable media>:\RCX3.tmp
- <Drive name for removable media>:\RCX5.tmp
- <Drive name for removable media>:\Passwords.exe
- <Drive name for removable media>:\Porn.exe
- <Drive name for removable media>:\RCX4.tmp
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\teuveaw.exe' = '%TEMP%\teuveaw.exe:*:Enabled:ipsec'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
- hidden files
- User Account Control (UAC)
- Windows Security Center
- '%HOMEPATH%\xoeva.exe'
- '%TEMP%\svchost.exe'
- '%TEMP%\teuveaw.exe'
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\ia5ctluw.cmdline"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD.tmp" "%TEMP%\vbcC.tmp"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\c2e9mmhe.cmdline"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES10.tmp" "%TEMP%\vbcF.tmp"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\upfnp-oh.cmdline"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2.tmp" "%TEMP%\vbc1.tmp"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\6-mzrker.cmdline"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8.tmp" "%TEMP%\vbc7.tmp"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\lsl8nvas.cmdline"
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
- %TEMP%\jvnfu.exe
- %TEMP%\RESD.tmp
- %TEMP%\vbcC.tmp
- %TEMP%\E.resources
- %TEMP%\WgM.resources
- %TEMP%\ymrum.exe
- %TEMP%\upfnp-oh.0.vb
- <DRIVERS>\fmmmg.sys
- %TEMP%\lW.resources
- %TEMP%\winqjcup.exe
- %TEMP%\upfnp-oh.out
- %TEMP%\upfnp-oh.cmdline
- %TEMP%\LiK.resources
- %TEMP%\kgRGtL.resources
- %TEMP%\winmjwb.exe
- %TEMP%\c2e9mmhe.out
- %TEMP%\c2e9mmhe.cmdline
- %TEMP%\c2e9mmhe.0.vb
- %TEMP%\ia5ctluw.out
- %TEMP%\ia5ctluw.cmdline
- %TEMP%\ia5ctluw.0.vb
- %TEMP%\RES10.tmp
- %TEMP%\vbcF.tmp
- %TEMP%\winsrdlu.exe
- %TEMP%\CshEtX.resources
- %TEMP%\6-mzrker.out
- %TEMP%\6-mzrker.cmdline
- %TEMP%\6-mzrker.0.vb
- %TEMP%\6-mzrker.exe
- %TEMP%\RES2.tmp
- %TEMP%\vbc1.tmp
- %TEMP%\teuveaw.exe
- %TEMP%\svchost.exe
- %TEMP%\uRd.resources
- %TEMP%\MSNPSharp.dll
- %TEMP%\8b42uA3ND.resources
- %HOMEPATH%\xoeva.exe
- %TEMP%\lsl8nvas.out
- %TEMP%\lsl8nvas.cmdline
- %TEMP%\lsl8nvas.0.vb
- %TEMP%\windowsupdate.ico
- %TEMP%\RES8.tmp
- %TEMP%\vbc7.tmp
- C:\oonthd.exe
- C:\autorun.inf
- %TEMP%\mmbblq.exe
- %TEMP%\whatdafock.txt
- %TEMP%\cuSTbpJ.resources
- %TEMP%\FcSLyS.resources
- C:\oonthd.exe
- <Drive name for removable media>:\xoeva.exe
- C:\autorun.inf
- %HOMEPATH%\xoeva.exe
- <Drive name for removable media>:\autorun.inf
- %TEMP%\upfnp-oh.out
- %TEMP%\upfnp-oh.cmdline
- %TEMP%\CshEtX.resources
- %TEMP%\jvnfu.exe
- %TEMP%\lW.resources
- %TEMP%\winqjcup.exe
- <DRIVERS>\fmmmg.sys
- %TEMP%\RESD.tmp
- %TEMP%\upfnp-oh.0.vb
- %TEMP%\vbcC.tmp
- %TEMP%\ymrum.exe
- %TEMP%\WgM.resources
- %TEMP%\ia5ctluw.0.vb
- %TEMP%\E.resources
- <Drive name for removable media>:\Porn_backup.exe
- %TEMP%\winmjwb.exe
- %TEMP%\RES10.tmp
- %TEMP%\winsrdlu.exe
- %TEMP%\vbcF.tmp
- %TEMP%\ia5ctluw.out
- %TEMP%\ia5ctluw.cmdline
- %TEMP%\6-mzrker.exe
- %TEMP%\6-mzrker.0.vb
- %TEMP%\6-mzrker.out
- <Drive name for removable media>:\Sexy.exe
- %TEMP%\mmbblq.exe
- %TEMP%\teuveaw.exe
- %TEMP%\svchost.exe
- %TEMP%\RES2.tmp
- %TEMP%\6-mzrker.cmdline
- %TEMP%\vbc1.tmp
- <Drive name for removable media>:\Porn.exe
- %TEMP%\FcSLyS.resources
- %TEMP%\lsl8nvas.0.vb
- %TEMP%\cuSTbpJ.resources
- %TEMP%\windowsupdate.ico
- <Drive name for removable media>:\Passwords_backup.exe
- %TEMP%\RES8.tmp
- <Drive name for removable media>:\Passwords.exe
- %TEMP%\vbc7.tmp
- %TEMP%\lsl8nvas.out
- %TEMP%\lsl8nvas.cmdline
- 'www.ca###rdesk.org':80
- 'ar####.niria.biz':80
- 'am##mex.com':80
- '17#.#3.169.14':80
- 'ns#.###nsearcher.net':8000
- 'al###wry.org':80
- ar####.niria.biz/xs.jpg?4d###########
- am##mex.com/xs.jpg?4f###########
- al###wry.org/images/xs.jpg?4b###########
- www.ca###rdesk.org/images/xs.jpg?4c###########
- DNS ASK ar####.niria.biz
- DNS ASK am##mex.com
- DNS ASK ap###-pie.in
- DNS ASK ns#.###nsearcher.net
- DNS ASK al###wry.org
- DNS ASK www.ca###rdesk.org
- ClassName: 'Indicator' WindowName: '(null)'