<Drive name for removable media>:\RECYCLER\S-1-6-20-9723590193-0193865940-937593904-1600\avgregmon.exe
<Drive name for removable media>:\RECYCLER\S-1-6-20-9723590193-0193865940-937593904-1600\Desktop.ini
Malicious functions:
To complicate detection of its presence in the operating system,
it forces the system to hide the following from view:
hidden files
blocks the following features:
System Restore (SR)
Creates and executes the following:
'<SYSTEM32>\avgcntl.exe'
Executes the following:
'<SYSTEM32>\ipconfig.exe' /flushdns
Injects code into
the following system processes:
%WINDIR%\Explorer.EXE
Terminates or attempts to terminate
the following user processes:
GUARD.EXE
fsav32.exe
nod32.exe
ntvdm.exe
spidernt.exe
fsav.exe
bdagent.exe
360tray.exe
bdss.exe
Drweb32w.exe
ClamWin.exe
Hides the following processes:
<SYSTEM32>\avgcntl.exe
Modifies file system:
Creates the following files:
<SYSTEM32>\avgcntl.exe
Sets the 'hidden' attribute to the following files:
<Drive name for removable media>:\RECYCLER\S-1-6-20-9723590193-0193865940-937593904-1600\avgregmon.exe
<SYSTEM32>\avgcntl.exe
Modifies the HOSTS file.
Deletes itself.
Network activity:
Connects to:
'25#.#55.255.255':6501
'25#.#55.255.255':6980
'25#.#55.255.255':22048
'25#.#55.255.255':7302
'25#.#55.255.255':31960
'or####.flash-adobe.info':9103
'da####.dwn-adobe.info':7302
'25#.#55.255.255':9103
'25#.#55.255.255':8764
UDP:
DNS ASK ho##.#wn-adobe.info
DNS ASK sp##.##ash-adobe.info
DNS ASK jo###.#rv-adobe.info
DNS ASK da####.dwn-adobe.info
DNS ASK or####.flash-adobe.info
Miscellaneous:
Searches for the following windows:
ClassName: 'Shell_TrayWnd' WindowName: '(null)'