Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'Windows Login Assistant' = '"%APPDATA%\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe"'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Windows Login Assistant' = '"%APPDATA%\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe"'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Windows Login Assistant' = '"%APPDATA%\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe"'
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773}] 'StubPath' = '"%APPDATA%\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe"'
- [<HKCU>\Software\Microsoft\Active Setup\Installed Components\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773}] 'StubPath' = '"%APPDATA%\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe"'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] 'Windows Login Assistant' = '"%APPDATA%\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe"'
- hidden files
- Registry Editor (RegEdit)
- System Restore (SR)
- '%APPDATA%\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe' /del <Full path to virus>
- '%APPDATA%\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe' <Full path to virus>
- '<SYSTEM32>\wbem\wmiadap.exe' /R /T
- %WINDIR%\Explorer.EXE
- spidernt.exe
- nod32.exe
- fsav32.exe
- ntvdm.exe
- zlclient.exe
- MCAGENT.EXE
- fsav.exe
- bdss.exe
- bdagent.exe
- 360tray.exe
- GUARD.EXE
- Drweb32w.exe
- ClamWin.exe
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoRun' = '00000001'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer] 'NoFolderOptions' = '00000001'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer] 'NoRun' = '00000001'
- %APPDATA%\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe
- %APPDATA%\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe
- %APPDATA%\S03-7323-GEYNAWT-2623-TGAW\Desktop.ini
- %APPDATA%\S03-7323-GEYNAWT-2623-TGAW\winlogon.exe
- %APPDATA%\S03-7323-GEYNAWT-2623-TGAW\Desktop.ini
- <SYSTEM32>\PerfStringBackup.TMP
- <SYSTEM32>\wbem\Performance\WmiApRpl.ini
- 'ni####.iroxusux.com':60500
- 'je####.izthewiz.net':60500
- '20#.#6.232.182':80
- 's0####.crkrxer.net':60500
- http://windowsupdate.microsoft.com/ via 20#.#6.232.182
- DNS ASK ni####.iroxusux.com
- DNS ASK je####.izthewiz.net
- DNS ASK windowsupdate.microsoft.com
- DNS ASK s0####.crkrxer.net
- ClassName: '' WindowName: 'Registry Editor'
- ClassName: '' WindowName: 'System Configuration Utility'
- ClassName: 'HijackThis' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'Indicator' WindowName: ''