Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ccApm' = '%WINDIR%\msn.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Norton' = '%WINDIR%\msn.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\vdzones\cmss.exe' = '%WINDIR%\vdzones\cmss.exe:*:Enabled:cmss.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\msn.exe' = '%WINDIR%\msn.exe:*:Enabled:Transparent Proxy Server'
- Hidden files:
- %WINDIR%\msn.exe
- %WINDIR%\vdzones\lsass.exe
- %TEMP%\Compress0\desktop.exe
- %WINDIR%\vdzones\cmss.exe
- <SYSTEM32>\net1.exe localgroup users /Add RemoteAdmin
- <SYSTEM32>\net1.exe localgroup users /Delete RemoteAdmin
- <SYSTEM32>\net1.exe localgroup "Remote Desktop Users" /Add RemoteAdmin
- <SYSTEM32>\cacls.exe %WINDIR%\vdzones /G Everyone:f
- <SYSTEM32>\cacls.exe %PROGRAM_FILES%\Accessories\Common /G Everyone:f
- <SYSTEM32>\net1.exe user RemoteAdmin ecotopia /add
- bdss.exe
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian]
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000001'
- %TEMP%\Compress0\winsyst32.exe
- %TEMP%\Compress0\msn.exe
- %TEMP%\Compress0\oem.dll
- %TEMP%\Compress0\ass.dll
- %TEMP%\Compress0\hpreg.dll
- %TEMP%\Compress0\unir.exe
- %TEMP%\Compress0\svers.dll
- %TEMP%\Compress0\MSWINSCK.OCX
- %TEMP%\Compress0\inmsg.dll
- %TEMP%\Compress0\port.dll
- %TEMP%\Compress0\dete.dll
- %TEMP%\Compress0\ftpa.dll
- %TEMP%\Compress0\ftde.dll
- %TEMP%\Compress0\update.dll
- %TEMP%\Compress0\inter.dll
- %TEMP%\Compress0\scan.dll
- %TEMP%\Compress0\inuser.dll
- %TEMP%\Compress0\desktop.exe
- %PROGRAM_FILES%\Accessories\Common\desktop.ini
- %WINDIR%\slog.dll
- %WINDIR%\hpreg.dll
- <SYSTEM32>\MSWINSCK.OCX
- %PROGRAM_FILES%\Accessories\Common\WebsitesDetail.txt
- %PROGRAM_FILES%\Accessories\Common\clog.txt
- %PROGRAM_FILES%\Accessories\Common\OnlineTime.txt
- %PROGRAM_FILES%\Accessories\Common\WebsitesSummary.txt
- %WINDIR%\ziplog.txt
- %WINDIR%\vdzones\lsass.exe
- %WINDIR%\vdzones\cmss.exe
- %TEMP%\Compress0\services.exe
- %WINDIR%\ruto32.exe
- %WINDIR%\refsdm.dll
- %WINDIR%\msn.exe
- %WINDIR%\svers.dll
- %TEMP%\Compress0\ftps.dll
- %TEMP%\Compress0\rvport.dll
- %TEMP%\Compress0\ushost.dll
- %TEMP%\Compress0\mail.dll
- %TEMP%\Compress0\rvhost.dll
- %TEMP%\Compress0\rwci.dll
- %TEMP%\Compress0\rwcs.dll
- %TEMP%\Compress0\pwhost.dll
- %TEMP%\Compress0\rwce.dll
- %TEMP%\Compress0\mailsc.dll
- %TEMP%\Compress0\picture.dll
- %TEMP%\Compress0\refsdm.dll
- %TEMP%\nsu2.tmp
- %TEMP%\Compress0\Blue hills.jpg
- %TEMP%\Compress0\mailkl.dll
- %TEMP%\Compress0\delkl.dll
- %TEMP%\Compress0\user.dll
- %TEMP%\Compress0\type.dll
- %TEMP%\Compress0\scen.dll
- %TEMP%\Compress0\seek.dll
- %TEMP%\Compress0\ziplog.txt
- %TEMP%\Compress0\resu.dll
- %TEMP%\Compress0\ssap.dll
- %TEMP%\Compress0\ftsv.dll
- %TEMP%\Compress0\ftus.dll
- %TEMP%\Compress0\seekil.dll
- %TEMP%\Compress0\ften.dll
- %TEMP%\Compress0\weben.dll
- %TEMP%\Compress0\scloc.dll
- %TEMP%\Compress0\sccle.dll
- %TEMP%\Compress0\scint.dll
- %TEMP%\Compress0\scint2.dll
- %TEMP%\Compress0\dunin.dll
- %TEMP%\Compress0\rmdesk.dll
- %TEMP%\Compress0\scday.dll
- %TEMP%\Compress0\unin.dll
- %WINDIR%\hpreg.dll
- '69.#6.18.49':37
- '69.#6.18.49':14001
- ClassName: 'NDDEAgnt' WindowName: 'NetDDE Agent'
- ClassName: 'Shell_TrayWnd' WindowName: ''