Adds the value:
"winshost.exe"="%WINDIR%\system32\winshost.exe"
to the keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
to make sure it runs at startup.
Also adds the value:
"FirstRunRR"=1
to the key:
[HKEY_CURRENT_USER\Software\FirstRun]
as an infection marker.
Tries to delete the values:
APVXDWIN
avg7_cc
avg7_emc
ccApp
KAV50
McAfee Guardian
McAfee.InstantUpdate.Monitor
NAV CfgWiz
SSC_UserPrompt
Symantec NetDriver Monitor
Zone Labs Client
from the key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
and tries to delete the keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec]
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab]
[HKEY_LOCAL_MACHINE\SOFTWARE\Agnitum]
[HKEY_LOCAL_MACHINE\SOFTWARE\Panda Software]
[HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs]
Disables services by setting the value:
"Start"=4
in the keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%service_name%]
for the following values of %service_name%:
Ahnlab task Scheduler
alerter
AlertManger
AVExch32Service
avg7alrt
avg7updsvc
AvgCore
AvgFsh
AvgServ
avpcc
AVPCC
AVUPDService
AvxIni
awhost32
backweb client - 4476822
BackWeb Client - 7681197
backweb client-4476822
BlackICE
CAISafe
ccEvtMgr
ccPwdSvc
ccSetMgr
ccSetMgr.exe
DefWatch
dvpapi
dvpinit
fsbwsys
FSDFWD
fsdfwd
F-Secure Gatekeeper Handler Starter
KAVMonitorService
kavsvc
KLBLMain
McAfee Firewall
McAfeeFramework
McShield
McTaskManager
mcupdmgr.exe
MCVSRte
MonSvcNT
navapsvc
Network Associates Log Service
NISSERV
NISUM
NOD32ControlCenter
NOD32Service
Norman NJeeves
Norman ZANDA
Norton Antivirus Server
NPFMntor
NProtectService
NSCTOP
nvcoas
NVCScheduler
nwclntc
nwclntd
nwclnte
nwclntf
nwclntg
nwclnth
NWService
Outbreak Manager
Outpost Firewall
OutpostFirewall
PASSRV
PAVFNSVR
Pavkre
PavProt
PavPrSrv
PAVSRV
PCCPFW
PersFW
PREVSRV
PSIMSVC
ravmon8
SAVFMSE
SAVScan
SBService
schscnt
sharedaccess
SharedAccess
SmcService
SNDSrvc
SPBBCSvc
SweepNet
SWEEPSRV.SYS
Symantec AntiVirus Client
Symantec Core LC
Tmntsrv
V3MonNT
V3MonSvc
VexiraAntivirus
VisNetic AntiVirus Plug-in
vsmon
wuauserv
XCOMM
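
Added example (not part of the original description): a Python check that scans a text registry export (.reg format) for the changes listed above. The sample export, the watched-service subset and the function names are constructed for illustration; the marker value is assumed to be exported as a DWORD or as the string "1".

```python
import re

# Indicators from the description above. Key paths are compared lowercased.
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
MARKER_KEY = r"hkey_current_user\software\firstrun"
SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"
# Subset of the targeted service names listed above; extend as needed.
WATCHED = {"wuauserv", "sharedaccess", "mcshield", "navapsvc", "vsmon", "kavsvc"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample in .reg export format (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winshost.exe"="C:\\WINDOWS\\system32\\winshost.exe"
[HKEY_CURRENT_USER\Software\FirstRun]
"FirstRunRR"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000002
'''

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1).lower()] = m.group(2)
    return keys

def find_indicators(text):
    """List (kind, detail) findings for triage; one hit alone is not proof."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.endswith(RUN_SUFFIX) and "winshost.exe" in values:
            findings.append(("run_entry", key))
        if key == MARKER_KEY and values.get("firstrunrr") in ("dword:00000001", '"1"'):
            findings.append(("infection_marker", key))
        name = key[len(SERVICES):] if key.startswith(SERVICES) else None
        # Start=4 marks a service as disabled.
        if name in WATCHED and values.get("start") == "dword:00000004":
            findings.append(("service_disabled", name))
    return findings

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE):
        print(finding)
```

Files written by `reg export` are UTF-16, so decode them before passing the text to find_indicators.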