Remove W32.Spybot.AVEO

W32.Spybot.AVEO also performs the following payloads:

It will modify Windows Registry and add the following entries:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”Windows Firewall Updater” = “windowsupdate.exe”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\”Windows Firewall Updater” = “windowsupdate.exe”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\”EnableRemoteConnect” = “N”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server\”Enabled” = “0”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\”AutoShareWks” = “0”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\”AutoShareServer” = “0”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\”windowsupdate.exe” = “C:\WINDOWS\system32\windowsupdate.exe:*:Enabled:Windows Firewall Updater”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”AllowUnqualifiedQuery” = “0”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”PrioritizeRecordData” = “1”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”TCP1320Opts” = “3”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”KeepAliveTime” = “23280”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”BcastQueryTimeout” = “2EE”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”BcastNameQueryCount” = “1”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”CacheTimeout” = “EA60”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”Size/Small/Medium/Large” = “3”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”LargeBufferSize” = “1000”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”SynAckProtect” = “2”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”PerformRouterDiscovery” = “0”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”EnablePMTUBHDetect” = “0”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”FastSendDatagramThreshold ” = “400”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”StandardAddressLength ” = “18”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”DefaultReceiveWindow ” = “4000”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”DefaultSendWindow” = “4000”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”BufferMultiplier” = “200”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”PriorityBoost” = “2”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”IrpStackSize” = “4”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”IgnorePushBitOnReceives” = “0”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”DisableAddressSharing” = “0”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”AllowUserRawAccess” = “0”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”DisableRawSecurity” = “0”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”DynamicBacklogGrowthDelta” = “32”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”FastCopyReceiveThreshold” = “400”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”LargeBufferListDepth” = “A”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”MaxActiveTransmitFileCount” = “2”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”MaxFastTransmit” = “40”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”OverheadChargeGranularity” = “1”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”SmallBufferListDepth” = “20”
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\”SmallerBufferSize” = “80”
• HKEY_CURRENT_USER\Software\Microsoft\OLE\”Windows Firewall Updater” = “windowsupdate.exe”

The threat will drop the following malicious file:

• %System%\windowsupdate.exe