Yes, avast! detects this spyware as Win32:FinSpy-B [Trj] coming with the firefox executable firefox.exe
You are being protected...
FinFisher manual removal
1. Stop the related process in task manager to force this system to exit
dotnetchk.exe
2. Find the following registry values in Registry Editor and remove them one by one (first back up the registry and save this backup)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"FinFisher" = "C:\progra~1\common~1\cmx1\start.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CBDCB339-21C1-4834-9572-51ECC329ABD7}
HKEY_LOCAL_MACHINE\SOFTWARE\FinFisher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\2FABB6478E3EAB84C98C6D8AB6155523
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[RANDOM SID]\Components\858132C493B23D11E8D0000CF486730D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[RANDOM SID]\Products\933BCDBC1C124384592715CE3C92BA7D
HKEY_USERS\[RANDOM SID]\Software\Microsoft\Installer\Features\933BCDBC1C124384592715CE3C92BA7D
HKEY_USERS\[RANDOM SID]\Software\Microsoft\Installer\Products\933BCDBC1C124384592715CE3C92BA7D
HKEY_USERS\[RANDOM SID]\Software\Microsoft\Installer\UpgradeCodes\2FABB6478E3EAB84C98C6D8AB6155523
3.
%UserProfile%\Local Settings\Temp\cmx1\FinFisherR_SCREEN.DATETIME.[RANDOM DATE AND TIME].png
%UserProfile%\Local Settings\Application Data\Protexis\UserSettings.xml
%UserProfile%\Local Settings\Temp\CFGD.tmp
%UserProfile%\Local Settings\Temp\cmx1\FinFisherR_KEY.klog.html
%UserProfile%\Local Settings\Temp\VSDB.tmp\DotNetFX\dotnetchk.exe
%UserProfile%\Local Settings\Temp\VSDB.tmp\install.log
%UserProfile%\Start Menu\Programs\FinFisher.lnk
C:\Documents and Settings\All Users\Application Data\Protexis\DL\[RANDOM NAME].dlf
C:\Documents and Settings\All Users\Application Data\Protexis\State\[RANDOM NAME].dls
%CommonProgramFiles%\cmx1\FinFisher.ico
%CommonProgramFiles%\cmx1\cmx1.dat
%CommonProgramFiles%\cmx1\setup_dot_net_checker.msi
%Windir%\Installer\[RANDOM NAME].msi
Notice that av solutions may detect this as Win32/Belesak.D and avast detects this as Win32:FinSpy-B [Trj]
But some may not detect Government trojans like this (in Skype); as with other security companies, av companies will actively cooperate with law enforcement agencies to not detect Government Trojans... so they might have agreed not to flag official government backdoors...
polonus
P.S. On FinSpy's proliferation:
https://citizenlab.org/2013/03/you-only-click-twice-finfishers-global-proliferation-2/
link article authors: Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri, and John Scott-Railton.
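
A read-only check for the process, registry entries and files named in the post above, as an added example that is not part of the original post. The function name `Find-ListedArtifact` is hypothetical, `*` stands in for the post's `[RANDOM SID]` and `[RANDOM DATE AND TIME]` placeholders, and the Protexis and `%Windir%\Installer\[RANDOM NAME].msi` entries are left out because a wildcard there would match unrelated files.

```powershell
# Read-only check: reports what exists, modifies and deletes nothing.
# Assumption: run from an elevated session so HKLM and HKEY_USERS are readable.
$keyPatterns = @(
    'HKLM:\SOFTWARE\FinFisher'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CBDCB339-21C1-4834-9572-51ECC329ABD7}'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\2FABB6478E3EAB84C98C6D8AB6155523'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\*\Components\858132C493B23D11E8D0000CF486730D'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\*\Products\933BCDBC1C124384592715CE3C92BA7D'
    'Registry::HKEY_USERS\*\Software\Microsoft\Installer\Features\933BCDBC1C124384592715CE3C92BA7D'
    'Registry::HKEY_USERS\*\Software\Microsoft\Installer\Products\933BCDBC1C124384592715CE3C92BA7D'
    'Registry::HKEY_USERS\*\Software\Microsoft\Installer\UpgradeCodes\2FABB6478E3EAB84C98C6D8AB6155523'
)
# File paths as listed in the post (Windows XP layout), for the current user only.
$filePatterns = @(
    "$env:USERPROFILE\Local Settings\Temp\cmx1\FinFisherR_SCREEN.DATETIME.*.png"
    "$env:USERPROFILE\Local Settings\Temp\cmx1\FinFisherR_KEY.klog.html"
    "$env:USERPROFILE\Local Settings\Temp\VSDB.tmp\DotNetFX\dotnetchk.exe"
    "$env:USERPROFILE\Start Menu\Programs\FinFisher.lnk"
    "$env:CommonProgramFiles\cmx1\FinFisher.ico"
    "$env:CommonProgramFiles\cmx1\cmx1.dat"
    "$env:CommonProgramFiles\cmx1\setup_dot_net_checker.msi"
    "$env:CommonProgramFiles\cmx1\start.exe"
)

function Find-ListedArtifact {
    # Step 1 of the post: the running process.
    Get-Process -Name 'dotnetchk' -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Type = 'Process'; Location = "PID $($_.Id)" }
    }
    # Step 2: the Run value, then the registry keys (wildcards expand per SID).
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'FinFisher' -ErrorAction SilentlyContinue
    if ($run) { [pscustomobject]@{ Type = 'RunValue'; Location = $run.FinFisher } }
    foreach ($pattern in $keyPatterns) {
        Get-Item -Path $pattern -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Type = 'RegistryKey'; Location = $_.Name }
        }
    }
    # Files from the list after step 3, including hidden ones.
    foreach ($pattern in $filePatterns) {
        Get-Item -Path $pattern -Force -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Type = 'File'; Location = $_.FullName }
        }
    }
}

Find-ListedArtifact | Format-Table -AutoSize
```

An empty table means none of the checked entries exist for the current user and machine hives; other user profiles need the file checks repeated against their profile directories.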