Trojan.DownLoader11.25851

Added to the Dr.Web virus database: 2014-08-06

Virus description added:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • %WINDIR%\Tasks\Flash Update.job
Malicious functions:
Creates and executes the following:
  • '%TEMP%\KMSpico\AutoPico.exe'
  • '%TEMP%\KMSpico.exe'
Executes the following:
  • '<SYSTEM32>\msiexec.exe' -Embedding 05240024F3181BD05946D9B103E192DF M Global\MSI0000
  • '<SYSTEM32>\cmd.exe' /c ""%TEMP%\KMSpico\portable.cmd" "
  • '<SYSTEM32>\msiexec.exe' -Embedding 7D54C02024A55181745E5CF1AA27D9DC
  • '<SYSTEM32>\msiexec.exe' /i "%APPDATA%\KMSpico 9.3.1\KMSpico 9.3.1 1.0.1\install\KMSpico 9.3.1.msi" AI_SETUPEXEPATH=<Full path to virus> SETUPEXEDIR=<Current directory>\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
  • '<SYSTEM32>\msiexec.exe' /V
Terminates or attempts to terminate the following user processes:
  • iexplore.exe
  • chrome.exe
Modifies file system:
Creates the following files:
  • %TEMP%\KMSpico\cert\kmscert2013\Word\Licenses.sl.ISSUANCE.CLIENT_UL_OOB.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Standard\Licenses.sl.PKEYCONFIG.SIGNED.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Publisher\Licenses.sl.ISSUANCE.CLIENT_UL_OOB.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\PowerPoint\Licenses.sl.ISSUANCE.CLIENT_UL_OOB.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\VisioPro\Licenses.sl.ISSUANCE.CLIENT_UL_OOB.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\ProPlus\Licenses.sl.ISSUANCE.CLIENT_UL_OOB.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\ProjectStd\Licenses.sl.PKEYCONFIG.SIGNED.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Excel\Licenses.sl.PKEYCONFIG.SIGNED.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Lync\Licenses.sl.PKEYCONFIG.SIGNED.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\ProjectPro\Licenses.sl.PKEYCONFIG.SIGNED.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Access\Licenses.sl.PKEYCONFIG.SIGNED.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\InfoPath\Licenses.sl.PKEYCONFIG.SIGNED.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\OneNote\Licenses.sl.PKEYCONFIG.SIGNED.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Outlook\Licenses.sl.PKEYCONFIG.SIGNED.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\VisioStd\Licenses.sl.ISSUANCE.CLIENT_UL.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Word\Licenses.sl.ISSUANCE.CLIENT_UL.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Standard\Licenses.sl.ISSUANCE.CLIENT_UL_OOB.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Publisher\Licenses.sl.ISSUANCE.CLIENT_UL.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\PowerPoint\Licenses.sl.ISSUANCE.CLIENT_UL.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\VisioPro\Licenses.sl.ISSUANCE.CLIENT_UL.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\ProPlus\Licenses.sl.ISSUANCE.CLIENT_UL.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\ProjectStd\Licenses.sl.ISSUANCE.CLIENT_UL_OOB.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Excel\Licenses.sl.ISSUANCE.CLIENT_UL_OOB.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Lync\Licenses.sl.ISSUANCE.CLIENT_UL_OOB.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\ProjectPro\Licenses.sl.ISSUANCE.CLIENT_UL_OOB.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Access\Licenses.sl.ISSUANCE.CLIENT_UL_OOB.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\InfoPath\Licenses.sl.ISSUANCE.CLIENT_UL_OOB.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\OneNote\Licenses.sl.ISSUANCE.CLIENT_UL_OOB.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Outlook\Licenses.sl.ISSUANCE.CLIENT_UL_OOB.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\InfoPath\InfoPath_MAK.OOB.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\InfoPath\InfoPath_MAK.PHN.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\InfoPath\InfoPath_MAK.PL.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\InfoPath\InfoPath_KMS_Client.RAC_Pub.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\InfoPath\InfoPath_KMS_Client.PL.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\InfoPath\InfoPath_KMS_Client.PPDLIC.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\InfoPath\InfoPath_KMS_Client.RAC_Priv.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\InfoPath\InfoPath_MAK.PPDLIC.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Outlook\Licenses.sl.ISSUANCE.CLIENT_BRIDGE_OFFICE.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Access\Licenses.sl.ISSUANCE.CLIENT_BRIDGE_OFFICE.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Excel\Licenses.sl.ISSUANCE.CLIENT_BRIDGE_OFFICE.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\OneNote\Licenses.sl.ISSUANCE.CLIENT_BRIDGE_OFFICE.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Standard\Licenses.sl.ISSUANCE.CLIENT_BRIDGE_OFFICE.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\ProjectStd\Licenses.sl.ISSUANCE.CLIENT_BRIDGE_OFFICE.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\InfoPath\Licenses.sl.ISSUANCE.CLIENT_BRIDGE_OFFICE.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\Excel\Excel_MAK.PPDLIC.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\Groove\Groove_KMS_Client.OOB.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\Groove\Groove_KMS_Client.PL.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\Excel\Excel_MAK.PL.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\Excel\Excel_KMS_Client.RAC_Pub.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\Excel\Excel_MAK.OOB.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\Excel\Excel_MAK.PHN.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\Groove\Groove_KMS_Client.PPDLIC.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\Groove\Groove_MAK.PL.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\Groove\Groove_MAK.PPDLIC.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\InfoPath\InfoPath_KMS_Client.OOB.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\Groove\Groove_MAK.PHN.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\Groove\Groove_KMS_Client.RAC_Priv.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\Groove\Groove_KMS_Client.RAC_Pub.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2010\Groove\Groove_MAK.OOB.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Lync\Licenses.sl.ISSUANCE.CLIENT_BRIDGE_OFFICE.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Publisher\Licenses.sl.ISSUANCE.CLIENT_ROOT.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\VisioStd\Licenses.sl.ISSUANCE.CLIENT_ROOT.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Word\Licenses.sl.ISSUANCE.CLIENT_ROOT.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\ProPlus\Licenses.sl.ISSUANCE.CLIENT_ROOT.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\ProjectPro\Licenses.sl.ISSUANCE.CLIENT_ROOT.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\PowerPoint\Licenses.sl.ISSUANCE.CLIENT_ROOT.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\VisioPro\Licenses.sl.ISSUANCE.CLIENT_ROOT.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Standard\Licenses.sl.ISSUANCE.CLIENT_ROOT_BRIDGE_TEST.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Access\Licenses.sl.ISSUANCE.CLIENT_ROOT_BRIDGE_TEST.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Excel\Licenses.sl.ISSUANCE.CLIENT_ROOT_BRIDGE_TEST.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Lync\Licenses.sl.ISSUANCE.CLIENT_ROOT_BRIDGE_TEST.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Outlook\Licenses.sl.ISSUANCE.CLIENT_ROOT_BRIDGE_TEST.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\ProjectStd\Licenses.sl.ISSUANCE.CLIENT_ROOT_BRIDGE_TEST.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\InfoPath\Licenses.sl.ISSUANCE.CLIENT_ROOT_BRIDGE_TEST.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\OneNote\Licenses.sl.ISSUANCE.CLIENT_ROOT_BRIDGE_TEST.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Publisher\Licenses.sl.ISSUANCE.CLIENT_BRIDGE_OFFICE.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\VisioStd\Licenses.sl.ISSUANCE.CLIENT_BRIDGE_OFFICE.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Word\Licenses.sl.ISSUANCE.CLIENT_BRIDGE_OFFICE.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\ProPlus\Licenses.sl.ISSUANCE.CLIENT_BRIDGE_OFFICE.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\ProjectPro\Licenses.sl.ISSUANCE.CLIENT_BRIDGE_OFFICE.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\PowerPoint\Licenses.sl.ISSUANCE.CLIENT_BRIDGE_OFFICE.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\VisioPro\Licenses.sl.ISSUANCE.CLIENT_BRIDGE_OFFICE.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Standard\Licenses.sl.ISSUANCE.CLIENT_ROOT.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Access\Licenses.sl.ISSUANCE.CLIENT_ROOT.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Excel\Licenses.sl.ISSUANCE.CLIENT_ROOT.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Lync\Licenses.sl.ISSUANCE.CLIENT_ROOT.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\Outlook\Licenses.sl.ISSUANCE.CLIENT_ROOT.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\ProjectStd\Licenses.sl.ISSUANCE.CLIENT_ROOT.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\InfoPath\Licenses.sl.ISSUANCE.CLIENT_ROOT.xrm-ms
  • %TEMP%\KMSpico\cert\kmscert2013\OneNote\Licenses.sl.ISSUANCE.CLIENT_ROOT.xrm-ms
Deletes the following files:
Network activity:
Connects to:
  • '1.###l.ntp.org':123
UDP:
  • DNS ASK 1.###l.ntp.org
Miscellaneous:
Searches for the following windows:
  • ClassName: 'Shell_TrayWnd' WindowName: '(null)'
Adds a root certificate
Modifies value of AutoConfigURL parameter

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and any removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount, or you see some other announcement that prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet into safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android on the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.
