Trojan.Hosts.47233

Added to the Dr.Web virus database: 2020-02-17

Virus description added:

Technical Information

To ensure autorun and distribution
Modifies the following registry keys
  • [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ntoskrnl' = '"%APPDATA%\WISInternal\ntoskrnl.exe" '
  • [<HKLM>\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = 'NULL'
  • [<HKLM>\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe] 'Debugger' = 'NULL'
  • [<HKLM>\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe] 'Debugger' = 'NULL'
  • [<HKLM>\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mseinstall.exe] 'Debugger' = 'NULL'
  • [<HKLM>\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe] 'Debugger' = 'NULL'
  • [<HKLM>\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe] 'Debugger' = 'NULL'
  • [<HKLM>\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DoScan.exe] 'Debugger' = 'NULL'
  • [<HKLM>\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe] 'Debugger' = 'NULL'
  • [<HKLM>\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safebox.exe] 'Debugger' = 'NULL'
  • [<HKLM>\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe] 'Debugger' = 'NULL'
  • [<HKLM>\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McInst.exe] 'Debugger' = 'NULL'
  • [<HKLM>\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe] 'Debugger' = 'NULL'
  • [<HKLM>\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe] 'Debugger' = 'NULL'
  • [<HKLM>\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccEvtMgr.exe] 'Debugger' = 'NULL'
  • [<HKLM>\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com] 'Debugger' = 'NULL'
  • [<HKLM>\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSetMgr.exe] 'Debugger' = 'NULL'
  • [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'gAYRUEIcUfDIAmhtKBxotDIRxxg' = '"S:\tEUvcZvIcthRxSxclPRgDlWxfA.exe"'
  • [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'IIcAAhmKWYWttJZPPKWlBmJAhtPUtIEBPBBmU' = '"G:\SKnxtEZnJSQtfBccfQmWhBvSSIIgvIJSU.exe"'
  • [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ImWJgRJvQSPooSlAQKxZEhZEgKWUtIYPZvvZt' = '"Z:\cQKcJBchvRSPZotKDBIDWWYgoWWQhnZfJQhf.exe"'
Creates the following services
  • [<HKLM>\System\CurrentControlSet\Services\MicrosoftSecurityCenter] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\MicrosoftSecurityCenter] 'ImagePath' = '%APPDATA%\WISInternal\ntoskrnl.exe'
Modifies file system
Creates the following files
  • %APPDATA%\wisinternal\ntoskrnl.exe
  • %TEMP%\nv04d2.tmp
  • <Current directory>\microsoftcriticalupdate.exe
Modifies the HOSTS file.
Miscellaneous
Creates and executes the following
  • '%APPDATA%\wisinternal\ntoskrnl.exe'
  • '<Current directory>\microsoftcriticalupdate.exe'
Executes the following
  • '%WINDIR%\syswow64\cmd.exe' ipconfig /flushdns
  • '%WINDIR%\syswow64\cmd.exe' bcdedit /deletevalue {current} safeboot
  • '%WINDIR%\syswow64\cmd.exe' Reg add "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionSystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
  • '%WINDIR%\syswow64\cmd.exe' Reg add "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionWindowsUpdateAuto Update" /v AUOptions /t REG_DWORD /d 1 /f
  • '%WINDIR%\syswow64\cmd.exe' /c powershell Set-MpPreference -DisableRealTimeMonitoring $true;Set-MpPreference -DisableBehaviorMonitoring $true
  • '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableRealTimeMonitoring $true;Set-MpPreference -DisableBehaviorMonitoring $true

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and any removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.


  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount, or you see some other announcement that prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet into safe mode (depending on the operating system version and the specifications of the particular mobile device, this procedure can be performed in various ways; consult the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android on the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.
