Worm.Win32.AutoRun.amf
From Total Malware Info
Worm.Win32.AutoRun.amf is a worm that creates copies of itself on local drives and on writable network resources. It is a Windows application (PE EXE file), 24958 bytes in size. It is packed with Upack; the unpacked size is 159 KB.
Installation
Copies its executable file as:
%Program Files%\Common Files\Microsoft Shared\<rnd>.exe
%Program Files%\Common Files\System\<rnd>.exe
%Program Files%\meex.exe
where <rnd> is a sequence of 7 uppercase Latin letters. To start automatically at the next system boot, the worm adds references to its executable file to the autorun keys of the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<rnd>=%Program Files%\Common Files\System\<rnd>.exe
<rnd>=%Program Files%\Common Files\Microsoft Shared\<rnd>.exe
where <rnd> is a sequence of 7 uppercase Latin letters. It also creates the files:
%Program Files%\Common Files\Microsoft Shared\<rnd>.inf
%Program Files%\Common Files\System\<rnd>.inf
%Program Files%\<rnd>.inf
This file is 169 bytes in size and is not detected by Kaspersky Anti-Virus as a malicious object.
Propagation
Copies its executable file to the root of every partition under a name of the following form:
<rnd>.exe
where <rnd> is a sequence of 7 uppercase Latin letters. Together with its executable file, the worm also places an accompanying file in the root of the partition:
<X>:\autorun.inf, where X is the letter of the removable partition.
This file launches the worm's executable every time the user opens the infected partition in Windows Explorer.
Destructive activity
Terminates processes with the following names:
Ras.exe avp.com avp.exe runiep.exe PFW.exe FYFireWall.exe rfwmain.exe rfwsrv.exe KAVPF.exe KPFW32.exe nod32kui.exe nod32.exe Navapsvc.exe Navapw32.exe avconsol.exe webscanx.exe NPFMntor.exe vsstat.exe KPfwSvc.exe RavTask.exe Rav.exe RavMon.exe mmsk.exe WoptiClean.exe QQKav.exe QQDoctor.exe EGHOST.exe 360Safe.exe iparmo.exe adam.exe IceSword.exe 360rpt.exe 360tray.exe AgentSvr.exe AppSvc32.exe autoruns.exe avgrssvc.exe AvMonitor.exe CCenter.exe ccSvcHst.exe FileDsty.exe FTCleanerShell.exe HijackThis.exe Iparmor.exe isPwdSvc.exe kabaload.exe KaScrScn.SCR KASMain.exe KASTask.exe KAV32.exe KAVDX.exe KAVPFW.exe KAVSetup.exe KAVStart.exe KISLnchr.exe KMailMon.exe KMFilter.exe KPFW32X.exe KPFWSvc.exe KRegEx.exe KRepair.com KsLoader.exe KVCenter.kxp KvDetect.exe KvfwMcl.exe KVMonXP.kxp KVMonXP_1.kxp kvol.exe kvolself.exe KvReport.kxp KVScan.kxp KVSrvXP.exe KVStub.kxp kvupload.exe kvwsc.exe KvXP.kxp KvXP_1.kxp KWatch.exe KWatch9x.exe KWatchX.exe loaddll.exe MagicSet.exe mcconsol.exe mmqczj.exe nod32krn.exe PFWLiveUpdate.exe QHSET.exe RavMonD.exe RavStub.exe RegClean.exe rfwcfg.exe RfwMain.exe RsAgent.exe Rsaupd.exe safelive.exe scan32.exe shcfg32.exe SmartUp.exe SREng.EXE symlcsvc.exe SysSafe.exe TrojanDetector.exe Trojanwall.exe TrojDie.kxp UIHost.exe UmxAgent.exe UmxAttachment.exe UmxCfg.exe UmxFwHlp.exe UmxPol.exe UpLive.exe upiea.exe AST.exe ArSwp.exe USBCleaner.exe rstrui.exe
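Changes registry values so that each targeted executable name gets a "Debugger" value pointing to the worm's copy, in the form shown here, where <name> stands for the executable file name:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<name>] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe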
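The Run values from the Installation section and the Image File Execution Options "Debugger" values described here can be checked offline against a registry export. The following Python code is an added example, not part of the original description; the function names and the sample export are constructed for illustration, and it assumes the text format that reg export writes.

```python
import re

# Directories the description names for the copies referenced from the registry.
WORM_DIRS = ("\\common files\\microsoft shared", "\\common files\\system")
WORM_NAME = re.compile(r"[A-Z]{7}\.exe")  # <rnd>: 7 uppercase Latin letters
IFEO = ("software\\microsoft\\windows nt\\currentversion\\"
        "image file execution options\\")
RUN = "software\\microsoft\\windows\\currentversion\\run"

SECTION = re.compile(r"^\[(.+)\]$")
# REG_SZ line in a .reg file: "name"="data" with \\ and \" escapes.
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample in reg export format (not taken from a real system).
# Real exports are UTF-16: read them with open(path, encoding="utf-16").
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"QWERTYU"="C:\\Program Files\\Common Files\\System\\QWERTYU.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\ZXCVBNM.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\ZXCVBNM.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\dbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe]
"GlobalFlag"=dword:00000000
"""


def unescape(s):
    """Undo .reg string escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def looks_like_worm_copy(data):
    """True if data is <dir>\\<7 uppercase letters>.exe in a described folder."""
    path = data.strip().strip('"')
    folder, _, name = path.rpartition("\\")
    return bool(WORM_NAME.fullmatch(name)) and folder.lower().endswith(WORM_DIRS)


def scan_reg_export(text):
    """Return (kind, subject, data) tuples for suspicious string values.

    kind is "run-worm", "ifeo-worm" or "ifeo-other". Any IFEO Debugger value
    is reported, because Windows starts the named debugger in place of the
    image; "ifeo-other" marks ones that do not match the worm's path pattern.
    """
    findings = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            # Drop the first path component (the hive) and compare lower-case.
            key = m.group(1).partition("\\")[2].lower()
            continue
        m = STRING_VALUE.match(line)
        if not m:
            continue  # blank line, file header, or non-string data (dword:, hex:)
        name, data = unescape(m.group(1)), unescape(m.group(2))
        if key.startswith(IFEO) and name.lower() == "debugger":
            image = key[len(IFEO):]
            kind = "ifeo-worm" if looks_like_worm_copy(data) else "ifeo-other"
            findings.append((kind, image, data))
        elif key == RUN and looks_like_worm_copy(data):
            findings.append(("run-worm", name, data))
    return findings


if __name__ == "__main__":
    for kind, subject, data in scan_reg_export(SAMPLE_EXPORT):
        print(f"{kind:10} {subject:16} -> {data}")
```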
Downloads files from the following links:
http://www.******.com/TDown1.exe
http://www.******.com/ReadDown.txt
(at the time this description was written, none of the links were working) and saves them to the folder:
%WinDir%\Program Files
after which it runs them. Deletes the following files from the %System% folder:
niu.exe sbl.dll wniapsvr.exe Shell.exe Shell.pci crsss.exe chost.exe dream.exe ctfm0n.exe NATIVE.EXE directx.exe progmon.exe internt.exe SoftDLL.dll MySetup.exe SocksA.exe algssl.exe plmmsbl.dll servver.exe chostbl.exe lovesbl.dll netdde .exe svrhost.dll wnipsvr.exe Session.exe algsrvs.exe msfun80.exe msime82.exe msime80.exe msfir80.exe fixfile.exe WMDSINFO.dll Mcshie1d.exe Exp1orer.exe compobj32.dll snownClean.exe css.css
Removal recommendations
If your computer was not protected by an antivirus and has been infected with this malicious program, take the following steps to remove it:
- Use <Task Manager> to terminate the malicious process.
- Delete the original worm file (its location on the infected computer depends on how the program got onto the computer).
- Delete the values in the system registry keys (the Run and Image File Execution Options entries the worm created, described above):
- Delete the files:
Options\PFWLiveUpdate.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\irsetup.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe] "Debugger" = 
C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe] "Debugger" = C:\Program Files\Common 
Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upiea.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBCleaner.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQSC.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ghost.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastU3.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.com] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe
%Program Files%\Common Files\Microsoft Shared\<rnd>.exe
%Program Files%\Common Files\System\<rnd>.exe
%Program Files%\meex.exe
<X>:\<rnd>.exe
E:\autorun.inf
%Program Files%\Common Files\Microsoft Shared\<rnd>.inf
%Program Files%\Common Files\System\<rnd>.inf
%Program Files%\<rnd>.inf
where X is the letter of the removable drive.
- Delete the folder and all of its contents:
%WinDir%\Program Files
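An added example, not part of the original entry: a small audit of a registry export for the persistence described here, namely `Debugger` values under `Image File Execution Options` and `Run` entries that point at the listed drop paths. The sample export, the names `QWERTYU` and `ABCDEFG`, and the function names are constructed for illustration.

```python
import re

# Constructed sample in `reg export` text format; values are illustrative, not from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\QWERTYU.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Tools\\procexp.exe\" /z"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ABCDEFG"="C:\\Program Files\\Common Files\\System\\ABCDEFG.exe"
'''

IFEO_RE = re.compile(r'\\Image File Execution Options\\([^\\\]]+)$', re.I)
RUN_RE = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run$', re.I)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Drop locations named on the page; <rnd> is exactly 7 upper-case Latin letters.
DROP_RE = re.compile(r'(?i:\\Common Files\\(?:Microsoft Shared|System)\\)[A-Z]{7}(?i:\.exe)\b'
                     r'|(?i:\\Program Files\\meex\.exe)\b')

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            # .reg files escape backslashes and quotes inside string data
            name, data = (re.sub(r'\\(.)', r'\1', g) for g in m.groups())
            yield key, name, data

def audit(text):
    """Flag IFEO Debugger values and Run entries; mark those on the page's drop paths."""
    findings = []
    for key, name, data in parse_reg(text):
        ifeo = IFEO_RE.search(key)
        if ifeo and name.lower() == 'debugger':
            verdict = 'worm-path' if DROP_RE.search(data) else 'review'
            findings.append(('ifeo', ifeo.group(1), data, verdict))
        elif RUN_RE.search(key) and DROP_RE.search(data):
            findings.append(('run', name, data, 'worm-path'))
    return findings

if __name__ == '__main__':
    for finding in audit(SAMPLE_REG):
        print(finding)
```

Files written by `reg export` are UTF-16, so read them with `encoding='utf-16'` before passing the text to `audit`. A `review` verdict marks any other `Debugger` value, which is worth a manual look because legitimate uses of this value are rare.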





