TROJ_DROPPER.XXTUA
Trojan.Gamaredon (Symantec); Trojan.Win32.Generic!BT (Sunbelt)
Windows
Threat type:
Trojan
Destructive?:
No
Encrypted?:
In the wild:
Yes
Overview and description
It deletes files to prevent programs and applications from running correctly.
Technical details
Installation
It creates the following folders:
- %System Root%\DOCUME~1
- %System Root%\DOCUME~1\Wilbert
- %User Profile%\LOCALS~1
- %System Root%\MSI35ff4.tmp
- %System Root%\Config.Msi
- %System%\sysfiles
- %Windows%\Installer\{AB7AA605-500F-4153-8207-FB5563419112}
(Note: %System Root% is the root folder, usually C:\. It is also where the operating system is located. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
Other system modifications
It deletes the following files:
- %Windows%\Installer\MSIA.tmp
- %System Root%\Config.Msi\MSI14.tmp
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT. %System Root% is the root folder, usually C:\. It is also where the operating system is located.)
It deletes the following folders:
- %Program Files%\Remote Manipulator System - Server
- \Remote Manipulator System - Server
- %Windows%\syswow64\sysfiles
- %User Profile%\My Documents\My Pictures
- %Start Menu%\Programs\Administrative Tools
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003. %Start Menu% is the current user's Start Menu folder, which is usually C:\Windows\Profiles\{user name}\Start Menu on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu on Windows NT, and C:\Documents and Settings\{user name}\Start Menu on Windows 2000, XP, and Server 2003.)
It adds the following registry keys as part of its installation routine:
HKEY_CURRENT_USER\Software\WinRAR SFX
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F400EEAA9D3E45C4987CFE35BD77F4C5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E5052F47A02BDEA469F8EAB572D83BA8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6EDC4423414699340B5D245426472701
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E45BAE6295648E74689FC47BF4E730EB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6364F69515D55F943B4B3F3C669ECD32
HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\Usage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\Features
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\Patches
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media
It adds the following registry entries:
HKEY_CURRENT_USER\Software\WinRAR SFX
C%%DOCUME~1%Wilbert%LOCALS~1%Temp = "%User Temp%"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
%System Root%\Config.Msi\35ff6.rbs = "46ae69fd"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F400EEAA9D3E45C4987CFE35BD77F4C5
506AA7BAF00535142870BF5536141921 = "%System%\sysfiles"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E5052F47A02BDEA469F8EAB572D83BA8
506AA7BAF00535142870BF5536141921 = "%System%\sysfiles"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6EDC4423414699340B5D245426472701
506AA7BAF00535142870BF5536141921 = "%System%\sysfiles"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E45BAE6295648E74689FC47BF4E730EB
506AA7BAF00535142870BF5536141921 = "%System%\sysfiles"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6364F69515D55F943B4B3F3C669ECD32
506AA7BAF00535142870BF5536141921 = "%System%\sysfiles"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6364F69515D55F943B4B3F3C669ECD32
00000000000000000000000000000000 = "%System%\sysfiles"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
%System%\sysfiles = "1"
HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters
UserAccess = "{random values}"
HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters
Password = "{random values}"
HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters
notification = "{random values}"
HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters
Options = "{random values}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
RegOwner = "Wilbert"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
ProductID = "none"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
LocalPackage = "%Windows%\Installer\35ff7.msi"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
DisplayVersion = "5.210.0000"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
InstallDate = "20150514"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
InstallLocation = "%System%\sysfiles"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
InstallSource = "%User Temp%"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
ModifyPath = "MsiExec.exe /X{AB7AA605-500F-4153-8207-FB5563419112}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
NoModify = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
NoRepair = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
Publisher = "Microsoft Corporation"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
EstimatedSize = "3aeb"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
UninstallString = "MsiExec.exe /X{AB7AA605-500F-4153-8207-FB5563419112}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
URLInfoAbout = "http://www.{BLOCKED}oft.com"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
URLUpdateInfo = "http://www.{BLOCKED}oft.com"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
VersionMajor = "5"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
VersionMinor = "d2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
WindowsInstaller = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
Version = "5d2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
Language = "419"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
DisplayVersion = "5.210.0000"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
InstallDate = "20150514"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
InstallLocation = "%System%\sysfiles"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
InstallSource = "%User Temp%"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
ModifyPath = "MsiExec.exe /X{AB7AA605-500F-4153-8207-FB5563419112}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
NoModify = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
NoRepair = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
Publisher = "Microsoft Corporation"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
EstimatedSize = "3aeb"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
UninstallString = "MsiExec.exe /X{AB7AA605-500F-4153-8207-FB5563419112}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
URLInfoAbout = "http://www.{BLOCKED}oft.com"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
URLUpdateInfo = "http://www.{BLOCKED}oft.com"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
VersionMajor = "5"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
VersionMinor = "d2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
WindowsInstaller = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
Version = "5d2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
Language = "419"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
DisplayName = "Microsoft Visual C++ 2008 Redistributable - x86 10.0.743894.2047"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
DisplayName = "Microsoft Visual C++ 2008 Redistributable - x86 10.0.743894.2047"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\Features
Remote_Office_Manager = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921
ProductName = "Microsoft Visual C++ 2008 Redistributable - x86 10.0.743894.2047"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921
PackageCode = "558594499A0F7BE41A10BED2C55AA173"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921
Language = "419"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921
Version = "5d2"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921
Assignment = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921
AdvertiseFlags = "184"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921
ProductIcon = "%Windows%\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921
InstanceType = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921
AuthorizedLUAApp = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList
PackageName = "rms5.2.1.msi"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net
1 = "%User Temp%"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media
DiskPrompt = "[1]"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media
1 = "DISK1;1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList
LastUsedSource = "n;1;%User Temp%"
Dropping routine
It drops the following files:
- %User Temp%\123.cmd
- %User Temp%\set.exe
- __tmp_rar_sfx_access_check_96281
- setting.exe
- %User Temp%\install.cmd
- %User Temp%\rms5.2.1.msi
- %User Temp%\wget.exe
- %Windows%\Installer\35ff3.msi
- %Windows%\Installer\35ff5.ipi
- %Windows%\Installer\MSI10.tmp
- %System Root%\Config.Msi\35ff6.rbs
- %System%\sysfiles\dsfvorbisdecoder.dll
- %System%\sysfiles\dsfvorbisencoder.dll
- %System%\sysfiles\gdiplus.dll
- %System%\sysfiles\microsoft.vc90.crt.manifest
- %System%\sysfiles\msimg32.dll
- %System%\sysfiles\msvcp90.dll
- %System%\sysfiles\msvcr90.dll
- %System%\sysfiles\oledlg.dll
- %System%\sysfiles\rasadhlp.dll
- %System%\sysfiles\rfusclient.exe
- %System%\sysfiles\ripcserver.dll
- %System%\sysfiles\rutserv.exe
- %System%\sysfiles\rwln.dll
- %System%\sysfiles\vp8decoder.dll
- %System%\sysfiles\vp8encoder.dll
- %Windows%\Installer\35ff7.msi
- %Windows%\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT. %System Root% is the root folder, usually C:\. It is also where the operating system is located. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
Solutions
Step 1
Before doing any scans, Windows ME and XP users must make sure that System Restore is disabled so that the whole computer can be scanned.
Step 2
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Do this step only if you know how to, or if you can ask your system administrator for help. Otherwise, read this Microsoft article before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software
- WinRAR SFX
- In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer
- InProgress
- In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback
- Scripts
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components
- F400EEAA9D3E45C4987CFE35BD77F4C5
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components
- E5052F47A02BDEA469F8EAB572D83BA8
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components
- 6EDC4423414699340B5D245426472701
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components
- E45BAE6295648E74689FC47BF4E730EB
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components
- 6364F69515D55F943B4B3F3C669ECD32
- In HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server
- Parameters
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921
- InstallProperties
- In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
- {AB7AA605-500F-4153-8207-FB5563419112}
- In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes
- 509B38EF4554FFD4794F292971C81B17
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921
- Usage
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features
- 506AA7BAF00535142870BF5536141921
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921
- Features
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921
- Patches
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products
- 506AA7BAF00535142870BF5536141921
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes
- 509B38EF4554FFD4794F292971C81B17
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921
- SourceList
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList
- Net
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList
- Media
Step 3
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Do this step only if you know how to, or if you can ask your system administrator for help. Otherwise, read this Microsoft article before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\WinRAR SFX
- C%%DOCUME~1%Wilbert%LOCALS~1%Temp = "%User Temp%"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
- %System Root%\Config.Msi\35ff6.rbs = "46ae69fd"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F400EEAA9D3E45C4987CFE35BD77F4C5
- 506AA7BAF00535142870BF5536141921 = "%System%\sysfiles"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E5052F47A02BDEA469F8EAB572D83BA8
- 506AA7BAF00535142870BF5536141921 = "%System%\sysfiles"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6EDC4423414699340B5D245426472701
- 506AA7BAF00535142870BF5536141921 = "%System%\sysfiles"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E45BAE6295648E74689FC47BF4E730EB
- 506AA7BAF00535142870BF5536141921 = "%System%\sysfiles"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6364F69515D55F943B4B3F3C669ECD32
- 506AA7BAF00535142870BF5536141921 = "%System%\sysfiles"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6364F69515D55F943B4B3F3C669ECD32
- 00000000000000000000000000000000 = "%System%\sysfiles"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
- %System%\sysfiles = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters
- UserAccess = "{random values}"
- In HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters
- Password = "{random values}"
- In HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters
- notification = "{random values}"
- In HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4\Server\Parameters
- Options = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
- RegOwner = "Wilbert"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
- ProductID = "none"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
- LocalPackage = "%Windows%\Installer\35ff7.msi"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
- DisplayVersion = "5.210.0000"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
- InstallDate = "20150514"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
- InstallLocation = "%System%\sysfiles"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
- InstallSource = "%User Temp%"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
- ModifyPath = "MsiExec.exe /X{AB7AA605-500F-4153-8207-FB5563419112}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
- NoModify = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
- NoRepair = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
- Publisher = "Microsoft Corporation"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
- EstimatedSize = "3aeb"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
- UninstallString = "MsiExec.exe /X{AB7AA605-500F-4153-8207-FB5563419112}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
- URLInfoAbout = "http://www.{BLOCKED}oft.com"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
- URLUpdateInfo = "http://www.{BLOCKED}oft.com"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
- VersionMajor = "5"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
- VersionMinor = "d2"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
- WindowsInstaller = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
- Version = "5d2"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
- Language = "419"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
- DisplayVersion = "5.210.0000"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
- InstallDate = "20150514"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
- InstallLocation = "%System%\sysfiles"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
- InstallSource = "%User Temp%"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
- ModifyPath = "MsiExec.exe /X{AB7AA605-500F-4153-8207-FB5563419112}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
- NoModify = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
- NoRepair = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
- Publisher = "Microsoft Corporation"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
- EstimatedSize = "3aeb"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
- UninstallString = "MsiExec.exe /X{AB7AA605-500F-4153-8207-FB5563419112}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
- URLInfoAbout = "http://www.{BLOCKED}oft.com"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
- URLUpdateInfo = "http://www.{BLOCKED}oft.com"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
- VersionMajor = "5"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
- VersionMinor = "d2"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
- WindowsInstaller = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
- Version = "5d2"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
- Language = "419"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\InstallProperties
- DisplayName = "Microsoft Visual C++ 2008 Redistributable - x86 10.0.743894.2047"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AB7AA605-500F-4153-8207-FB5563419112}
- DisplayName = "Microsoft Visual C++ 2008 Redistributable - x86 10.0.743894.2047"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\506AA7BAF00535142870BF5536141921\Features
- Remote_Office_Manager = "{random characters}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921
- ProductName = "Microsoft Visual C++ 2008 Redistributable - x86 10.0.743894.2047"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921
- PackageCode = "558594499A0F7BE41A10BED2C55AA173"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921
- Language = "419"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921
- Version = "5d2"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921
- Assignment = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921
- AdvertiseFlags = "184"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921
- ProductIcon = "%Windows%\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921
- InstanceType = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921
- AuthorizedLUAApp = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList
- PackageName = "rms5.2.1.msi"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net
- 1 = "%User Temp%"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media
- DiskPrompt = "[1]"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media
- 1 = "DISK1;1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList
- LastUsedSource = "n;1;%User Temp%"
Step 4
Search and delete these files
- %User Temp%\123.cmd
- %User Temp%\set.exe
- __tmp_rar_sfx_access_check_96281
- setting.exe
- %User Temp%\install.cmd
- %User Temp%\rms5.2.1.msi
- %User Temp%\wget.exe
- %Windows%\Installer\35ff3.msi
- %Windows%\Installer\35ff5.ipi
- %Windows%\Installer\MSI10.tmp
- %System Root%\Config.Msi\35ff6.rbs
- %System%\sysfiles\dsfvorbisdecoder.dll
- %System%\sysfiles\dsfvorbisencoder.dll
- %System%\sysfiles\gdiplus.dll
- %System%\sysfiles\microsoft.vc90.crt.manifest
- %System%\sysfiles\msimg32.dll
- %System%\sysfiles\msvcp90.dll
- %System%\sysfiles\msvcr90.dll
- %System%\sysfiles\oledlg.dll
- %System%\sysfiles\rasadhlp.dll
- %System%\sysfiles\rfusclient.exe
- %System%\sysfiles\ripcserver.dll
- %System%\sysfiles\rutserv.exe
- %System%\sysfiles\rwln.dll
- %System%\sysfiles\vp8decoder.dll
- %System%\sysfiles\vp8encoder.dll
- %Windows%\Installer\35ff7.msi
- %Windows%\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe
Step 5
Search and delete these folders
- %System Root%\DOCUME~1
- %System Root%\DOCUME~1\Wilbert
- %User Profile%\LOCALS~1
- %System Root%\MSI35ff4.tmp
- %System Root%\Config.Msi
- %System%\sysfiles
- %Windows%\Installer\{AB7AA605-500F-4153-8207-FB5563419112}
Step 6
Scan your computer with your Trend Micro product to delete files detected as TROJ_DROPPER.XXTUA. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.