TROJ_CARBERP.YWQ
Trojan:Win32/Skeeyah.A!rfn (Microsoft), Trojan-Downloader.Win32.Carberp (Ikarus)
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
Dropped by other malware
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
256,512 bytes
EXE
Yes
31 May 2017
Deletes files
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following copies of itself into the affected system:
- %Windows%\rdpinst.exe
(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)
It drops the following component file(s):
- %Windows%\F5Ws94kb.txt
- %Windows%\PsfjH4KN.txt
- %Windows%\VZT6nsdX.txt
- %Windows%\zhsw8lZB.txt
(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunOnce
aaa99 = "%Windows%\rdpinst.exe"
Other System Modifications
This Trojan deletes the following files:
- %Application Data%\NTUSER.DAT
- %Windows%\bootstat.dat
- %Windows%\bootstat2.dat
- C:\Users\All Users\Documents\suchost..exe
- C:\desktop.ini
- C:\recycler
- C:\sYstem.vbs
- DDEDSDM\dde.exe
- Google\update\GoogleUpdate.exe
- Installed\mbarservice.exe
- Microsoft\Super Fitch x86\SuperFitch_x86.exe
- Microsoft\Windows\Default settings protector\dsp.exe
- Microsoft\Windows\Loadmnge32\Loadmnge32.exe
- Microsoft\Windows\Microsoap File Manager\MicrosoapFileManager.exe
- Microsoft\Windows\Officecompiler\Officecompiler.exe
- Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
- Mobile Internet\OnlineUpdate\ouc.exe
- SetWallpaper.cmd
- Sysconfig\Sysconfig.exe
- Updata\GoogleUpdata.exe
- WPM\wprotectmanager.exe
- Windows Update\svrupg.exe
- WindowsInstaller\windows.exe
- Windows\check.vbs
- Windows\csrss.exe
- Windows\winpoint
- \MSDCSC\msdcsc.exe
- cmds.exe
- explorer.exe
- fastan~1\FastAndSafeSvc.dll
- lsasss\lsasss.exe
- microsoft\dwmgr.exe
- newnext.me\nengine.dll
- nightupdate\svchost.exe
- start\update.exe
- svchost.exe
- temp\beta\vpn.exe
(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)
It deletes the following folders:
- .clamwin
- 360
- 360SD
- AVAST Software
- AVG
- AVG Nation toolbar
- AVS4YOU
- Acceleration Software
- Ad-Aware Antivirus
- Advanced System Protector
- Advanced SystemCare 6
- Advanced SystemCare 7
- Advanced SystemCare 8
- Agnitum
- AhnLab
- Alwil Software
- AntiVir PersonalEdition Classic
- AntiVirus
- AntiWinLocker
- Anvisoft\Anvi Smart Defender
- Arcabit
- Archivos comunes\AVG Secure Search
- Arquivos comuns\AVG Secure Search
- Ashampoo\Ashampoo Anti-Virus
- Ashampoo\Ashampoo FireWall FREE
- Avanquest
- Avetix
- Avira
- BLuPro
- Baidu
- Baidu Security
- BillP Studios
- BitGuard
- Bitdefender
- Bitdefender Agent
- Bkav Corporation
- Bkav2006
- BkavHome
- BkavHomePlus
- BkavPro
- BkavProIS
- Blue Coat K9 Web Protection
- Blue Ridge Networks
- BullGuard
- BullGuard Ltd
- CA
- CMC\Antivirus
- CMC\Internet Security
- COMODO
- Cezurity
- CheckPoint
- ClamWin
- Common Files\AVG Secure Search
- Common Files\AV\McAfee Anti-Virus And Anti-Spyware
- Common Files\Baidu
- Common Files\Bitdefender
- Common Files\BullGuard Ltd
- Common Files\COMODO
- Common Files\Commtouch\AntiVirus5
- Common Files\Doctor Web
- Common Files\G Data
- Common Files\InfoWatch
- Common Files\Intel Security
- Common Files\McAfee
- Common Files\MicroWorld
- Common Files\Panda Security
- Common Files\Steganos\OnlineShield
- Common Files\Symantec Shared
- Common Files\TrustPort
- Common Files\eAcceleration
- Comodo Downloader
- Crystal Security
- DefenseWall
- Doctor Web
- DrWeb
- DrWeb AV-Desk
- DrWeb Enterprise Suite
- EMCO\Malware Destroyer 5
- EMCO\Malware Destroyer 6
- EMCO\Malware Destroyer 7
- EMCO\Malware Destroyer 8
- ESET
- ESTsoft\ALYac
- Elex-tech\YAC
- Emsisoft
- Emsisoft Anti-Malware
- Emsisoft Internet Security
- Essentware\PCKAV
- F-Secure
- FRISK Software
- File comuni\AVG Secure Search
- Filseclab
- Fortego Security
- Fortinet
- G DATA Software
- G Data
- GFI
- GlassWire
- GridinSoft Anti-Malware
- Grisoft
- HAURI
- IKARUS
- INCAInternet\nProtect Netizen v5.5
- INCAInternet\nProtect Online Security
- IObit
- Immunet
- Intel Security
- Jetico
- K7 Computing
- Kaspersky Lab
- Kerio
- Kingsoft\PCDoctor
- Lavasoft
- Loaris\Trojan Remover
- MPC Cleaner
- MSDL-MSDLAV
- Malware Defender
- Malwarebytes
- Malwarebytes Anti-Exploit
- Malwarebytes Anti-Malware
- Malwarebytes' Anti-Malware
- Mamutu
- McAfee
- McAfee Security Scan
- McAfee.com
- McAfeeMOBK
- MicroWorld
- Microsoft Forefront
- Microsoft Security Client
- Microsoft Security Essentials
- MinerGate
- MinerGate-service
- Moon Secure Antivirus
- N-able Technologies
- NANO Antivirus
- NETGATE\Amiti Antivirus
- NETGATE\FortKnox Personal Firewall
- NETGATE\Spy Emergency
- Net Protector 2011
- Net Protector 2014
- NetPolice
- Network Associates\VirusScan
- NetworkShield Firewall 3.0
- NoVirusThanks
- Nora Antimalware Scanner
- Norman
- Norton 360
- Norton Anti-Theft
- Norton AntiVirus
- Norton Internet Security
- Norton Security
- Norton Security Scan
- Norton Security with Backup
- NortonInstaller
- Online Armor
- OnlineArmor
- PC Tools
- PC Tools Firewall Plus
- PC Tools Security
- PSafe
- Padvish Antivirus
- Panda Security
- Panda Security URL Filtering
- PeerBlock
- Preventon Antivirus
- Privacyware
- Proland
- Proland Software
- Quick Heal
- Reason\Security
- Returnil
- Rising
- Roboscan
- Ruiware
- STOPzilla Optimizer
- STOPzilla!
- SUPERAntiSpyware
- SecuraLive Internet Security
- SecureAge
- Smadav
- Sophos
- SpyShelter
- SpyShelter Premium
- Spybot - Search & Destroy
- Spybot - Search & Destroy 2
- Spyware Doctor
- Spyware Terminator
- Steganos Online Shield
- StopSign
- Sygate\SPF
- Symantec AntiVirus
- Symantec.cloud
- Symantec\LiveUpdate
- Symantec\Symantec Endpoint Protection
- Symantec\Symantec Endpoint Protection Manager
- Tencent\QQPCMgr
- ThreatFire
- Tiranium AntiVirus
- Tizer Secure
- Total Defense
- TotalDefense
- TrafInsp
- Trend Micro
- Trend Micro Installer
- Trojan Remover
- TrojanHunter
- TrojanHunter 5.1
- TrojanHunter 5.2
- TrojanHunter 5.3
- TrojanHunter 5.4
- TrojanHunter 5.5
- TrojanHunter 5.6
- TrojanHunter 5.7
- TrojanHunter 5.8
- TrojanHunter 5.9
- TrustPort
- UPCleaner
- UnHackMe
- UnThreat
- UnThreat AntiVirus
- VIPRE
- Vba32
- VnSecurity 2008
- WRData
- Webroot
- WinPcap
- WinRoute Pro
- Winalysis
- Windows Defender
- Zillya Antivirus
- Zillya Internet Security
- Zillya! Internet Security
- avast
- eAcceleration
- eSafe
- eScan
- eScan Web Safe
- geswall
- kingsoft\kingsoft antivirus
- kingsoft\ksdef
- mks_vir_9
- nanoav
- nanolsp
- pandasecuritytb
- xCore Software
It adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunOnce
fs57 = "%Windows%\system32\netsh.exe winsock reset"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunOnce
fs32 = "%Windows%\system32\bcdedit.exe /set {current} recoveryenabled No"
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
ConsentPromptBehaviorAdmin = 0
(Note: The default value data of the said registry entry is 5.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLUA = 0
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
PromptOnSecureDesktop = 0
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Session Manager
BootExecute = "autocheck autochk * {malware path and name}"
(Note: The default value data of the said registry entry is "autocheck autochk *".)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusOverride = 1
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallOverride = 1
(Note: The default value data of the said registry entry is 0.)
HOSTS File Modification
This Trojan adds the following strings to the Windows HOSTS file:
- 0.0.0.0 account.norton.com
- 0.0.0.0 www.gmer.net
- 0.0.0.0 www.yeabests.cc
- 0.0.0.0 bleepingcomputer.com
- 0.0.0.0 www.bleepingcomputer.com
- 0.0.0.0 malekal.com
- 0.0.0.0 www.malekal.com
- 0.0.0.0 accounts.comodo.com
- 0.0.0.0 activation.adtrustmedia.com
- 0.0.0.0 activation-v2.kaspersky.com
- 0.0.0.0 auth.ff.avast.com
- 0.0.0.0 avstats.avira.com
- 0.0.0.0 backup1.bullguard.com
- 0.0.0.0 buddy.bitdefender.com
- 0.0.0.0 c2.dev.drweb.com
- 0.0.0.0 antivirus.baidu.com
- 0.0.0.0 cdn.static.malwarebytes.org
- 0.0.0.0 csasmain.symantec.com
- 0.0.0.0 definitionsbd.lavasoft.com
- 0.0.0.0 dm.kaspersky-labs.com
- 0.0.0.0 dnsscan.shadowserver.org
- 0.0.0.0 download.bitdefender.com
- 0.0.0.0 download.bullguard.com
- 0.0.0.0 download.comodo.com
- 0.0.0.0 download.eset.com
- 0.0.0.0 download.geo.drweb.com
- 0.0.0.0 downloadnada.lavasoft.com
- 0.0.0.0 downloads.comodo.com
- 0.0.0.0 downloads.lavasoft.com
- 0.0.0.0 www.reasoncoresecurity.com
- 0.0.0.0 reasoncoresecurity.com
- 0.0.0.0 drweb.com
- 0.0.0.0 ec.sunbeltsoftware.com
- 0.0.0.0 emupdate.avast.com
- 0.0.0.0 esetnod32.ru
- 0.0.0.0 zillya.ua
- 0.0.0.0 www.zillya.ua
- 0.0.0.0 expire.eset.com
- 0.0.0.0 gms.ahnlab.com
- 0.0.0.0 go.eset.eu
- 0.0.0.0 i1.c.eset.com
- 0.0.0.0 i2.c.eset.com
- 0.0.0.0 i3.c.eset.com
- 0.0.0.0 i4.c.eset.com
- 0.0.0.0 iploc.eset.com
- 0.0.0.0 ipm.avira.com
- 0.0.0.0 ipm.bitdefender.com
- 0.0.0.0 ksn4-12.kaspersky-labs.com
- 0.0.0.0 ksn-file-geo.kaspersky-labs.com
- 0.0.0.0 ksn-info-geo.kaspersky-labs.com
- 0.0.0.0 ksn-ipm-1.kaspersky-labs.com
- 0.0.0.0 ksn-kas-geo.kaspersky-labs.com
- 0.0.0.0 ksn-kddi.kaspersky-labs.com
- 0.0.0.0 ksn-pbs-geo.kaspersky-labs.com
- 0.0.0.0 ksn-stat-geo.kaspersky-labs.com
- 0.0.0.0 ksn-tboot-1.kaspersky-labs.com
- 0.0.0.0 ksn-tcert-geo.kaspersky-labs.com
- 0.0.0.0 ksn-tpcert-1.kaspersky-labs.com
- 0.0.0.0 ksn-url-geo.kaspersky-labs.com
- 0.0.0.0 ksn-verdict-geo.kaspersky-labs.com
- 0.0.0.0 licenseactivation.security.comodo.com
- 0.0.0.0 license.avira.com
- 0.0.0.0 license.nanoav.ru
- 0.0.0.0 license.trustport.com
- 0.0.0.0 licensing.security.comodo.com
- 0.0.0.0 login.bullguard.com
- 0.0.0.0 login.norton.com
- 0.0.0.0 metrics.bitdefender.com
- 0.0.0.0 mirror01.gdata.de
- 0.0.0.0 my.bitdefender.com
- 0.0.0.0 newton.norman.com
- 0.0.0.0 nimbus.bitdefender.net
- 0.0.0.0 niufour.norman.no
- 0.0.0.0 niuone.norman.no
- 0.0.0.0 niuseven.norman.no
- 0.0.0.0 o2.norton.com
- 0.0.0.0 omni.avg.com
- 0.0.0.0 oms.symantec.com
- 0.0.0.0 p003.sb.avast.com
- 0.0.0.0 p.filseclab.com
- 0.0.0.0 www.filseclab.com
- 0.0.0.0 ping.avast.com
- 0.0.0.0 premium.avira-update.com
- 0.0.0.0 program.avast.com
- 0.0.0.0 proxy.eset.com
- 0.0.0.0 redirect.avira.com
- 0.0.0.0 reg03.eset.com
- 0.0.0.0 register.k7computing.com
- 0.0.0.0 resolver1.bullguard.ctmail.com
- 0.0.0.0 resolver2.bullguard.ctmail.com
- 0.0.0.0 resolver3.bullguard.ctmail.com
- 0.0.0.0 resolver4.bullguard.ctmail.com
- 0.0.0.0 resolver5.bullguard.ctmail.com
- 0.0.0.0 rol.pandasecurity.com
- 0.0.0.0 360totalsecurity.com
- 0.0.0.0 www.360totalsecurity.com
- 0.0.0.0 secure.comodo.net
- 0.0.0.0 shasta-rrs.symantec.com
- 0.0.0.0 shop.esetnod32.ru
- 0.0.0.0 slcw.ff.avast.com
- 0.0.0.0 spoc-pool-gtm.norton.com
- 0.0.0.0 s.program.avast.com
- 0.0.0.0 static2.avast.com
- 0.0.0.0 static.avg.com
- 0.0.0.0 stats.norton.com
- 0.0.0.0 stats.qalabs.symantec.com
- 0.0.0.0 store.lavasoft.com
- 0.0.0.0 su.ff.avast.com
- 0.0.0.0 support.norton.com
- 0.0.0.0 symantec.tt.omtrdc.net
- 0.0.0.0 threatnet.threattrack.com
- 0.0.0.0 trace.eset.com
- 0.0.0.0 tracking.lavasoft.com
- 0.0.0.0 ts-crl.ws.symantec.com
- 0.0.0.0 ts.eset.com
- 0.0.0.0 uc.cloud.avg.com
- 0.0.0.0 um01.eset.com
- 0.0.0.0 um21.eset.com
- 0.0.0.0 update2.bullguard.com
- 0.0.0.0 update.avg.com
- 0.0.0.0 update.bullguard.com
- 0.0.0.0 update.eset.com
- 0.0.0.0 updates.agnitum.com
- 0.0.0.0 updates.k7computing.com
- 0.0.0.0 updates.sunbeltsoftware.com
- 0.0.0.0 upgrade.bitdefender.com
- 0.0.0.0 upgr-mmxiii-p.cdn.bitdefender.net
- 0.0.0.0 upgr-mmxiv.cdn.bitdefender.net
- 0.0.0.0 v7.stats.avast.com
- 0.0.0.0 versioncheck.eset.com
- 0.0.0.0 vl.ff.avast.com
- 0.0.0.0 wam.pandasecurity.com
- 0.0.0.0 webprot.avgate.net
- 0.0.0.0 webprot.avira.com
- 0.0.0.0 webprot.avira.de
- 0.0.0.0 wsmy.pandasecurity.com
- 0.0.0.0 www5.avira.com
- 0.0.0.0 www.avira.com
- 0.0.0.0 download.sp.f-secure.com
- 0.0.0.0 www.bullguard.com
- 0.0.0.0 www.esetnod32.ru
- 0.0.0.0 www.k7-russia.ru
- 0.0.0.0 www.lavasoft.com
- 0.0.0.0 www.mks.com.pl
- 0.0.0.0 www.nanoav.ru
- 0.0.0.0 www.pandasecurity.com
- 0.0.0.0 www-secure.symantec.com
- 0.0.0.0 www.sunbeltsoftware.com
- 0.0.0.0 www.trustport.com
- 0.0.0.0 kaspersky.ru
- 0.0.0.0 www.kaspersky.ru
- 0.0.0.0 avast.ru
- 0.0.0.0 www.avast.ru
- 0.0.0.0 freeavg.com
- 0.0.0.0 www.freeavg.com
- 0.0.0.0 free.avg.com
- 0.0.0.0 www.free.avg.com
- 0.0.0.0 avira.com
- 0.0.0.0 z-oleg.com
- 0.0.0.0 www.z-oleg.com
- 0.0.0.0 bitdefender.com
- 0.0.0.0 www.bitdefender.com
- 0.0.0.0 bullguard.com
- 0.0.0.0 personalfirewall.comodo.com
- 0.0.0.0 www.personalfirewall.comodo.com
- 0.0.0.0 comodo.com
- 0.0.0.0 www.comodo.com
- 0.0.0.0 www.drweb.com
- 0.0.0.0 www.emsisoft.ru
- 0.0.0.0 emsisoft.ru
- 0.0.0.0 avescan.ru
- 0.0.0.0 www.avescan.ru
- 0.0.0.0 escanav.com
- 0.0.0.0 www.escanav.com
- 0.0.0.0 escan.com
- 0.0.0.0 www.escan.com
- 0.0.0.0 f-prot.com
- 0.0.0.0 www.f-prot.com
- 0.0.0.0 f-secure.com
- 0.0.0.0 www.f-secure.com
- 0.0.0.0 gdatasoftware.com
- 0.0.0.0 ru.gdatasoftware.com
- 0.0.0.0 www.gdata.de
- 0.0.0.0 gdata.de
- 0.0.0.0 ikarussecurity.com
- 0.0.0.0 www.ikarussecurity.com
- 0.0.0.0 malwarebytes.org
- 0.0.0.0 www.malwarebytes.org
- 0.0.0.0 nanoav.ru
- 0.0.0.0 symantec.com
- 0.0.0.0 www.symantec.com
- 0.0.0.0 norton.com
- 0.0.0.0 www.norton.com
- 0.0.0.0 ru.norton.com
- 0.0.0.0 agnitum.ru
- 0.0.0.0 www.agnitum.ru
- 0.0.0.0 cloudantivirus.com
- 0.0.0.0 www.cloudantivirus.com
- 0.0.0.0 pandasecurity.com
- 0.0.0.0 www.rising.com.cn
- 0.0.0.0 rising.com.cn
- 0.0.0.0 rising-global.com
- 0.0.0.0 www.rising-global.com
- 0.0.0.0 www.rising-russia.com
- 0.0.0.0 rising-russia.com
- 0.0.0.0 freerav.com
- 0.0.0.0 www.freerav.com
- 0.0.0.0 safensoft.ru
- 0.0.0.0 www.safensoft.ru
- 0.0.0.0 trustport.com
- 0.0.0.0 www.trustport-ru.ru
- 0.0.0.0 virustotal.com
- 0.0.0.0 www.virustotal.com
- 0.0.0.0 zillya.com
- 0.0.0.0 www.zillya.com
- 0.0.0.0 anti-virus.by
- 0.0.0.0 www.anti-virus.by
- 0.0.0.0 sophos.com
- 0.0.0.0 www.sophos.com
- 0.0.0.0 www.freedrweb.com
- 0.0.0.0 freedrweb.com
- 0.0.0.0 www.avirus.ru
- 0.0.0.0 www.avg.com
- 0.0.0.0 avg.com
- 0.0.0.0 mcafee.com
- 0.0.0.0 www.mcafee.com
- 0.0.0.0 siteadvisor.com
- 0.0.0.0 www.siteadvisor.com
- 0.0.0.0 support.kaspersky.ru
- 0.0.0.0 www.comss.ru
- 0.0.0.0 comss.ru
- 0.0.0.0 www.spyware-ru.com
- 0.0.0.0 spyware-ru.com
- 0.0.0.0 virusinfo.info
- 0.0.0.0 www.virusinfo.info
- 0.0.0.0 forum.esetnod32.ru
- 0.0.0.0 www.forum.esetnod32.ru
- 0.0.0.0 forum.drweb.com
- 0.0.0.0 www.forum.drweb.com
- 0.0.0.0 forum.virlab.info
- 0.0.0.0 www.forum.virlab.info
- 0.0.0.0 spybot.info
- 0.0.0.0 www.spybot.info
- 0.0.0.0 winpatrol.com
- 0.0.0.0 www.quickheal.com
- 0.0.0.0 quickheal.com
- 0.0.0.0 www.winpatrol.com
- 0.0.0.0 av.download.avg.com
NOTES:
It checks the following registry entries to check if running on virtual machine:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI
- where values are as follows:
- QEMU
- VMware
- XENSRC&Prod_PVDISK
- CdRomVBOX_CD-ROM
- DiskVirtual_HD
It checks the following registry entries to check if running on virtual machine:
- HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System
- SystemBiosVersion = "BOCHS - 1"
- SystemBiosVersion = "VBOX - 1"
- VideoBiosVersion = "VirtualBox"
It checks for the presence of the following regisries which are related to virtual machine:
- \Registry\Machine\HARDWARE\ACPI\DSDT\VBOX__
- \Registry\Machine\HARDWARE\ACPI\FADT\BOCHS_
- \Registry\Machine\HARDWARE\ACPI\DSDT\Xen
- \Registry\Machine\SYSTEM\CurrentControlSet\Enum\XEN\vif
It deletes AV related classes on the registry:
- {9CC1A7EB-B086-459B-8E62-A8F3B9A3007B}
- {24A0C840-2C3D-4410-8236-8B40816C7B90}
- {522119B9-1B9A-498A-AC52-148B533EFD50}
- {6880337A-1EB4-4EF2-9659-0FD2EC60CB1B}
- {87C077B2-3D3B-4156-938A-EA51B451D6C6}
- {8AE85550-832C-4A9B-81BB-2A49DBEE72B4}
- {C4A06E97-ED42-47B9-83E1-F12299B286A5}
- {C777C165-D422-426D-8EBF-6EAF3FB83ADF}
- {FB58BE68-EA9E-4803-847F-2CE814E7B159}
- {54505F9E-EE66-4F1D-A63B-B853A1759385}
- {56EBD688-B772-4181-9610-8633FCEE988D}
- {67F2A318-C8F7-4087-9F88-C4B434D41719}
- {7E0006EA-81A8-4780-B0C8-474E2DBF4D63}
- {1DF588BB-23CF-4F4F-851C-1DB73E102864}
- {3919A341-96C2-44B9-83AF-0A0897327A07}
- {C109C8FC-4A4D-4AA8-B592-9C0EA5ADE910}
It deletes registry entries with the folllwing strings that may prevent programs from running properly:
- Adobe Reader
- Java
- Java(TM)
- Antivirus
- avast!
- AVG
- Avira
- Bitdefender
- BkavHome
- ClamWin
- COMODO Antivirus
- COMODO Internet Security
- Computer Security
- Crystal Security
- Dr.Web
- ESET Endpoint Antivirus
- ESET NOD32
- ESET Online
- ESET Smart
- FMW 1
- FortiClient
- F-Secure
- GeekBuddy
- HijackThis
- Kaspersky
- Kingsoft AntiVirus
- Kingsoft PC Doctor
- McAfee
- NOD32 antivirus system
- Norton 360
- Norton AntiSpam
- Norton AntiVirus
- Norton Confidential
- Norton Internet Security
- Norton PC Checkup
- McAfee Virtual Technician
- nProtect Anti-Virus
- nProtect Security Platform
- Panda Antivirus
- Panda Cloud Antivirus
- Panda Devices Agent
- Panda Free Antivirus
- Panda Global Protection
- Panda Internet Security
- Panda Secure Vault
- Panda Security
- Personal Firewall
- Privatefirewall
- Quick Heal
- Rising Antivirus
- Sophos Anti-Rootkit
- Sophos Anti-Virus
- Sophos AutoUpdate
- Sophos Remote Management System
- Sophos Virus Removal Tool
- Symantec AntiVirus
- Symantec Endpoint Protection
- Traffic Inspector
- Trend Micro
- VIPRE Antivirus
- Virus Scanner
- VirusTotal
- ZoneAlarm
- Ashampoo WinOptimizer
- Advanced System Protector
- Phrase Finder
- Zillya!
- Ask Toolbar
- TuneUp Utilities
- Weatherbar
- IKARUS anti.virus
- Shopping App by Ask
- Search App by Ask
- Html5 geolocation provider
- ESET Endpoint Security
- Amazon 1Button App
It creates the following registry entries to prevent the following programs from executing:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{application name}
- debugger = "msiexec.exe"
- Adaware_Installer.exe
- AvetixSetup.exe
- BavPro_Setup_Mini_GL.exe
- BullGuardDownloaderBPP.exe
- ClamAVSetup.exe
- EmsisoftEmergencyKit.exe
- EmsisoftInternetSecuritySetup.exe
- F-SecureNetworkInstaller.exe
- F-SecureNetworkInstallerUpg.exe
- F-SecureNetworkInstallerUpgrade.exe
- F-SecureNetworkInstaller_IS-ESTORE-TRIAL-GLOBAL_.exe
- FRST.exe
- FRST64.exe
- HijackThis.exe
- HousecallLauncher.exe
- K7UltimateSecurity_installer.exe
- McAfeeSetup.exe
- OnlineArmorSetup.exe
- OutpostSecuritySuiteProInstall.exe
- OutpostSecuritySuiteProInstall_x64.exe
- PSafeAntivirusSetup.exe
- PSafeTotalSetup.exe
- PadvishAntivirusFree.exe
- PandaCloudAntivirus.exe
- ProcessHacker.exe
- QHTSFT64.EXE
- Roboscan_IS_Free_x64.exe
- SUPERAntiSpyware.exe
- SUPERAntiSpywarePro.exe
- SandboxieInstall.exe
- SecurityScan_Release.exe
- SoftonicDownloader_for_panda-antivirus-pro.exe
- SpyShelter.exe
- TRAYICOS.EXE
- Tiranium_antivirus_setup.exe
- TrojanHunterSetup.exe
- UnThreatProSetup.exe
- Vba32.Vista.exe
- Wireshark.exe
- ZillyaInternetSecurity.exe
- autoruns.exe
- autorunsc.exe
- avast_free_antivirus_setup_online.exe
- avast_free_antivirus_setup_online_cnet.exe
- avast_internet_security_setup.exe
- avast_internet_security_setup_online.exe
- avast_premier_antivirus_setup_online.exe
- avira_family_protection_suite_ru.exe
- avira_ultimate_protection_suite_ru.exe
- bitdefender_antivirus.exe
- bitdefender_tsecurity.exe
- bytefence-installer.exe
- cispremium_installer.exe
- cpuminer-btver1.exe
- cureit.exe
- drweb-900-win-space.exe
- drweb-900-win.exe
- escanmon.exe
- ess_trial32_rus.exe
- md_setup_en.exe
- minergate-service.exe
- minergate.exe
- procexp.exe
- registry-life-setup.exe
- ru-ru.kts.ya.setup.exe
- setup-vipre-internet-security-en-us-trial.exe
- stop-sign_install.exe
- systemreset.exe
- twister8_setup.exe
It changes the NameServer settings of the affected machine by changing the following IP address to free DNS Servers (8.8.8.8,209.244.0.3):
- 195.46.39.39
- 195.46.39.40
- 199.85.126.20
- 199.85.127.20
- 208.67.220.220
- 208.67.222.222
- 209.88.198.133
- 77.88.8.2
- 77.88.8.3
- 77.88.8.7
- 77.88.8.88
- 8.20.247.20
- 8.26.56.26
- 81.218.119.11
It deletes the following registry entries for services related to antivirus programs:
- HKEY_LOCAL_MACHINE\SOFTWARE\SYSTEM\CurrentControlSet\services\{service name}
- 360AntiHacker
- 360AvFlt
- 360Box
- 360Box64
- 360Camera
- 360SelfProtection
- 360fsflt
- 360rp
- A2DDA
- AAVScan
- AAVService
- ABConfSV
- ABFLT
- ABMainSV
- ABWFP
- ABndis
- ABndisMP
- AFW
- ALE_NF
- AMonLWLH
- AMonTDLH
- APPFLT
- ASD2Svc
- ASZFltNt
- ATamptNt_V3IS80
- AVBackup
- AVGEMS
- AVGIDSAgent
- AVGIDSDriver
- AVGIDSDriverl
- AVGIDSHA
- AVGIDSHX
- AVGIDSShim
- AVKProxy
- AVKService
- AVKWCtl
- AVP
- AVP15.0.0
- AVP15.0.2
- AVP16.0.0
- AVSFirewallService
- AVSNDISIM
- AVSNDISIMMP
- AVSRegMonDrv
- AVSTDIFilterDrv
- AVTasks2
- AVUpdate
- AdvancedSystemCareService6
- AdvancedSystemCareService7
- AdvancedSystemCareService8
- AhnActNt
- AhnFlt2K
- AhnRec2K
- AhnRghNt
- AhnSZE
- AmFSM
- AmitiAvHealth
- AmitiAvSrv
- Amnpardaz Filter
- Amsp
- AntiVirMailService
- AntiVirSchedulerService
- AntiVirService
- AntiVirWebService
- Application Updater
- ArcaFsAv
- ArcaRemoteService
- Asdids
- Avast Business Console Client Antivirus Service
- AvetixGuardService
- AvetixMonitorService
- AvetixOnAccess
- AvetixUpdateService
- Avg
- Avg7Alrt
- Avg7Core
- Avg7RsW
- Avg7RsXP
- Avg7UpdSvc
- AvgAMPS
- AvgAdminServer
- AvgTdi
- Avgboota
- Avgbootx
- Avgdiska
- Avgdiskx
- Avgfwdx
- Avgfwfd
- Avgldx64
- Avgldx86
- Avgloga
- Avglogx
- Avgmfx64
- Avgmfx86
- Avgrkx64
- Avgrkx86
- Avgtdia
- Avgtdix
- Avgunivx
- Avgwfpa
- Avgwfpx
- Avira.ServiceHost
- BAPIDRV
- BAVSvc
- BDSandBox
- BDVEDISK
- BHDrvx64
- BHDrvx86
- BHipsSvc
- BNmon
- BRN_APPGUARD_SERVICE
- Bcfilter
- BcfilterMP
- BdAgent
- BdApiUtil
- BdCameraProtect
- BdDesktopParental
- BdNet
- BdSpy
- Bdfndisf
- Behavior Detection System
- Bfilter
- Bfmon
- Bhbase
- Bkav
- BkavAuto
- BkavChkUI
- BkavCoreLib
- BkavSR
- BkavSdFlt
- BkavService
- BkavSystemService
- BluProService
- Bnbase
- Bndef
- Bprotect
- BprotectEx
- BrnFileLock
- Browser Defender Update Service
- BsBackup
- BsBhvScan
- BsFileScan
- BsFire
- BsMailProxy
- BsMain
- BsScanner
- BsUpdate
- CAAMSvc
- CAISafe
- CSCrySec
- CSObjectsSrv
- CSVirtualDiskDrv
- CaCCProvSP
- CdmDrvNt
- CezurityAntivirusService
- ComFiltr
- Core Mail Protection
- Core Scanning Server
- Core Scanning ServerEx
- DSAFLT
- Double Anti-Spy Task Manager
- DrWebAVService
- DrWebEngine
- DrWebFwSvc
- DrWebLwf
- DrWebNetFilter
- DrWebWfp
- DwDevGuard
- DwHV
- DwProt
- EMLSS
- ESHASRV
- EconService
- EfiMon
- EhttpSrv
- EncDisk
- EpfwLWF
- Epfwndis
- F-Secure Gatekeeper
- F-Secure HIPS
- FAFileMon
- FA_Scheduler
- FCSAM
- FNETMON
- FPAVServer
- FPAV_RTP
- FSMA
- FSORSPClient
- FWCore
- FWNDIS_LWF
- FWService
- FcsSas
- FileMonitor
- Fkndisf
- FortiFW
- FortiRdr
- FortiShield
- FortiWF
- Fortips
- GDBackupSvc
- GDBehave
- GDFwSvc
- GDMnIcpt
- GDNdisIc
- GDPkIcpt
- GDScan
- GDTdiInterceptor
- GDTunerSvc
- GLogin
- GeSWall
- GlassWire
- GuardX
- HipShieldK
- HomeNetSvc
- HomeVNService
- HookCentre
- HookPort
- HookTdi
- HyperVM
- IDSFLT
- IDSVia64
- IDSVix86
- IDSxpx86
- IDriverT
- IMFservice
- ISFWEnt
- ISIPSEnt
- ISPIBEnt
- ISPrxEnt
- ImmunetNetworkMonitorDriver
- ImmunetProtect
- ImmunetProtectDriver
- ImmunetSelfProtectDriver
- Jetico Personal Firewall server
- K7CrvSvc
- K7EmlPxy
- K7FWFilt
- K7FWHlpr
- K7FWSrvc
- K7PSSrvc
- K7RTScan
- K7Sentry
- K7SpmSrc
- K7TSMngr
- K7TdiHlp
- KLIF
- KLIM6
- KSafeSvc
- KerioMailServer
- KmxAMRT
- KmxAgent
- KmxCF
- KmxCfg
- KmxFile
- KmxFilter
- KmxFw
- KmxSbx
- KmxStart
- L2NDNS
- LavasoftAdAwareService11
- MBAMProtector
- MBAMScheduler
- MBAMService
- MBAMSwissArmy
- MBAMWebAccessControl
- MOBKFilter
- MOBKbackup
- MPCKpt
- MPCProtectService
- MSDLAVkrn
- MSK80Service
- MWAgent
- McAPExe
- McAfee SiteAdvisor Service
- McAfeeFramework
- McBootDelayStartSvc
- McComponentHostService
- McMPFSvc
- McNaiAnn
- McODS
- McProxy
- McPvDrv
- McShield
- McTaskManager
- MeDCoreD_V3IS80
- Microsoft Antimalware
- MksMonEn
- MksMonEv
- MksMonFd
- MpFilter
- MsMpSvc
- N360
- NASS
- NAVENG
- NAVEX15
- NETFLTDI
- NETIMFLT01060034
- NETIMFLT01060039
- NETIMFLT01060044
- NGS
- NHS
- NIG
- NIS
- NNFSVC
- NNSALPC
- NNSHTTP
- NNSHTTPS
- NNSIDS
- NNSNAHS
- NNSNAHSL
- NNSPICC
- NNSPIHS
- NNSPIHSW
- NNSPOP3
- NNSPROT
- NNSPRV
- NNSSMTP
- NNSSTRM
- NNSTLSC
- NNetSecC
- NPFSvc32
- NPFSvc32_Data
- NPROSEC
- NPROSECSVC
- NS
- NTGUARD
- NUAA
- NanoServiceMain
- Ndiskio
- NisSrv
- Norman NJeeves
- Norman ZANDA
- NovaShieldFilterDriver
- NovaShieldTDIDriver
- NvcMFlt
- OADevice
- OAcat
- OAmon
- OAnet
- Online Protection System
- Online Shield Starter Service
- PAVFNSVR
- PAVSRV
- PCTAppEvent
- PCTBD
- PCTCore
- PCTFW-PacketFilter
- PCTSD
- PCToolsFirewallPlus
- PEFService
- PPDrv
- PPEMSCAN
- PROCMON20
- PROCMON23
- PSHost
- PSIMSVC
- PSINAflt
- PSINFile
- PSINKNC
- PSINProc
- PSINProt
- PSINReg
- PSKMAD
- PSUAService
- Panda Software Controller
- PandaAgent
- PavPrSrv
- PavProc
- PavTPK.sys
- Platinum Host Service
- ProcObsrv
- ProductAgentService
- PskSvcRetail
- QHActiveDefense
- QMUdisk
- QQPCRTP
- QQSysMon
- QQSysMonX64
- Quick Update Service
- RVSMONBL
- RegFilter
- RoboFww
- RoboRtwIFDrv
- Roboscan_RTSrv
- Roboscan_UpdSrv
- RsMgrSvc
- RsRavMon
- RusRoute
- RusRouteMP
- SAPlus
- SASDIFSV
- SASKUTIL
- SAUAVSvc
- SAVAdminService
- SAVOnAccess
- SAVOnAccessControl
- SAVOnAccessFilter
- SAVService
- SBAMSvc
- SBFWIMCL
- SBFWIMCLMP
- SBPIMSvc
- SDScannerService
- SDUpdateService
- SDWSCService
- SFWCallout
- SKMScan
- SQLANYs_sem5
- SRTSP
- SRTSPX
- SYMTDI
- SafeBox
- SandBox
- SbFw
- ScSecSvc
- ScanWscS
- Scheduler
- SepMasterService
- ShldDrv
- ShldFlt
- SmcService
- Sophos AutoUpdate Service
- Sophos Client Firewall
- SophosBootDriver
- SpiderG3
- SpyEmrg
- SpyEmrgAccess
- SpyEmrgGuard
- SpyEmrgHealth
- SpyEmrgSrv
- Spyshelter
- SpyshelterKb
- StopSign Update Manager
- SvcOnlineArmor
- SyDvCtrl
- SymDS
- SymEFA
- SymEFASI
- SymELAM
- SymEvent
- SymIRON
- SymNetS
- SysLib
- SysLib0
- SysLib1
- SysLib2
- SysLib3
- SysLib4
- SysLib5
- SysLib6
- SysLib7
- SysPlant
- TFsFlt
- TICAPDRV
- TIRepService
- TListenerSvc
- TMEBC
- TPPFHOOK
- TPSrv
- TS4NT
- TSKSP
- TSNxGService
- TSSysKit
- Teefer
- Teefer2
- TfFRegNt
- TfFsMon
- TfNetMon
- TfProcNt
- TfSysMon
- ThreatFire
- TrafInspSrv
- TrojanKillerDriver
- TsFltMgr
- UGBroMon
- UGKrnlDrv
- UGProtect
- UGSVC
- UPDATESRV
- UPKernel
- UTSvcManager3
- UmxEngine
- UrlFilter
- V3 Service
- V3Flt2K
- V3Flu2k_V3IS80
- V3IFt2K
- VBCoreNT.0
- VBEngNT
- VBFilt
- VSSERV
- Vba32ECM
- Vba32Ldr
- Vba32PP3
- Vba32Prot
- Vba32dNT
- Vba32ifs
- Vba32mNT
- VbaControlAgent
- Vsdatant
- WNMFLT
- WRDRV
- WRSVC
- WRkrn
- WdBoot
- WdFilter
- WdNisDrv
- WdNisSvc
- WinDefend
- WinRoute
- Yndisim
- YndisimMP
- ZAPrivacyService
- ZEFAVAuxSvc
- ZEFAVCoreSvc
- ZEFAVEFSvc
- ZhuDongFangYu
- ZillyaAVAuxSvc
- ZillyaAVCoreSvc
- Znf
- a2AntiMalware
- a2acc
- a2injectiondriver
- a2util
- acssrv
- afw
- afwcore
- apspDriver
- arcabitsv
- arcawfp
- arwflt
- arwsrvc
- asd2fsm
- aswFsBlk
- aswHwid
- aswMon2
- aswMonFlt
- aswNdis
- aswNdis2
- aswNdisFlt
- aswNetSec
- aswRdr
- aswRvrt
- aswSP
- aswSnx
- aswStm
- aswStmXP
- aswTdi
- aswUpdSv
- aswVmm
- avas_service
- avasdmft
- avast! Antivirus
- avast! Firewall
- avast! Mail Scanner
- avast! Web Scanner
- avc3
- avchv
- avckf
- avetixBC
- avetixSP
- avg8emc
- avg8wd
- avgfws
- avgntflt
- avgsvc
- avguniva
- avgwd
- avipbb
- avkmgr
- avnetflt
- bc_hash_f
- bc_ip_f
- bc_ngn
- bc_pat_f
- bc_prt_f
- bc_tdi_f
- bcfsrm
- bcftdi
- bckd
- bdelam
- bdfsfltr
- bdftdif
- bdfwfpf
- bdfwfpf_pc
- bdselfpr
- bdsflt
- bdsnm
- bsfs
- catflt
- ccSchedulerSVC
- ccSet_Cloud
- ccSet_N360
- ccSet_NIS
- ccSet_NS
- ccSettings_{2FF4FBED-F03A-4EE2-AC58-C985811A4FBE}
- ccSettings_{3AC20362-8119-4C85-8CAC-8FC00AFA6B91}
- cfwids
- cleanhlp
- cm_km
- cmcengine
- cmcis
- cmdAgent
- cmdGuard
- cmdHlp
- cmderd
- cmdvirth
- defensewall_serv
- drwagntd
- dsio
- dwall
- eLoggerSvc6
- eScan Monitor Service
- eScan-trayicos
- eac_notifysvc
- eac_productsvc
- eamon
- eamonm
- eas_httpsvr
- econceal
- econcealMP
- edevmon
- eeCtrl
- ehdrv
- ekrn
- emlssx
- epfw
- epfwtdi
- epfwtdir
- epfwwfp
- epfwwfpr
- ffsmon
- fildds
- filmfd
- filppd
- fortiapd
- fortiloader
- fortisniff
- fortknox
- fortknox_drv
- fsbts
- fshoster
- fsni
- fsvista
- ft_vnic
- gddcd
- gddcv
- gdwfpcd
- gfi_lanss11_attservice
- gfiark
- gfiutil
- ggc
- gozer
- gswserv
- gzflt
- hVrCommandSvc
- hVrMalSvc
- hooksys
- iSafeKrnl
- iSafeKrnlBoot
- iSafeKrnlKit
- iSafeKrnlMon
- iSafeKrnlR3
- iSafeNetFilter
- ignis
- inspect
- khelperDriver
- kl1
- klactprx
- kladminserver
- klbackupflt
- kldisk
- klelam
- klflt
- klhk
- klim5
- klnagent
- klpd
- kltdf
- kltdi
- klwebsrv
- klwfp
- klwtp
- kneps
- kvnet
- kwflower
- kwfupper
- kxescore
- l2nDHCP
- llio
- mbamchameleon
- mccspsvc
- mcpltsvc
- mdareDriver_48
- mdareDriver_52
- mfeapfk
- mfeavfk
- mfebopk
- mfecore
- mfeelamk
- mfefire
- mfefirek
- mfehidk
- mfemms
- mfencbdc
- mfencrk
- mferkdet
- mfevtp
- mfewfpk
- mks_services
- mksfwallf
- mksidsa
- mksidsf
- mscank
- msdl
- mwfsmfltr
- nanoflt
- nanokrn
- nanosvc
- netcontroller
- netfilter
- nnetsec
- npsvc32
- nregsec
- nsesvc
- nvcoas
- nvoy
- oahlpXX
- panda_url_filtering
- pavboot
- pbfilter
- pctDS
- pctEFA
- pctNdis
- pctNdisLW
- pctNdisLW64
- pctNdisMP
- pctgntdi
- pctplfw
- pctplsm
- pwipf6
- qutmdserv
- qutmipc
- rsdsys
- rvseng
- rvsmon
- rvsmonf
- rvsmonn
- sascan
- sascansvc
- sbaphd
- sbapifs
- sbhips
- sbtis
- sbtisht
- sbwtis
- scan
- scfdriver
- scfndis
- sdAuxService
- sdCoreService
- secdl
- semlaunchsrv
- semsrv
- semwebsrv
- slservice
- ssfwmonsvc
- ssmdrv
- sstsmonsvc
- swi_callout
- swi_filter
- swi_service
- swi_update
- tdi_nf
- tdifw
- tdimapper
- tmactmon
- tmcomm
- tmeevw
- tmeext
- tmel
- tmevtmgr
- tmnciesc
- tmtdi
- tmumh
- tmusa
- tpmgma_service
- tpsec
- trufos
- twssrv
- v3engine
- viprecomsvc
- vrptcomn
- vrptself
- vsmon
- webssx
- wipesrv
- wpsdrvnt
- wrUrlFlt
- wsnf
- wstif
- xCoreFirewallSvc
- xCoreUpdateSvc
- zsc
It delete files in the following folder (with extensions such as EXE,DLL,SCR,BAT and VBS):
- C:\Documents and Settings\LocalService\Application Data
- C:\Documents and Settings\LocalService\Dati applicazioni
- C:\Documents and Settings\LocalService\Datos de programa
- "%Program Files%\Common Files
- %Windows%\system32\config\systemprofile\AppData\Roaming
- %Application Data%\LocalLow
- %Application Data%\Local\Temp
- %Application Data%\Local\Temp\Low
- %Application Data%\Roaming
- %Application Data%\Roaming\Microsoft
- %Application Data%\Roaming\WindowsUpdate
- %Application Data%\Datos de programa\System
- %Application Data%\Local Settings\Temp
- %System Root%\Users\All Users\Documents\svchost
- %System Root%\Users\All Users\AppData\Roaming\Microsoft\Windows
- %System Root%\Users\All Users\AppData\Roaming\Windows Update
- %System Root%\Users\All Users\AppData\Local\Microsoft\Windows
- %System Root%\Users\All Users\AppData\Roaming\Microsoft\extensions
- %System Root%\Users\All Users\AppData\Local\Microsoft\extensions
- %System Root%\Users\All Users\AppData\Roaming\Microsoft\Windows\IEUpdate
- %System Root%\Users\All Users\AppData\Local\Microsoft\Windows\IEUpdate
- %System Root%\Users\All Users\AppData\Roaming\Microsoft\Windows\Update
- %System Root%\Users\All Users\AppData\Roaming\System
- %Windows%\help\windows\systems
- %Windows%\fonts
It deletes the following files/folders in the "Program Files" (%Program Files%) directory:
- 2345Soft
- 24x7Help
- 2WdM2
- 33download.com\Free Video Downloader
- 34dc5208-3f7e-436e-907b-3dc21b172840
- 360Play
- 3WdM3
- 8WdM8
- 8WinManPro8
- ADSafe
- ASPackage
- AVG Web TuneUp
- AVHealthMonitor
- Abrupt Text
- Accelerer PC
- ActSys
- Ad Muncher
- AdBlocker
- Addon Enabler
- Adguard
- Adobe-Updater
- Advanced Monitoring Agent
- Advanced Monitoring Agent Network Management
- Advanced PC Care
- Advanced Registry Optimizer
- Advanced System~Protector
- Airtostrong
- AllTubeDownloader
- Aloof General
- AlterGeo
- AmIcoSingLun
- AmazingTab
- Amazon Browser Bar
- Amazon\Amazon1ButtonApp
- AnyDesk
- AnySend
- App Bud
- AppCola
- AppGraffiti
- Appetizing Introduction
- Application Assistance
- Application Hosting
- Application Installer
- ApplicationHosting
- Appset
- AppsiocE
- AppthgildeM
- ApptnioPhtooteulB
- Appverifier
- AppxelfmuZ
- Archivos comunes\Hydrup
- AruaTuss
- Asistente Infinitum
- AskPartnerNetwork
- Assets Manager
- Assets Manager\smdmf
- Atomic Alarm Clock
- Automatic Update
- Autorun Eater
- BIOSTAR
- BRApp
- Babylon
- BaiduEx
- BaisvikSoftware
- Bamcof
- Bandoo
- BetterBrain
- Bin\UpdateTool
- Bitter Discipline
- Blazers
- BocekYazilim
- Boot Camp
- BreakawayLive
- Brownie
- Browny02
- BrownyInd
- Browser
- Browser Defender
- Browser Good
- Browser Logo
- Browser Manager
- Browser Rush
- BrowserCompanion
- BrowserDefender
- BrowserProtect
- BubbleFighter
- Buzzing Dhol
- ByteFence
- CCleaner
- CNN News Ticker
- CalendarTool
- CaqeqHiamt
- CashReminder
- CeroHimna
- CetMuu
- Chart Choosing
- Cheapster
- Checked List
- Checker
- ChicaLogic\Chica Password Manager
- ChomikBox
- ChristmasTree
- Clean Sweet
- CleanBrowser
- CleverSearch
- Clickfree
- CloudPrinter
- Clownfish
- CodeMeter
- CoffeeFeed
- CoinMiner
- Coingeek
- Colorful Eat
- Common Files\Goobzo
- Common Files\Hydrup
- Common Files\IMGUpdater
- Common Files\PC Tools
- Common Trioris
- Company
- Computer Updater
- Concom
- Consumer Input
- Contemplative Path
- Content Defender
- ContentProtector
- Controller
- ConvertAd
- Cooperative Lead
- Coupons
- Coupoon
- Courageous Anywhere
- Crowdcores
- Crsoft
- Cruel Fee
- Cruel Tongue
- CuHanh
- CuHanhPlay
- Cupom123
- DNS Unlocker
- DWdsManProD
- DailyPCClean
- DailyPcClean Support
- Dashing Gas
- DatacardService
- DbSecuritySpt
- Deceitful Vehicle
- Defsoft
- DeltaFix
- DesProtetor
- Desk 365
- DesktopAuthority
- DesktopMania
- DeuVin
- DevID Agent
- DeviceVM
- DhmReu
- Disk Analysis
- DisplayLink Core Software
- Dolby Advanced Audio v2
- DownChecker
- Dripkix
- Driptax
- DriverFinder
- DriverPack Notifier
- DriverToolkit
- DriversPro
- Easy Speed Check
- EavitFoc
- Edu App
- EgisTec IPS
- EgisTec\MyWinLocker 3
- EnterpriseUpdate
- Envious Plate
- EroBisis
- Experience Video
- ExtTag
- Extension Follow
- Extension Manager
- FPSensor
- FWdMF
- FaderController
- Fast-Search
- FastCompress-Zip
- FastPcTools
- FastPlayer
- FastSearch
- Feed Notifier
- File Association Helper
- FileToNet
- Filthy Buddy
- Filthy Horse
- Firewall Integrity Checker
- FlashBeat
- FlashGamesRockstar
- Flexfix
- Floomby
- Flwsrf
- Fogtrans
- Folder Shield
- FolderSize
- Foolish King
- Framed Display
- Frantic Shower
- Freemake
- Freemake Shared
- Fresh Tower
- Fuzzy Living
- GOSafer
- GamesRS
- GbPlugin
- Genie Soft
- Giddy Reflection
- Gigabase\Guard
- Glary Utilities 5
- Globe Tattoo Broadband
- Glorious Lesson
- GoCoupons
- Greener Web
- Gritty Vacation
- Grotesque Money
- GuluxMecch
- HandSetService
- Hard Case
- Hi-Rez Studios
- HiSuiteOuc
- HipmoIdod
- HitsBlender
- Hoistsearch
- Hollow Estate
- HomePageDefender
- HomeTab
- HonController
- Horrific Shoulder
- Host Secure
- Host32manager
- Hostify
- House\Dorm
- Huge Anything
- Huge Swing
- HulaToo
- Hurt North
- IAC Updater
- ICCup
- ICQ6Toolbar
- IM Magician
- IObitBar
- IQIYI Video
- IcyCarje
- Idea Net Setter
- IePluginService
- IePluginServices
- Impressionable Routine
- Inbox Storage
- InclusionRunner
- Infigo
- Internet Content Filter
- Internet Explorar
- InternetUpdater
- Irate Remove
- Itibiti Soft Phone
- JWdMJ
- JWdsManProJ
- Java Security Plugin
- Java Update 2.0
- Jittery Guitar
- Jittery Tone
- JoinME Drivers
- JokerAds
- Joyous Hook
- JukdEsoia
- Jumpstart
- KDubaSoftDown
- KDubaSoftPgup
- KRB Updater Utility
- KedmAbo
- KeepUp
- Key Switcher
- Keyboard Device Update
- Killer Networking
- Kinoroom Browser
- Kit Cooking
- Kleptomania
- Knowhow Cloud
- KokoMoss
- KopEguc
- Koruko
- Large Stable
- Launch Manager
- Launchy
- Lazy Usual
- Lightzap
- Little Inferno
- LiveWPPUpdate
- LoadLeader
- Logo Extension
- LolClient
- LolliScan
- Lovi Video
- LoviVK
- LoviVideo
- LuckyBrowse
- LuckyTab
- LyricsTab
- MAgent
- MPCBrowser
- MSConfig Extended 2.0
- MWdMM
- Macho Physics
- Magic Memory Optimizer
- MailUpdate
- MakeIt-Team
- Maniacal Mail
- Max Driver Updater
- MaxLim
- MaxLim\AlarmClock
- Media Saver
- MediaGet Toolbar
- MediaGet2
- MediaLingua
- Medlight
- MegaDownloader
- Microsoft Application Virtualization Client
- Microsoft Firewall Client 2004
- Microsoft Security Essentials
- MinerGate
- MiniLite
- MiuiTab
- MixVideoPlayerUpdaterService
- Mixesoft
- Mobile Partner
- MobileBrServ
- Mobogenie
- Mobogenie3
- Mortified Climate
- MovieDea
- Movies App
- Movies Toolbar
- Mp3Tube Toolbar
- Music App
- MusicsPlayers
- My Cute Buddy
- MyBar
- MyDesktop
- MyPC Backup
- MyTubeTheater
- NAT Service
- Napnut
- Net Control 2
- NetService
- NetTime
- NetWriter
- NewWinDcomSvc
- NhtBamd
- NiceHashMiner
- NixController
- NixSrv
- Norpalla
- Norton PC Checkup
- Note-up
- NsCpuCNMiner
- Nuance
- OLBPre
- Oasis Space
- Object Browser
- Obnovi Soft
- Odd Attitude
- Olacarita
- OneSafe PC Cleaner
- OneSystemCare
- Outrageous Currency
- PC App Store
- PC Cleaner
- PC Faster
- PC Performer
- PC Registry Shield
- PC Speed Maximizer
- PC Speed Up
- PC Ultra Speed
- PCPowerSpeed
- PCValidator
- PDF Architect
- PaceItUp
- Pando Networks
- PathMaxx
- PennyBee
- PerSefit
- Photod1ex
- PhraseProfessor
- Pingzapper
- Pirrit
- PlaceEngine
- Plain Clerk
- PlayFree Browser
- Pogo Games
- PojkoJetig
- Pompous Give
- PopApp
- PopularScreensavers
- PremierOpinion
- Prickly Rise
- Primary Color
- Pro PC Cleaner
- Probit Software
- Process Killer
- Protector Suite QL
- ProxyApp
- QualityChecker
- QuickSearch
- Quizzical Officer
- REACHit
- Ranlab
- RayDld
- RebateInformer
- Reber Quick
- Reg Organizer
- Registry Helper
- Reimage
- RelayAppend
- Remote Manipulator System - Host
- Remote Mouse
- Remote Utilities - Host
- RiokfBypl
- Ripe Valuable
- Ronzap
- RosettaStoneLtdServices
- RrFilter
- SMART BRO
- SWMiniProS
- SWinManProS
- SafeGuard
- SatelliteAgent
- SavePass 1.1
- SaveSenseLive
- Scpad
- Screen Capture
- SearchDefender
- SearchModule
- SearchSnacks
- SearchesToYesbnd
- Security
- Security Updates Service
- SeePassword
- SelectionTool
- Sersoft
- Settings Manager
- Sharp Angle
- Shop and Save Up
- ShopperPro
- ShopperPro3
- SijsUwucc
- SilverSurfer
- SiteRanker
- Skrinshoter
- SkyMonk
- Sleep Memory Optimizer
- Slippery Policy
- SmartTweak
- SmartUpdater
- SmartWeb
- Sniffer service
- Softobase
- Software Informer
- SoftwareUpdater
- SohaService
- Sokyra
- Soloeco
- Solotough
- Sound+
- SourceApp
- SpIZdqeadX
- SpaceSoundPro
- Spanplus
- SpeedItup Free
- SpiderMessenger
- SpiderShare
- Splendid Increase
- Spotless Smile
- Spyware Process Detector
- StartNow Toolbar
- Steel Cut
- Sticky Pull
- Sublight
- Sunlex
- Supdater
- Super Optimizer
- SweepTools PC Cleaner
- SystemMonitor2016
- SystemSafeguard
- TDataDld
- TFEIMLPE
- Taladapp
- Tango
- TaobaoProtect
- Tbccint
- TeamViewerUpdate
- Teeny Improvement
- TempMoudleSet
- Tencent\AndroidServer
- Tenda
- Tepfel
- TextEditor
- Thankful Gas
- ThcuKedc
- ThhaaWobk
- Thunder Master
- Ticno
- Tigo\OnlineUpdate
- TimeTasks
- Tmp0x0x
- Today Calendar
- ToggleMark
- TomTom HOME 2
- ToolGet
- ToolsUpdatePlatform
- Torch
- Torrent Search
- Total Plugin
- Total Privacy Protector
- TouchUtility
- TrueCafe
- TunnelBear
- Tv-Plug-In
- TypingMaster
- UCBrowser
- UTILILAB\SystemOPTIMIZER
- UltraZip
- Unchecky
- Universal Driver Updater
- Universal Updater
- Updater
- Updater By Sweetpacks
- UpsPilot
- Upset Carry
- Uptight District
- Utatity
- V-bates
- VK Downloader
- VOPackage
- Vaiafineco
- Vast Assist
- VemgIha
- ViGlance
- Viafresh
- VibrateGameDeviceDriver
- View-Password
- Virtual Cooking
- Viscosity
- Visual Protect Service
- VolumeControl
- VuuPC
- WIntEnhancer
- WInterEnhancer
- WNEn Browser Enhancer
- WNetEnhance
- WNetEnhancer
- WNetworkEnhance
- WTFast Beta
- WaIntEnhance
- WaIntEnhancer
- WaInterEnhance
- WaInterEnhancer
- WaInternetEnhancer
- WaNetworkEnhance
- WaNetworkEnhancer
- Wacky Green
- WadaBar
- WajIEn
- WajInterEnhancer
- WajInternetEn
- WajNetEn
- WajNetworkEnhancer
- WajaIntEn
- WajaIntEnhancer
- WajaInternetEnhancer
- WajaNetEn
- WajaWebEnhance
- Wandoujia
- WeatherTool
- Web Protect
- WebBar
- WebPlayer
- WebProtectorPlus
- WildTangent Games
- WinArchiver
- WinCalendarTime
- WinLoaderModule
- WinNetSvc
- WinThruster
- WinZip Registry Optimizer
- WindoWeather
- Windows Genuine Advantage
- Windows Network Accelerater
- Windows Security
- Windows Update Engine
- WindowsMangerProtect
- WindowsProtectManger
- WindowsUpd
- Winreview.ru
- Winsere
- Wixer
- WizzWifiHotspot
- XTRM Group
- Xclient
- Xvirus Adblocker
- YoutubeDownloader.org
- Zaxar
- ZetaGames
- ZetaGamesNews
- ZetaGamesViewer
- Zitenop
- Zoiper
- Zonzap
- ZuiSyog
- aWdMa
- advPlugin
- afoir
- alipay
- amdidx
- b4bc9939-75e9-422b-af5c-653de35c4f4b
- bProtector
- banda larga tmn
- best-markit-soft
- bestLyrics
- cWinManProc
- caMyciloP
- chk32
- chroomium Browser
- click-n-mark Corp
- cmcm\Clean Master
- cmdidx
- comoBoss
- cpuminer
- crxbro Browser
- daugava
- dbprotectsuppore
- dbprotectsupport
- ddweather
- desktopfind
- dlohn
- e25f457c-9287-4f2d-b5a8-8cd714c55009
- eAHPeNhIUJ
- eDealPop
- endax
- eye perform
- ezvitInfo
- facemoods.com
- fchk32
- ffgogogo Browser
- gByrAT
- gate snapper
- ghokswa Browser
- globalUpdate
- gocoupon
- greenapp
- hostskidki
- iCLS Client
- iSafe
- iWebar
- iWin Games
- iZ3D Driver
- iretadpU
- ksecur
- logishrd
- ma-config.com
- majtu100_mx_14
- mediabar Toolbar
- mizip
- mysites123
- net1-sede
- netcut
- netfilter
- neurowise
- ntsvc
- oTweak
- ohnuze
- peaeLlz
- qksee
- ruyiso
- schk32
- screentk
- serfe
- serfev
- sgulPhceT
- skinapp
- snda\sdupdate
- speed browser
- storagecraft
- surf slide
- sushileads
- systips
- t100mx1
- tiger savings
- uCozMedia
- ver9Safer-Surf
- wainterneten
- wajainterneten
- wajanen
- wajinteren
- webget
- winteren
- wnetworken
- yWdMy
- {D9E629DC-CB1C-4A97-9900-81922B4EFFD4}
- 003\vxlsnyaiet32.exe
- 005\hzunyanhtn64.exe
- ASP\AdvancedSystemProtector.exe
- Assistant\AssistantSvc.dll
- Bifrost\server.exe
- ClinckProxy.exe
- ClinckSystemLayer.exe
- Common Files\Microsoft shared\ink\pt\services.exe
- Common Files\WWS\Watchdog.exe
- Common Files\microsoft shared\ink\TabTip.exe
- Company\gupdate\gupdate.exe
- Microsoft Data\InstallAddons.exe
- Opera\opera.bat
- RCP\systweakasp.exe
- SFK\SSFK.exe
- Security\winsec.exe
- Software\Update\SoftwareUpdate.exe
- Windows Alerter
- Windows Common Files
- Workspace\offSyncService.exe
- badu\sys.exe
- baidu\baidu.exe
- common files\nt\smetts.exe
- common files\speechengines\microsoft\spcomon.ini
- fr\fr.exe
- pchd\PCHDPlayer.exe
- syspwow\syspwow.exe
- update\UpdateAgent.exe
It delete files/folder from User's Temp (%User Temp%) and Windows Temp (%Windows%\Temp) directories:
- .clamwin
- 360SD
- 360WD
- 360safe
- AFWCORE.sys
- AVAST Software
- Arcabit
- Ashampoo\Ashampoo Firewall
- Avanquest
- Avg2014
- AvgPackage
- Avira
- Baidu Security
- Baidu\Baidu
- Baidu\Baidu Antivirus
- BavPro_Setup_Mini_GL
- BgInstallAssistOld.txt
- Bitdefender
- BkavHome2014
- BkavWhatsNewEN_files
- BullGuard
- BullGuard Premium Protection Setup.exe
- Comodo
- Crystal Security
- ESCANDB.LOG
- ESET
- GDATA_Online_Update
- HCBackup
- HCLauncher.log
- HouseCall
- IObit
- IObit Apps
- K7 Computing
- K7TSInsFont.ttf
- K7TSInsRes.dll
- KAV Remote Installations
- Lavasoft
- LavasoftStatistics
- MPASBASE.VDM
- MPASDLTA.VDM
- MPAVBASE.VDM
- MPAVDLTA.VDM
- MPENGINE.DLL
- MWAV.LOG
- Malwarebytes
- McAfee
- McAfee File Lock
- MicroWorld
- MpCmdRun.log
- OnlineArmor
- Panda Security
- PavLogInst
- SYMEVENT.LOG
- SandBox.sys
- SecurityScan_Release
- Sophos AutoUpdate Install Log.txt
- Sophos Client Firewall CustomActions Log.txt
- Sophos Client Firewall DriverHelper Log.txt
- Sophos Client Firewall install log.txt
- Sophos Standalone Installer.txt
- Sophos Web Intelligence Install.log
- SpyShelter
- TiInst
- Titanium
- Trend Micro
- TrendMicro AntiThreat Toolkit
- VIPRE
- VIPREPremiumInstaller.log
- Zillya Internet Security
- _avast5_
- _avast_
- afw_setup.log
- avast_ash
- avginfo.id
- baidu\Antivirus
- baidu_secure
- eAcceleration
- housecall.guid.cache
- iSafeRightKeyScan
- kerio
- kerio-connect.setup.log
- kerio-control.setup.log
- kerio_webmail
- nanoav
- panda4_1dn
- pandasecurity-manifest.xml
- pandasecurity-toolbar.xml
- pandasecuritytb_Install_Log.txt
- trend download
- v3init2.log
- {64F7A9DE-BB02-4DAC-9246-E9B7668B9503}
It delete the following files in the Windows directory:
- 32\chromex.exe
- AppUpdate\updater.exe
- AudioHQ.dll.exe
- BkavFirewallService.exe
- BluProService.exe
- Cursors\services.exe
- Fonts\svchost.exe
- INCAinternet\nProtect Anti-Virus Spyware 3.0\nspsvc.exe
- INCAinternet\nProtect Anti-Virus Spyware 3.0\nspupsvc.exe
- ImageSAFERSvc.exe
- InstallDir\svchost.exe
- InstallDir\winexe.exe
- K7TSDbg.exe
- Microsoft.com
- SAsrv.exe
- SSVICHOSST.exe
- SVOHOST.exe
- Sys\Windows Defender.exe
- Sys\svchost.exe
- TEMP\system\svchost.exe
- Taskcall.EXE
- Tasks\FLASHUPDATE
- Terms.exe
- UPDATERWIN.EXE
- Updatesvc.exe
- Win7.exe
- antivar.exe
- aswBoot.exe
- bc.exe
- bsmain.exe
- ciique.exe
- csrcs.exe
- csrsc.exe
- csrss.exe
- debug\wmisrv.exe
- defensewall_serv.exe
- dell\iexplore.exe
- dell\pubwin.vbs
- dfrg\svc.exe
- dj.exe
- driver.exe
- drivers\ctfmon.exe
- drivers\etc\svchost.exe
- drivers\svchost.exe
- ext_driver.exe
- exxplorer.exe
- fonts\anqn.exe
- fonts\taskhost.exe
- hostnamex.exe
- iexplore\iexplore.exe
- iexplorer.exe
- inf\wuauclt.exe
- ipz.exe
- ipz2.exe
- jmesoft\Service.exe
- jusched.exe
- kamsoft.exe
- logfiles\nssm.exe
- logfiles\svchost.bat
- lsass.exe
- lsasvc.exe
- mlwps.exe
- mpk\MPK.exe
- mpk\lsynchost.exe
- nieyou.exe
- oobe\explorer.exe
- president.exe
- rcore.exe
- runSW.exe
- schost.exe
- sdeeae3e.exe
- setup\webser.exe
- speech\csrss.exe
- speech\taskhost.exe
- ssysstem32.exe
- ssystemxx32.exe
- svc49.exe
- svccost.exe
- svchoost.exe
- svchost.com
- svchost.exe
- svshost.exe
- sysfiles\rutserv.exe
- system.bat
- system\svchost.exe
- system\svchosts.exe
- system\system\start.vbs
- system\taskhost.exe
- system\win32.exe
- syswow\conhost.exe
- tcpsv\ams.exe
- tpnative.exe
- vss\svchost.exe
- wauctla.exe
- winfile.exe
- wininits.exe
- winscok.dll
- wmisrv.exe
- zkz.exe
SOLUTION
9.850
13.440.07
31 May 2017
13.441.00
01 Jun 2017
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- fs32 = "%SystemRoot%\system32\bcdedit.exe /set {current} recoveryenabled No"
- fs32 = "%SystemRoot%\system32\bcdedit.exe /set {current} recoveryenabled No"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- fs57 = "%SystemRoot%\system32\netsh.exe winsock reset"
- fs57 = "%SystemRoot%\system32\netsh.exe winsock reset"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- aaa99 = "%Windows%\rdpinst.exe"
- aaa99 = "%Windows%\rdpinst.exe"
Step 3
Restore this modified registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- From: ConsentPromptBehaviorAdmin = 5
To: ConsentPromptBehaviorAdmin = 0
- From: ConsentPromptBehaviorAdmin = 5
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- From: EnableLUA = 0
To: EnableLUA = 1
- From: EnableLUA = 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- From: PromptOnSecureDesktop = 0
To: PromptOnSecureDesktop = 1
- From: PromptOnSecureDesktop = 0
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
- From: BootExecute = "autocheck autochk * {malware path and name}"
To: BootExecute = "autocheck autochk *"
- From: BootExecute = "autocheck autochk * {malware path and name}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- From: AntiVirusOverride = 1
To: AntiVirusOverride = 0
- From: AntiVirusOverride = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- From: FirewallOverride = 1
To: FirewallOverride = 0
- From: FirewallOverride = 1
Step 4
Search and delete these files
Step 5
Scan your computer with your Trend Micro product to delete files detected as TROJ_CARBERP.YWQ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 6
Restore this file from backup only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on you computer again.
NOTES:
Note: Restore files from backups or reinstall deleted files and registries to ensure that all programs functions properly.
Did this description help? Tell us how we did.