Trojan.Encoder.37229

Added to the Dr.Web virus database: 2023-02-11

Virus description added:

Technical Information

To ensure autorun and distribution
Modifies the following registry keys
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'vlc' = '"%APPDATA%\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'WindowsUpdateCheck' = '<Full path to file>'
Creates or modifies the following files
Creates the following files on removable media
  • <Drive name for removable media>:\.c4d1664ef40ce18f8d41
  • <Drive name for removable media>:\delete.avi
  • <Drive name for removable media>:\split.avi
  • <Drive name for removable media>:\toolbar.bmp
  • <Drive name for removable media>:\default.bmp
  • <Drive name for removable media>:\dialmap.bmp
  • <Drive name for removable media>:\tileimage.bmp
  • <Drive name for removable media>:\coffee.bmp
  • <Drive name for removable media>:\dashborder_96.bmp
  • <Drive name for removable media>:\sdksampleprivdeveloper.cer
  • <Drive name for removable media>:\contosoroot_1.cer
  • <Drive name for removable media>:\sdkfailsafeemulator.cer
  • <Drive name for removable media>:\testee.cer
  • <Drive name for removable media>:\fi51.doc
  • <Drive name for removable media>:\hanni_umami_chapter.doc
  • <Drive name for removable media>:\february_catalogue__2015.doc
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
  • Windows Defender
Executes the following
  • '<SYSTEM32>\net.exe' stop U8WorkerService1
  • '<SYSTEM32>\net.exe' stop MSExchangeHM
  • '<SYSTEM32>\net.exe' stop "Alibaba Security Aegis Detect Service"
  • '<SYSTEM32>\taskkill.exe' /IM vm-agent-daemon.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM SogouImeBroker.exe /F
  • '<SYSTEM32>\net.exe' stop MSExchangeFrontEndTransport
  • '<SYSTEM32>\taskkill.exe' /IM java.exe /F
  • '<SYSTEM32>\net.exe' stop AutoUpdateService
  • '<SYSTEM32>\net.exe' stop "Alibaba Security Aegis Update Service"
  • '<SYSTEM32>\taskkill.exe' /IM TeamViewer_Service.exe /F
  • '<SYSTEM32>\net.exe' stop CASLicenceServer
  • '<SYSTEM32>\net.exe' stop MSExchangeFastSearch
  • '<SYSTEM32>\net.exe' stop QPCore
  • '<SYSTEM32>\net.exe' stop MSExchangeEdgeSync
  • '<SYSTEM32>\net.exe' stop TeamViewer
  • '<SYSTEM32>\net.exe' stop MSExchangeDiagnostics
  • '<SYSTEM32>\net.exe' stop Tomcat8
  • '<SYSTEM32>\net.exe' stop CASWebServer
  • '<SYSTEM32>\taskkill.exe' /IM sqlservr.exe /F
  • '<SYSTEM32>\net.exe' stop MSSQL$SQL2008
  • '<SYSTEM32>\taskkill.exe' /IM cygrunsrv.exe /F
  • '<SYSTEM32>\net.exe' stop CASMsgSrv
  • '<SYSTEM32>\net.exe' stop MSExchangeIMAP4BE
  • '<SYSTEM32>\net.exe' stop CASVirtualDiskService
  • '<SYSTEM32>\taskkill.exe' /IM CCenter.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM bengine.exe /F
  • '<SYSTEM32>\net.exe' stop iNethinkSQLBackupSvc
  • '<SYSTEM32>\taskkill.exe' /IM TeamViewer.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM fdhost.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM eSightService.exe /F
  • '<SYSTEM32>\net.exe' stop DDNSService
  • '<SYSTEM32>\taskkill.exe' /IM BackupExecManagementService.exe /F
  • '<SYSTEM32>\net.exe' stop MSExchangeImap4
  • '<SYSTEM32>\net.exe' stop RapService
  • '<SYSTEM32>\net.exe' stop AGSService
  • '<SYSTEM32>\net.exe' stop CASXMLService
  • '<SYSTEM32>\net.exe' stop MSExchangeHMRecovery
  • '<SYSTEM32>\taskkill.exe' /IM mysqld.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM mdm.exe /F
  • '<SYSTEM32>\net.exe' stop MSExchangeDelivery
  • '<SYSTEM32>\taskkill.exe' /IM rcrelay.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM vm-agent.exe /F
  • '<SYSTEM32>\net.exe' stop VMUSBArbService
  • '<SYSTEM32>\net.exe' stop wanxiao-monitor
  • '<SYSTEM32>\taskkill.exe' /IM ThunderPlatform.exe /F
  • '<SYSTEM32>\net.exe' stop MSComplianceAudit
  • '<SYSTEM32>\net.exe' stop xenlite
  • '<SYSTEM32>\net.exe' stop VMAuthdService
  • '<SYSTEM32>\net.exe' stop UFIDAWebService
  • '<SYSTEM32>\net.exe' stop Realtek11nSU
  • '<SYSTEM32>\net.exe' stop "igfxCUIService2.0.0.0"
  • '<SYSTEM32>\net.exe' stop XenSvc
  • '<SYSTEM32>\net.exe' stop Apache2.4
  • '<SYSTEM32>\net.exe' stop TeamViewer8
  • '<SYSTEM32>\net.exe' stop VMwareHostd
  • '<SYSTEM32>\net.exe' stop "memcached Server"
  • '<SYSTEM32>\net.exe' stop HaoZipSvc
  • '<SYSTEM32>\net.exe' stop UIODetect
  • '<SYSTEM32>\net.exe' stop U8WorkerService2
  • '<SYSTEM32>\taskkill.exe' /IM fdlauncher.exe /F
  • '<SYSTEM32>\net.exe' stop "AliyunService"
  • '<SYSTEM32>\net.exe' stop WebAttendServer
  • '<SYSTEM32>\net.exe' stop "Synology Drive VSS Service x64"
  • '<SYSTEM32>\net.exe' stop MSExchangeADTopology
  • '<SYSTEM32>\taskkill.exe' /IM httpd.exe /F
  • '<SYSTEM32>\net.exe' stop JWRinfoClientService
  • '<SYSTEM32>\net.exe' stop "VMware NAT Service"
  • '<SYSTEM32>\taskkill.exe' /IM Att.exe /F
  • '<SYSTEM32>\net.exe' stop MSExchangeDagMgmt
  • '<SYSTEM32>\taskkill.exe' /IM iexplore.exe /F
  • '<SYSTEM32>\net.exe' stop JWEM3DBAUTORun
  • '<SYSTEM32>\net.exe' stop VMnetDHCP
  • '<SYSTEM32>\taskkill.exe' /IM pg_ctl.exe /F
  • '<SYSTEM32>\net.exe' stop FirebirdGuardianDeafaultInstance
  • '<SYSTEM32>\taskkill.exe' /IM VBoxSDS.exe /F
  • '<SYSTEM32>\net.exe' stop MSExchangeCompliance
  • '<SYSTEM32>\net.exe' stop DellDRLogSvc
  • '<SYSTEM32>\taskkill.exe' /IM BackupExec.exe /F
  • '<SYSTEM32>\net.exe' stop MSExchangeAntispamUpdate
  • '<SYSTEM32>\net.exe' stop mysqltransport
  • '<SYSTEM32>\net.exe' stop Apache2.2
  • '<SYSTEM32>\net.exe' stop "OracleOraDb10g_homeliSQL*Plus"
Terminates or attempts to terminate
the following system processes:
  • <SYSTEM32>\cmd.exe
Modifies file system
Creates the following files
  • %TEMP%\test.exe
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\entries\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\entries\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\doomed\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\doomed\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_002_
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\e\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_003_
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_map_
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\f\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\f\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\e\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_001_
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\startupcache\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\updates\how to back your files.txt
  • %HOMEPATH%\local settings\how to back your files.txt
  • %HOMEPATH%\local settings\virtualstore\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\virtualstore\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\updates\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\updates\8216c80c92c4e828\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\startupcache\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\updates\8216c80c92c4e828\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\profiles\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\_cache_clean_
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\startupcache\startupcache.4.little
  • %HOMEPATH%\start menu\programs\accessories\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\d\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\d\how to back your files.txt
  • %HOMEPATH%\start menu\programs\accessories\how to back your files.txt
  • %HOMEPATH%\start menu\programs\videolan\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\4\how to back your files.txt
  • %HOMEPATH%\start menu\programs\videolan\vlc.exe
  • %HOMEPATH%\start menu\programs\videolan\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\5\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\5\how to back your files.txt
  • %HOMEPATH%\start menu\programs\total commander\how to back your files.txt
  • %HOMEPATH%\start menu\programs\accessories\accessibility\how to back your files.txt
  • %HOMEPATH%\start menu\programs\telegram desktop\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\2\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\1\how to back your files.txt
  • %HOMEPATH%\start menu\programs\maintenance\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\3\how to back your files.txt
  • %HOMEPATH%\start menu\programs\accessories\system tools\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\6\how to back your files.txt
  • %HOMEPATH%\start menu\programs\winrar\how to back your files.txt
  • %HOMEPATH%\start menu\programs\accessories\accessibility\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\c\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\b\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\b\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\a\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\start menu\programs\how to back your files.txt
  • %HOMEPATH%\start menu\programs\winrar\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\c\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\a\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\9\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\8\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\8\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\7\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\7\how to back your files.txt
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\6\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\9\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\iconcache.db
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\0\how to back your files.txt
  • %HOMEPATH%\local settings\gdipfontcachev1.dat
  • %HOMEPATH%\my documents\my music\how to back your files.txt
  • C:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\voip\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\voip\how to back your files.txt
  • %HOMEPATH%\videos\.c4d1664ef40ce18f8d41
  • C:\$recycle.bin\how to back your files.txt
  • %HOMEPATH%\videos\how to back your files.txt
  • C:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\how to back your files.txt
  • %HOMEPATH%\sendto\desktop (create shortcut).desklink
  • %HOMEPATH%\templates\how to back your files.txt
  • %HOMEPATH%\start menu\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\start menu\programs\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\start menu\how to back your files.txt
  • %HOMEPATH%\sendto\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\sendto\compressed (zipped) folder.zfsendtotarget
  • D:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\templates\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\how to back your files.txt
  • D:\.c4d1664ef40ce18f8d41
  • %TEMP%\luwfhemn.vbs
  • %APPDATA%\microsoft\windows\start menu\programs\videolan\vlc.exe
  • %TEMP%\e0ec.tmp\e0ed.tmp\e0ee.bat
  • %ALLUSERSPROFILE%\local\.c4d1664ef40ce18f8d41
  • <Current directory>\ids.txt
  • C:\.c4d1664ef40ce18f8d41
  • z:\.c4d1664ef40ce18f8d41
  • C:\users\how to back your files.txt
  • C:\$recycle.bin\.c4d1664ef40ce18f8d41
  • D:\$recycle.bin\.c4d1664ef40ce18f8d41
  • D:\system volume information\.c4d1664ef40ce18f8d41
  • C:\how to back your files.txt
  • z:\system volume information\.c4d1664ef40ce18f8d41
  • C:\users\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\sendto\mail recipient.mapimail
  • %HOMEPATH%\sendto\how to back your files.txt
  • %HOMEPATH%\searches\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\recent\automaticdestinations\1b4dd67f29cb1962.automaticdestinations-ms
  • %HOMEPATH%\recent\automaticdestinations\74d7f43c1561fc1e.automaticdestinations-ms
  • %HOMEPATH%\recent\automaticdestinations\7e4dca80246863e3.automaticdestinations-ms
  • %HOMEPATH%\recent\automaticdestinations\how to back your files.txt
  • %HOMEPATH%\printhood\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\recent\customdestinations\how to back your files.txt
  • %HOMEPATH%\recent\automaticdestinations\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\printhood\how to back your files.txt
  • %HOMEPATH%\nethood\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\nethood\how to back your files.txt
  • %HOMEPATH%\my documents\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\my documents\how to back your files.txt
  • %HOMEPATH%\my documents\my music\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\pictures\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\pictures\how to back your files.txt
  • %HOMEPATH%\recent\customdestinations\c312e260e424ae76.customdestinations-ms
  • %HOMEPATH%\recent\customdestinations\bf8efb871eda5262.customdestinations-ms
  • %HOMEPATH%\recent\customdestinations\969252ce11249fdd.customdestinations-ms
  • %HOMEPATH%\saved games\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\saved games\how to back your files.txt
  • %HOMEPATH%\recent\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\recent\how to back your files.txt
  • %HOMEPATH%\recent\customdestinations\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\recent\customdestinations\10a2479c877ca098.customdestinations-ms
  • %HOMEPATH%\searches\how to back your files.txt
  • %HOMEPATH%\recent\customdestinations\1b4dd67f29cb1962.customdestinations-ms
  • %HOMEPATH%\recent\customdestinations\590aee7bdd69b59b.customdestinations-ms
  • %HOMEPATH%\recent\customdestinations\5afe4de1b92fc382.customdestinations-ms
  • %HOMEPATH%\recent\customdestinations\5d696d521de238c3.customdestinations-ms
  • %HOMEPATH%\recent\customdestinations\74d7f43c1561fc1e.customdestinations-ms
  • %HOMEPATH%\recent\customdestinations\7e4dca80246863e3.customdestinations-ms
  • %HOMEPATH%\recent\customdestinations\9027fe24326910d2.customdestinations-ms
  • %HOMEPATH%\recent\customdestinations\28c8b86deab549a1.customdestinations-ms
  • %HOMEPATH%\local settings\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\start menu\programs\mail.ru\how to back your files.txt
Sets the 'hidden' attribute to the following files
  • %ALLUSERSPROFILE%\local\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\updates\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\updates\8216c80c92c4e828\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\startupcache\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\entries\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache2\doomed\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\virtualstore\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\f\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\start menu\programs\accessories\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\c\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\b\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\a\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\start menu\programs\winrar\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\9\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\8\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\7\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\6\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\start menu\programs\accessories\accessibility\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\e\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\d\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\my documents\my music\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\my documents\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\nethood\.c4d1664ef40ce18f8d41
  • C:\.c4d1664ef40ce18f8d41
  • D:\.c4d1664ef40ce18f8d41
  • z:\.c4d1664ef40ce18f8d41
  • C:\$recycle.bin\.c4d1664ef40ce18f8d41
  • D:\$recycle.bin\.c4d1664ef40ce18f8d41
  • D:\system volume information\.c4d1664ef40ce18f8d41
  • z:\system volume information\.c4d1664ef40ce18f8d41
  • C:\users\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\.c4d1664ef40ce18f8d41
  • D:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\voip\.c4d1664ef40ce18f8d41
  • <Drive name for removable media>:\.c4d1664ef40ce18f8d41
  • C:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\templates\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\start menu\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\start menu\programs\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\sendto\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\searches\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\saved games\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\recent\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\recent\customdestinations\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\recent\automaticdestinations\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\printhood\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\pictures\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\videos\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\5\.c4d1664ef40ce18f8d41
  • %HOMEPATH%\start menu\programs\videolan\.c4d1664ef40ce18f8d41
Deletes the following files
  • %TEMP%\test.exe
  • %TEMP%\e0ec.tmp\e0ed.tmp\e0ee.bat
Moves the following files
  • from %HOMEPATH%\sendto\compressed (zipped) folder.zfsendtotarget to %HOMEPATH%\sendto\compressed (zipped) folder.zfsendtotarget.globeimposter-alpha865qqz
  • from %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_003_ to %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_003_.globeimposter-alpha865qqz
  • from %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_002_ to %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_002_.globeimposter-alpha865qqz
  • from %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_001_ to %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_001_.globeimposter-alpha865qqz
  • from %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\startupcache\startupcache.4.little to %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\startupcache\startupcache.4.little.globeimposter-alpha865qqz
  • from %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\_cache_clean_ to %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\_cache_clean_.globeimposter-alpha865qqz
  • from %HOMEPATH%\recent\automaticdestinations\7e4dca80246863e3.automaticdestinations-ms to %HOMEPATH%\recent\automaticdestinations\7e4dca80246863e3.automaticdestinations-ms.globeimposter-alpha865qqz
  • from %HOMEPATH%\recent\automaticdestinations\74d7f43c1561fc1e.automaticdestinations-ms to %HOMEPATH%\recent\automaticdestinations\74d7f43c1561fc1e.automaticdestinations-ms.globeimposter-alpha865qqz
  • from %HOMEPATH%\recent\automaticdestinations\1b4dd67f29cb1962.automaticdestinations-ms to %HOMEPATH%\recent\automaticdestinations\1b4dd67f29cb1962.automaticdestinations-ms.globeimposter-alpha865qqz
  • from %HOMEPATH%\recent\customdestinations\c312e260e424ae76.customdestinations-ms to %HOMEPATH%\recent\customdestinations\c312e260e424ae76.customdestinations-ms.globeimposter-alpha865qqz
  • from %HOMEPATH%\recent\customdestinations\bf8efb871eda5262.customdestinations-ms to %HOMEPATH%\recent\customdestinations\bf8efb871eda5262.customdestinations-ms.globeimposter-alpha865qqz
  • from %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_map_ to %HOMEPATH%\local settings\thunderbird\profiles\wjj9aet2.default\cache\_cache_map_.globeimposter-alpha865qqz
  • from %HOMEPATH%\recent\customdestinations\969252ce11249fdd.customdestinations-ms to %HOMEPATH%\recent\customdestinations\969252ce11249fdd.customdestinations-ms.globeimposter-alpha865qqz
  • from %HOMEPATH%\recent\customdestinations\7e4dca80246863e3.customdestinations-ms to %HOMEPATH%\recent\customdestinations\7e4dca80246863e3.customdestinations-ms.globeimposter-alpha865qqz
  • from %HOMEPATH%\recent\customdestinations\74d7f43c1561fc1e.customdestinations-ms to %HOMEPATH%\recent\customdestinations\74d7f43c1561fc1e.customdestinations-ms.globeimposter-alpha865qqz
  • from %HOMEPATH%\recent\customdestinations\5d696d521de238c3.customdestinations-ms to %HOMEPATH%\recent\customdestinations\5d696d521de238c3.customdestinations-ms.globeimposter-alpha865qqz
  • from %HOMEPATH%\recent\customdestinations\5afe4de1b92fc382.customdestinations-ms to %HOMEPATH%\recent\customdestinations\5afe4de1b92fc382.customdestinations-ms.globeimposter-alpha865qqz
  • from %HOMEPATH%\recent\customdestinations\590aee7bdd69b59b.customdestinations-ms to %HOMEPATH%\recent\customdestinations\590aee7bdd69b59b.customdestinations-ms.globeimposter-alpha865qqz
  • from %HOMEPATH%\recent\customdestinations\28c8b86deab549a1.customdestinations-ms to %HOMEPATH%\recent\customdestinations\28c8b86deab549a1.customdestinations-ms.globeimposter-alpha865qqz
  • from %HOMEPATH%\recent\customdestinations\1b4dd67f29cb1962.customdestinations-ms to %HOMEPATH%\recent\customdestinations\1b4dd67f29cb1962.customdestinations-ms.globeimposter-alpha865qqz
  • from %HOMEPATH%\recent\customdestinations\10a2479c877ca098.customdestinations-ms to %HOMEPATH%\recent\customdestinations\10a2479c877ca098.customdestinations-ms.globeimposter-alpha865qqz
  • from %HOMEPATH%\sendto\mail recipient.mapimail to %HOMEPATH%\sendto\mail recipient.mapimail.globeimposter-alpha865qqz
  • from %HOMEPATH%\sendto\desktop (create shortcut).desklink to %HOMEPATH%\sendto\desktop (create shortcut).desklink.globeimposter-alpha865qqz
  • from %HOMEPATH%\recent\customdestinations\9027fe24326910d2.customdestinations-ms to %HOMEPATH%\recent\customdestinations\9027fe24326910d2.customdestinations-ms.globeimposter-alpha865qqz
  • from %HOMEPATH%\start menu\programs\videolan\vlc.exe to %HOMEPATH%\start menu\programs\videolan\vlc.exe.globeimposter-alpha865qqz
Modifies the following files
Modifies user data files (Trojan.Encoder).
Changes user data files extensions (Trojan.Encoder).
Miscellaneous
Searches for the following windows
  • ClassName: '' WindowName: ''
Creates and executes the following
  • '%WINDIR%\syswow64\wscript.exe' "%TEMP%\Luwfhemn.vbs"
  • '%TEMP%\test.exe'
  • '%TEMP%\test.exe' ' (with hidden window)
Executes the following
  • '<SYSTEM32>\cmd.exe' /c "%TEMP%\E0EC.tmp\E0ED.tmp\E0EE.bat %TEMP%\test.exe"
  • '<SYSTEM32>\sc.exe' delete MSSQL$SQL2008
  • '<SYSTEM32>\sc.exe' delete VmAgentDaemon
  • '<SYSTEM32>\sc.exe' delete OSearch16
  • '<SYSTEM32>\net1.exe' stop Tomcat8
  • '<SYSTEM32>\sc.exe' delete MsDtsServer100
  • '<SYSTEM32>\net1.exe' stop MSExchangeDiagnostics
  • '<SYSTEM32>\sc.exe' delete OpenSSHd
  • '<SYSTEM32>\sc.exe' delete ProjectCalcService16
  • '<SYSTEM32>\net1.exe' stop MSExchangeDelivery
  • '<SYSTEM32>\sc.exe' delete IpOverUsbSvc
  • '<SYSTEM32>\sc.exe' delete SQLAgent$SQL2008
  • '<SYSTEM32>\sc.exe' delete eSightService
  • '<SYSTEM32>\sc.exe' delete c2wts
  • '<SYSTEM32>\sc.exe' delete KMSELDI
  • '<SYSTEM32>\net1.exe' stop MSExchangeEdgeSync
  • '<SYSTEM32>\net1.exe' stop QPCore
  • '<SYSTEM32>\sc.exe' delete TPlusStdTaskService1300
  • '<SYSTEM32>\sc.exe' delete apachezt
  • '<SYSTEM32>\sc.exe' delete btPanel
  • '<SYSTEM32>\sc.exe' delete KuaiYunTools
  • '<SYSTEM32>\net1.exe' stop TeamViewer
  • '<SYSTEM32>\sc.exe' delete SPTraceV4
  • '<SYSTEM32>\sc.exe' delete "vm-agent"
  • '<SYSTEM32>\sc.exe' delete TPlusStdAppService1300
  • '<SYSTEM32>\net1.exe' stop DellDRLogSvc
  • '<SYSTEM32>\sc.exe' delete ZTEVdservice
  • '<SYSTEM32>\sc.exe' delete VMAuthdService
  • '<SYSTEM32>\sc.exe' delete ProjectQueueService16
  • '<SYSTEM32>\net1.exe' stop FirebirdGuardianDeafaultInstance
  • '<SYSTEM32>\sc.exe' delete SSMonitorService
  • '<SYSTEM32>\net1.exe' stop MSExchangeCompliance
  • '<SYSTEM32>\net1.exe' stop VMnetDHCP
  • '<SYSTEM32>\sc.exe' delete SPAdminV4
  • '<SYSTEM32>\sc.exe' delete "Sense Shield Service"
  • '<SYSTEM32>\net1.exe' stop JWEM3DBAUTORun
  • '<SYSTEM32>\sc.exe' delete kbasesrv
  • '<SYSTEM32>\sc.exe' delete SSSyncService
  • '<SYSTEM32>\net1.exe' stop MSExchangeDagMgmt
  • '<SYSTEM32>\net1.exe' stop "VMware NAT Service"
  • '<SYSTEM32>\sc.exe' delete SPSearchHostController
  • '<SYSTEM32>\sc.exe' delete MMRHookService
  • '<SYSTEM32>\sc.exe' delete VMwareHostd
  • '<SYSTEM32>\sc.exe' delete SPTimerV4
  • '<SYSTEM32>\sc.exe' delete OracleJobSchedulerORCL
  • '<SYSTEM32>\sc.exe' delete VMUSBArbService
  • '<SYSTEM32>\net1.exe' stop CASLicenceServer
  • '<SYSTEM32>\sc.exe' delete Jenkins
  • '<SYSTEM32>\sc.exe' delete GPSGatewaySvr
  • '<SYSTEM32>\sc.exe' delete TPlusStdUpgradeService1300
  • '<SYSTEM32>\sc.exe' delete OracleRemExecService
  • '<SYSTEM32>\net1.exe' stop AGSService
  • '<SYSTEM32>\sc.exe' delete GPSDaemon
  • '<SYSTEM32>\sc.exe' delete 360EntHttpServer
  • '<SYSTEM32>\net1.exe' stop RapService
  • '<SYSTEM32>\sc.exe' delete GPSUserSvr
  • '<SYSTEM32>\sc.exe' delete 360EntSvc
  • '<SYSTEM32>\net1.exe' stop MSExchangeImap4
  • '<SYSTEM32>\net1.exe' stop CASXMLService
  • '<SYSTEM32>\sc.exe' delete zyb_sync
  • '<SYSTEM32>\net1.exe' stop DDNSService
  • '<SYSTEM32>\net1.exe' stop iNethinkSQLBackupSvc
  • '<SYSTEM32>\sc.exe' delete GPSStorageSvr
  • '<SYSTEM32>\sc.exe' delete NFWebServer
  • '<SYSTEM32>\net1.exe' stop CASVirtualDiskService
  • '<SYSTEM32>\sc.exe' delete GPSDataProcSvr
  • '<SYSTEM32>\net1.exe' stop MSExchangeIMAP4BE
  • '<SYSTEM32>\net1.exe' stop CASMsgSrv
  • '<SYSTEM32>\sc.exe' delete wampapache
  • '<SYSTEM32>\sc.exe' delete GPSDownSvr
  • '<SYSTEM32>\sc.exe' delete 360EntClientSvc
  • '<SYSTEM32>\net1.exe' stop MSExchangeHMRecovery
  • '<SYSTEM32>\sc.exe' delete "OSP Service"
  • '<SYSTEM32>\sc.exe' delete QQCertificateService
  • '<SYSTEM32>\net1.exe' stop CASWebServer
  • '<SYSTEM32>\sc.exe' delete secbizsrv
  • '<SYSTEM32>\sc.exe' delete VirboxWebServer
  • '<SYSTEM32>\sc.exe' delete 2345PicSvc
  • '<SYSTEM32>\net1.exe' stop AutoUpdateService
  • '<SYSTEM32>\net1.exe' stop MSExchangeFrontEndTransport
  • '<SYSTEM32>\sc.exe' delete SQLTELEMETRY
  • '<SYSTEM32>\sc.exe' delete vmware-converter-agent
  • '<SYSTEM32>\sc.exe' delete jhi_service
  • '<SYSTEM32>\sc.exe' delete Protect_2345Explorer
  • '<SYSTEM32>\net1.exe' stop "Alibaba Security Aegis Detect Service"
  • '<SYSTEM32>\net1.exe' stop MSExchangeHM
  • '<SYSTEM32>\sc.exe' delete LMS
  • '<SYSTEM32>\sc.exe' delete MSMQ
  • '<SYSTEM32>\net1.exe' stop "Alibaba Security Aegis Update Service"
  • '<SYSTEM32>\sc.exe' delete vmware-converter-worker
  • '<SYSTEM32>\sc.exe' delete "FontCache3.0.0.0"
  • '<SYSTEM32>\net1.exe' stop MSSQL$SQL2008
  • '<SYSTEM32>\sc.exe' delete smtpsvrJT
  • '<SYSTEM32>\net1.exe' stop "AliyunService"
  • '<SYSTEM32>\sc.exe' delete vmware-converter-server
  • '<SYSTEM32>\sc.exe' delete AlibabaProtect
  • '<SYSTEM32>\net1.exe' stop MSExchangeFastSearch
  • '<SYSTEM32>\sc.exe' delete ProjectEventService16
  • '<SYSTEM32>\net1.exe' stop UIODetect
  • '<SYSTEM32>\sc.exe' delete VMTools
  • '<SYSTEM32>\sc.exe' delete ftnlses3
  • '<SYSTEM32>\sc.exe' delete ImeDictUpdateService
  • '<SYSTEM32>\sc.exe' delete FxService
  • '<SYSTEM32>\sc.exe' delete "UtilDev Web Server Pro"
  • '<SYSTEM32>\sc.exe' delete VGAuthService
  • '<SYSTEM32>\sc.exe' delete ftusbrdwks
  • '<SYSTEM32>\cmd.exe' /c "color e & @taskkill /IM ThunderPlatform.exe /F & @taskkill /IM iexplore.exe /F & @taskkill /IM vm-agent.exe /F & @taskkill /IM vm-agent-daemon.exe /F & @taskkill /IM eSightService.exe /F & ...
  • '<SYSTEM32>\sc.exe' delete "UWS LoPriv Services"
  • '<SYSTEM32>\sc.exe' delete ftnlsv3
  • '<SYSTEM32>\sc.exe' delete ftusbrdsrv
  • '<SYSTEM32>\sc.exe' delete MSDTC
  • '<SYSTEM32>\sc.exe' delete "eCard-TTransServer"
  • '<SYSTEM32>\net1.exe' stop U8WorkerService1
  • '<SYSTEM32>\sc.exe' delete "ZTE USBIP Client Guard"
  • '<SYSTEM32>\sc.exe' delete MSCRMAsyncService
  • '<SYSTEM32>\sc.exe' delete eCardMPService
  • '<SYSTEM32>\sc.exe' delete MCService
  • '<SYSTEM32>\sc.exe' delete REPLICA
  • '<SYSTEM32>\sc.exe' delete XT800Service_Personal
  • '<SYSTEM32>\sc.exe' delete "DAService_TCP"
  • '<SYSTEM32>\sc.exe' delete JhTask
  • '%WINDIR%\syswow64\cmd.exe' /c @echo off sc config browser sc config browser start=enabled vssadmin delete shadows /all /quiet sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabl...
  • '<SYSTEM32>\sc.exe' delete aspnet_state @sc delete Redis
  • '<SYSTEM32>\cmd.exe' /c "color b & @sc delete "DAService_TCP" & @sc delete "eCard-TTransServer" & @sc delete eCardMPService & @sc delete EnergyDataService & @sc delete UI0Detect & @sc delete K3MobileService & @sc d...
  • '<SYSTEM32>\cmd.exe' /c "color b & @sc delete OracleOraDb11g_home1ClrAgent & @sc delete OracleOraDb11g_home1TNSListener & @sc delete OracleVssWriterORCL & @sc delete OracleServiceORCL & @sc delete aspnet_state @sc ...
  • '<SYSTEM32>\cmd.exe' /c "color b & @sc delete "UWS LoPriv Services" & @sc delete ftnlsv3 & @sc delete ftnlses3 & @sc delete FxService & @sc delete "UtilDev Web Server Pro" & @sc delete ftusbrdwks & @sc delete ftusb...
  • '<SYSTEM32>\cmd.exe' /c "@color b & sc delete MSCRMAsyncService & @sc delete REPLICA & @sc delete RTCATS & @sc delete RTCAVMCU & @sc delete RtcQms & @sc delete RTCMEETINGMCU & @sc delete RTCIMMCU & @sc delete RTCDA...
  • '<SYSTEM32>\cmd.exe' /c "color a & @net stop U8WorkerService1 & @net stop U8WorkerService2 & @net stop "memcached Server" & @net stop Apache2.4 & @net stop UFIDAWebService & @net stop MSComplianceAudit & @net stop ...
  • '<SYSTEM32>\cmd.exe' /c "color a & @net stop HaoZipSvc & @net stop "igfxCUIService2.0.0.0" & @net stop Realtek11nSU & @net stop xenlite & @net stop XenSvc & @net stop Apache2.2 & @net stop "Synology Drive VSS Servi...
  • '<SYSTEM32>\sc.exe' delete "XT800Service_Personal"
  • '<SYSTEM32>\cmd.exe' /c "color a & @net stop UIODetect & @net stop VMwareHostd & @net stop TeamViewer8 & @net stop VMUSBArbService & @net stop VMAuthdService & @net stop wanxiao-monitor & @net stop WebAttendServer ...
  • '<SYSTEM32>\sc.exe' delete SQLSERVERAGENT
  • '<SYSTEM32>\cmd.exe' /c "color b & @sc delete "XT800Service_Personal" & @sc delete SQLSERVERAGENT & @sc delete SQLWriter & @sc delete SQLBrowser & @sc delete MSSQLFDLauncher & @sc delete MSSQLSERVER & @sc delete Qc...
  • '<SYSTEM32>\sc.exe' delete SQLWriter
  • '<SYSTEM32>\sc.exe' delete MSSQLFDLauncher
  • '<SYSTEM32>\sc.exe' delete MSSQLSERVER
  • '<SYSTEM32>\sc.exe' delete QcSoftService
  • '<SYSTEM32>\sc.exe' delete OracleOraDb11g_home1ClrAgent
  • '<SYSTEM32>\sc.exe' delete OracleOraDb11g_home1TNSListener
  • '<SYSTEM32>\sc.exe' delete MSSQLServerOLAPService
  • '<SYSTEM32>\sc.exe' delete OracleVssWriterORCL
  • '<SYSTEM32>\cmd.exe' /c "color e & @taskkill /IM sqlservr.exe /F & @taskkill /IM httpd.exe /F & @taskkill /IM java.exe /F & @taskkill /IM fdhost.exe /F & @taskkill /IM fdlauncher.exe /F & @taskkill /IM reportingser...
  • '<SYSTEM32>\sc.exe' delete OracleServiceORCL
  • '<SYSTEM32>\sc.exe' delete SQLBrowser
  • '<SYSTEM32>\sc.exe' delete EnergyDataService
  • '<SYSTEM32>\net1.exe' stop U8WorkerService2
  • '<SYSTEM32>\net1.exe' stop MSExchangeAntispamUpdate
  • '<SYSTEM32>\cmd.exe' /c "color e & @taskkill /IM pg_ctl.exe /F & @taskkill /IM rcrelay.exe /F & @taskkill /IM SogouImeBroker.exe /F & @taskkill /IM CCenter.exe /F & @taskkill /IM ScanFrm.exe /F & @taskkill /IM d_ma...
  • '<SYSTEM32>\sc.exe' delete "Flash Helper Service"
  • '<SYSTEM32>\sc.exe' delete RTCDATAMCU
  • '<SYSTEM32>\net1.exe' stop xenlite
  • '<SYSTEM32>\net1.exe' stop MSComplianceAudit
  • '<SYSTEM32>\sc.exe' delete wwbizsrv
  • '<SYSTEM32>\net1.exe' stop wanxiao-monitor
  • '<SYSTEM32>\sc.exe' delete RabbitMQ
  • '<SYSTEM32>\net1.exe' stop XenSvc
  • '<SYSTEM32>\sc.exe' delete allpass_redisservice_port21160
  • '<SYSTEM32>\net1.exe' stop VMAuthdService
  • '<SYSTEM32>\net1.exe' stop MSExchangeADTopology
  • '<SYSTEM32>\net1.exe' stop Apache2.2
  • '<SYSTEM32>\sc.exe' delete "Kiwi Syslog Server"
  • '<SYSTEM32>\sc.exe' delete RTCCDR
  • '<SYSTEM32>\sc.exe' delete qemu-ga
  • '<SYSTEM32>\net1.exe' stop "Synology Drive VSS Service x64"
  • '<SYSTEM32>\sc.exe' delete "UWS HiPriv Services"
  • '<SYSTEM32>\sc.exe' delete "AHS SERVICE"
  • '<SYSTEM32>\net1.exe' stop mysqltransport
  • '<SYSTEM32>\sc.exe' delete UIODetect
  • '<SYSTEM32>\net1.exe' stop WebAttendServer
  • '<SYSTEM32>\sc.exe' delete WebAttendServer
  • '<SYSTEM32>\net1.exe' stop UFIDAWebService
  • '<SYSTEM32>\net1.exe' stop Realtek11nSU
  • '<SYSTEM32>\sc.exe' delete RTCATS
  • '<SYSTEM32>\sc.exe' delete UI0Detect
  • '<SYSTEM32>\net1.exe' stop HaoZipSvc
  • '<SYSTEM32>\net1.exe' stop VMwareHostd
  • '<SYSTEM32>\sc.exe' delete RTCAVMCU
  • '<SYSTEM32>\cmd.exe' /c "color e & @taskkill /IM BackupExec.exe /F & @taskkill /IM Att.exe /F & @taskkill /IM mdm.exe /F & @taskkill /IM BackupExecManagementService.exe /F & @taskkill /IM bengine.exe /F & @taskkill...
  • '<SYSTEM32>\net1.exe' stop "memcached Server"
  • '<SYSTEM32>\sc.exe' delete K3MobileService
  • '<SYSTEM32>\sc.exe' delete "ZTE USBIP Client"
  • '<SYSTEM32>\sc.exe' delete TeamViewer
  • '<SYSTEM32>\sc.exe' delete RtcQms
  • '<SYSTEM32>\cmd.exe' /c "color e & @taskkill /IM VBoxSDS.exe /F & @taskkill /IM mysqld.exe /F & @taskkill /IM TeamViewer_Service.exe /F & @taskkill /IM TeamViewer.exe /F & @taskkill /IM CasLicenceServer.exe /F & @t...
  • '<SYSTEM32>\sc.exe' delete RTCMEETINGMCU
  • '<SYSTEM32>\net1.exe' stop TeamViewer8
  • '<SYSTEM32>\net1.exe' stop Apache2.4
  • '<SYSTEM32>\net1.exe' stop "igfxCUIService2.0.0.0"
  • '<SYSTEM32>\sc.exe' delete RTCIMMCU
  • '<SYSTEM32>\sc.exe' delete ReportServer
  • '<SYSTEM32>\net1.exe' stop VMUSBArbService
  • '<SYSTEM32>\sc.exe' delete "ZTE FileTranS"
  • '<SYSTEM32>\sc.exe' delete TCPIDDAService
  • '<SYSTEM32>\sc.exe' delete "wanxiao-monitor"
  • '<SYSTEM32>\net1.exe' stop "OracleOraDb10g_homeliSQL*Plus"

Curing recommendations

  1. If the operating system can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and of all removable media you use. More about Dr.Web Security Space.
  2. If the operating system cannot be loaded, change your computer's BIOS settings so that it boots from a CD/DVD or USB drive. Download the Dr.Web® LiveDisk emergency system recovery disk image, or the utility for writing Dr.Web® LiveDisk to a USB drive, and prepare the appropriate USB drive. Boot the computer from that drive, then run a full scan and cure the detected threats.

Please run a full system scan using Dr.Web Anti-virus for Mac OS.

Please run a full scan of all disk partitions using Dr.Web Anti-virus for Linux.

  1. If your mobile device is operating normally, download and install Dr.Web for Android on it. Run a full scan and follow the recommendations on neutralizing the detected threats.
  2. If the mobile device is locked by a Trojan of the Android.Locker family (a message about a serious violation of the law or a ransom demand is displayed on the device's screen), do the following:
    • boot your smartphone or tablet in safe mode (if you do not know how, consult the mobile device's documentation or contact the manufacturer);
    • then download and install Dr.Web for Android on your mobile device, run a full scan, and follow the recommendations on neutralizing the detected threats;
    • Disconnect your device and reconnect it.

More about Dr.Web for Android