Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'winlogon' = '<SYSTEM32>\comsys.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\System\winlogin.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'clsid' = '<SYSTEM32>\comsys.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '<SYSTEM32>\comsys.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'system32' = '<SYSTEM32>\comsys.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\System\winlogin.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\System\taskmrg.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\System\taskmrg.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'uninst32' = '%WINDIR%\System\winlogin.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'user32' = '%WINDIR%\System\winlogin.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'clsid' = '%WINDIR%\System\winlogin.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'reg32' = '<SYSTEM32>\redegit.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '' = '<SYSTEM32>\redegit.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'uninst32' = '<SYSTEM32>\redegit.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '<SYSTEM32>\redegit.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '<SYSTEM32>\redegit.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '<SYSTEM32>\sysvc32.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'system' = '<SYSTEM32>\sysvc32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '<SYSTEM32>\comsys.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'winlogon' = '<SYSTEM32>\sysvc32.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '<SYSTEM32>\sysvc32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'winlogon' = '<SYSTEM32>\sysvc32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'system32' = '%WINDIR%\System\taskmrg.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'clsid' = '%WINDIR%\System\memory.dat'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'clsid' = '%WINDIR%\System\memory.dat'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\System\memory.dat'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'svchost' = '%WINDIR%\System\debug.dat'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\System\memory.dat'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'sched' = '%WINDIR%\System\memory.dat'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'winlogon' = '%WINDIR%\System\scvhost.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'user32' = '%WINDIR%\System\scvhost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] '' = '%WINDIR%\System\scvhost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\System\scvhost.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\System\scvhost.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\System\sched.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'taskmrg' = '%WINDIR%\System\sched.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\System\sched.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'taskmrg' = '%WINDIR%\System\taskmrg.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'clsid' = '%WINDIR%\System\taskmrg.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'user32' = '%WINDIR%\System\sched.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'svchost' = '%WINDIR%\System\debug.dat'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'system32' = '%WINDIR%\System\debug.dat'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\System\debug.dat'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'cmd' = '%WINDIR%\System\sched.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\System\debug.dat'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'svchost' = '<SYSTEM32>\sched.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '<SYSTEM32>\debug.dat'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'reg32' = '<SYSTEM32>\sched.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '<SYSTEM32>\sched.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'taskmrg' = '<SYSTEM32>\sched.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '<SYSTEM32>\debug.dat'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '<SYSTEM32>\memory.dat'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '<SYSTEM32>\memory.dat'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'winlogon' = '<SYSTEM32>\debug.dat'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'user32' = '<SYSTEM32>\debug.dat'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'reg32' = '<SYSTEM32>\debug.dat'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'uninst32' = '<SYSTEM32>\winlogin.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'system32' = '<SYSTEM32>\winlogin.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'sched' = '<SYSTEM32>\winlogin.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '<SYSTEM32>\winlogin.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '<SYSTEM32>\winlogin.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '<SYSTEM32>\taskmrg.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'taskmrg' = '<SYSTEM32>\taskmrg.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '<SYSTEM32>\sched.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'FF90FA' = '<SYSTEM32>\taskmrg.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '<SYSTEM32>\taskmrg.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'FF90FA' = '<SYSTEM32>\taskmrg.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'svchost' = '<SYSTEM32>\memory.dat'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'user32' = '<SYSTEM32>\bootchk.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'user32' = '<SYSTEM32>\bootchk.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '<SYSTEM32>\bootchk.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'reg32' = '<SYSTEM32>\windat32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '<SYSTEM32>\bootchk.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'svchost' = '<SYSTEM32>\bootchk.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'taskmrg' = '<SYSTEM32>\uninst32.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'reg32' = '<SYSTEM32>\uninst32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'uninst32' = '<SYSTEM32>\uninst32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '<SYSTEM32>\uninst32.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '<SYSTEM32>\uninst32.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '<SYSTEM32>\scvhost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'system32' = '<SYSTEM32>\scvhost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '<SYSTEM32>\scvhost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'reg32' = '<SYSTEM32>\memory.dat'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'bootchk' = '<SYSTEM32>\memory.dat'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'clsid' = '<SYSTEM32>\scvhost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'system' = '<SYSTEM32>\windat32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'sched' = '<SYSTEM32>\windat32.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '<SYSTEM32>\windat32.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'winlogon' = '<SYSTEM32>\scvhost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '<SYSTEM32>\windat32.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'winlogon' = '%WINDIR%\scvhost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\windat32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'user32' = '%WINDIR%\scvhost.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\scvhost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] '' = '%WINDIR%\scvhost.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\windat32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\bootchk.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\bootchk.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'cmd' = '%WINDIR%\windat32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'clsid' = '%WINDIR%\windat32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'uninst32' = '%WINDIR%\windat32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'clsid' = '%WINDIR%\debug.dat'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'taskmrg' = '%WINDIR%\debug.dat'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'bootchk' = '%WINDIR%\debug.dat'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\debug.dat'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\debug.dat'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\memory.dat'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'taskmrg' = '%WINDIR%\memory.dat'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\scvhost.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'cmd' = '%WINDIR%\memory.dat'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\memory.dat'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'system' = '%WINDIR%\memory.dat'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'reg32' = '%WINDIR%\bootchk.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'bootchk' = '%WINDIR%\sysvc32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'bootchk' = '%WINDIR%\sysvc32.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\sysvc32.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'sched' = '%WINDIR%\redegit.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\sysvc32.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'user32' = '%WINDIR%\sysvc32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'bootchk' = '%WINDIR%\comsys.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'FF90FA' = '%WINDIR%\comsys.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'winlogon' = '%WINDIR%\comsys.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\comsys.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\comsys.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\uninst32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'clsid' = '%WINDIR%\uninst32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\uninst32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'winlogon' = '%WINDIR%\bootchk.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'winlogon' = '%WINDIR%\bootchk.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'uninst32' = '%WINDIR%\uninst32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'user32' = '%WINDIR%\redegit.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'reg32' = '%WINDIR%\redegit.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\redegit.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'bootchk' = '%WINDIR%\uninst32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\redegit.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'user32' = '%WINDIR%\System\uninst32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\System\redegit.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'reg32' = '%WINDIR%\System\uninst32.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\System\uninst32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'cmd' = '%WINDIR%\System\uninst32.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\System\redegit.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\System\sysvc32.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\System\sysvc32.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'svchost' = '%WINDIR%\System\redegit.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'user32' = '%WINDIR%\System\redegit.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'bootchk' = '%WINDIR%\System\redegit.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'system32' = '%WINDIR%\System\windat32.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'FF90FA' = '%WINDIR%\System\windat32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'reg32' = '%WINDIR%\System\windat32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\System\windat32.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\System\windat32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\System\bootchk.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'winlogon' = '%WINDIR%\System\bootchk.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\System\uninst32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'system32' = '%WINDIR%\System\bootchk.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\System\bootchk.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'uninst32' = '%WINDIR%\System\bootchk.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'FF90FA' = '%WINDIR%\System\sysvc32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'system' = '%WINDIR%\taskmrg.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'user32' = '%WINDIR%\taskmrg.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\taskmrg.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'reg32' = '%WINDIR%\winlogin.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\taskmrg.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'svchost' = '%WINDIR%\taskmrg.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'cmd' = '%WINDIR%\sched.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'svchost' = '%WINDIR%\sched.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'user32' = '%WINDIR%\sched.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\sched.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\sched.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\System\comsys.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'system' = '%WINDIR%\System\comsys.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\System\comsys.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'sched' = '%WINDIR%\System\sysvc32.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'winlogon' = '%WINDIR%\System\sysvc32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'winlogon' = '%WINDIR%\System\comsys.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 'FF90FA' = '%WINDIR%\winlogin.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'cmd' = '%WINDIR%\winlogin.exe'
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '%WINDIR%\winlogin.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'bootchk' = '%WINDIR%\System\comsys.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] 'Shell' = '%WINDIR%\winlogin.exe'
- hidden files
- <SYSTEM32>\comsys.exe
- %WINDIR%\system\winlogin.exe
- <SYSTEM32>\redegit.exe
- <SYSTEM32>\sysvc32.exe
- %WINDIR%\system\taskmrg.exe
- %WINDIR%\system\memory.dat
- %WINDIR%\system\scvhost.exe
- %WINDIR%\system\sched.exe
- %WINDIR%\system\debug.dat
- <SYSTEM32>\sched.exe
- <SYSTEM32>\debug.dat
- <SYSTEM32>\winlogin.exe
- <SYSTEM32>\taskmrg.exe
- <SYSTEM32>\memory.dat
- <SYSTEM32>\bootchk.exe
- <SYSTEM32>\uninst32.exe
- <SYSTEM32>\scvhost.exe
- <SYSTEM32>\windat32.exe
- %WINDIR%\scvhost.exe
- %WINDIR%\windat32.exe
- %WINDIR%\debug.dat
- %WINDIR%\memory.dat
- %WINDIR%\bootchk.exe
- %WINDIR%\sysvc32.exe
- %WINDIR%\comsys.exe
- %WINDIR%\uninst32.exe
- %WINDIR%\redegit.exe
- %WINDIR%\system\uninst32.exe
- %WINDIR%\system\redegit.exe
- %WINDIR%\system\windat32.exe
- %WINDIR%\system\bootchk.exe
- %WINDIR%\system\sysvc32.exe
- %WINDIR%\taskmrg.exe
- %WINDIR%\sched.exe
- %WINDIR%\system\comsys.exe
- %WINDIR%\winlogin.exe
- '72.##.71.220':25
- '11#.#11.111.1':25
- DNS ASK 72.##.71.220
Curing recommendations
- If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
- If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.
After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.
- If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
- If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
- Boot your smartphone or tablet in safe mode (depending on the operating system version and the specifications of the particular mobile device, this procedure can be performed in various ways; consult the user guide that was shipped with the device, or contact its manufacturer);
- Once safe mode is active, install Dr.Web for Android on the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
- Switch off your device and turn it on as normal.