ユーザー向け情報

閉じる

マイライブラリ
マイライブラリ

+ マイライブラリに追加

検索
検索

電話
テクニカルサポート利用方法

問い合わせ

新規お問い合わせ

電話(英語)

+7 (495) 789-45-86

フォーラム(英語)

お問い合わせ履歴

新規お問い合わせ

電話(英語)

+7 (495) 789-45-86

Profile

JP

RU CN DE EN ES FR IT JP KZ UZ PL BY
閉じる
サービス
スキャナー
Dr.Web vxCube
トライアル
ウイルスライブラリ
ナレッジベース

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

ニュース

Trojan.StartPage1.58329

Added to the Dr.Web virus database: 2019-10-28

Virus description added:

Technical Information

To ensure autorun and distribution
Creates or modifies the following files
  • <SYSTEM32>\tasks\59643
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini
Creates the following services
  • [<HKLM>\system\currentcontrolset\services\TermService\parameters] 'ServiceDLL' = '%ProgramFiles%\windows mail\appcache.xml'
  • [<HKLM>\System\CurrentControlSet\Services\TermService] 'Start' = '00000002'
Changes the following executable system files
  • <SYSTEM32>\unregmp2.exe
Malicious functions
To complicate detection of its presence in the operating system,
forces the system hide from view:
  • hidden files
  • file extensions
Modifies settings of Windows Internet Explorer
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings] 'WarnOnPost' = '{01,00,00,00}'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'PMDisplayName' = 'Internet [Protected Mode]'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'Description' = 'This zone contains all Web sites you haven't...
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'Icon' = 'inetcpl.cpl#001313'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'LowIcon' = 'inetcpl.cpl#005425'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'CurrentLevel' = '00011500'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'Flags' = '00000001'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '' = ''
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'DisplayName' = 'Restricted sites'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'PMDisplayName' = 'Restricted sites [Protected Mode]'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'Description' = 'This zone contains Web sites that could pote...
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'Icon' = 'inetcpl.cpl#00004481'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'LowIcon' = 'inetcpl.cpl#005426'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'CurrentLevel' = '00012000'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] 'Flags' = '00000003'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '1200' = '00000000'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '2007' = '00010000'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1200' = '00000000'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1200' = '00000000'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1200' = '00000003'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1400' = '00000000'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '1400' = '00000000'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1400' = '00000000'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1400' = '00000000'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '2500' = '00000003'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'DisplayName' = 'Computer'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'PMDisplayName' = 'Computer [Protected Mode]'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings] 'WarnonZoneCrossing' = '00000000'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '2007' = '00000003'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '2007' = '00010000'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '2007' = '00010000'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'DisplayName' = 'Internet'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '1200' = '00000000'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '' = ''
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'CurrentLevel' = '00000000'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1400' = '00000003'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1C00' = '00000000'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '{AEBA21FA-782A-4A90-978D-B72164C80120}' = '{1a,37,61,59,23,5...
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1A10' = '00000001'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '{A8A88C49-5EB2-4990-A1A2-0876022C854F}' = '{1a,37,61,59,23,5...
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '{AEBA21FA-782A-4A90-978D-B72164C80120}' = '{1a,37,61,59,23,5...
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1A10' = '00000003'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '{A8A88C49-5EB2-4990-A1A2-0876022C854F}' = '{1a,37,61,59,23,5...
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] '' = ''
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'DisplayName' = 'My Computer'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'PMDisplayName' = 'My Computer [Protected Mode]'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'Description' = 'Your computer'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'Icon' = 'shell32.dll#0016'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'LowIcon' = 'inetcpl.cpl#005422'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] 'Flags' = '00000021'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'CurrentLevel' = '00011000'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '' = ''
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'DisplayName' = 'Local intranet'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'PMDisplayName' = 'Local intranet [Protected Mode]'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'Description' = 'This zone contains all Web sites that are on...
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'Icon' = 'shell32.dll#0018'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'LowIcon' = 'inetcpl.cpl#005423'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'CurrentLevel' = '00010500'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] 'Flags' = '00000143'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '' = ''
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'DisplayName' = 'Trusted sites'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'PMDisplayName' = 'Trusted sites [Protected Mode]'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'Description' = 'This zone contains Web sites that you trust ...
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'Icon' = 'inetcpl.cpl#00004480'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'LowIcon' = 'inetcpl.cpl#005424'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] 'Flags' = '00000047'
  • [\REGISTRY\USER\S-1-5-21-1960123792-2022915161-3775307078-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '2007' = '00000003'
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system
Creates the following files
  • %TEMP%\nshe2e6.tmp
  • C:\users\wgautilacc\favorites\microsoft websites\microsoft store.url
  • C:\users\wgautilacc\favorites\windows live\get windows live.url
  • C:\users\wgautilacc\favorites\windows live\windows live gallery.url
  • C:\users\wgautilacc\favorites\windows live\windows live spaces.url
  • C:\users\wgautilacc\favorites\windows live\windows live mail.url
  • C:\users\wgautilacc\favorites\msn websites\msn autos.url
  • C:\users\wgautilacc\appdata\local\microsoft\internet explorer\brndlog.txt
  • C:\users\wgautilacc\favorites\msn websites\msn entertainment.url
  • C:\users\wgautilacc\favorites\msn websites\msnbc news.url
  • C:\users\wgautilacc\favorites\msn websites\msn sports.url
  • C:\users\wgautilacc\favorites\msn websites\msn.url
  • C:\users\wgautilacc\favorites\microsoft websites\microsoft at work.url
  • C:\users\wgautilacc\favorites\microsoft websites\microsoft at home.url
  • C:\users\wgautilacc\favorites\microsoft websites\ie add-on site.url
  • C:\users\wgautilacc\favorites\msn websites\msn money.url
  • C:\users\wgautilacc\favorites\microsoft websites\ie site on microsoft.com.url
  • C:\users\wgautilacc\favorites\links\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\windows\<INETFILES>\content.ie5\wf5fc7ae\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\feeds cache\vy5w1piv\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\feeds cache\kawh1y9m\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\feeds cache\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\feeds cache\index.dat
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\ietldcache\index.dat
  • C:\users\wgautilacc\appdata\local\microsoft\windows\history\history.ie5\index.dat
  • C:\users\wgautilacc\appdata\local\microsoft\windows\<INETFILES>\content.ie5\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\windows\<INETFILES>\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\windows\<INETFILES>\content.ie5\2h4gdlev\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\windows\<INETFILES>\content.ie5\uff8gtgb\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\windows\<INETFILES>\content.ie5\mt81bxl0\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\windows\<INETFILES>\content.ie5\index.dat
  • C:\users\wgautilacc\appdata\local\microsoft\windows\history\history.ie5\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\windows\history\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\cookies\index.dat
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\internet explorer.lnk
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\internet explorer (no add-ons).lnk
  • C:\users\wgautilacc\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\google chrome.lnk
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\documents.library-ms
  • C:\users\wgautilacc\documents\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\desktop.ini
  • C:\users\wgautilacc\music\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\recent\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\desktop.ini
  • C:\users\wgautilacc\desktop\desktop.ini
  • C:\users\wgautilacc\pictures\desktop.ini
  • C:\users\wgautilacc\videos\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\media player\localmls_3.wmdb
  • C:\users\wgautilacc\appdata\local\microsoft\media player\currentdatabase_372.wmdb
  • C:\users\wgautilacc\appdata\local\microsoft\windows media\12.0\wmsdknsd.xml
  • C:\users\wgautilacc\favorites\desktop.ini
  • C:\users\wgautilacc\searches\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\~ocuments.tmp
  • C:\users\wgautilacc\downloads\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\internet explorer\quick launch\google chrome.lnk
  • C:\users\wgautilacc\saved games\desktop.ini
  • C:\users\wgautilacc\appdata\local\temp\chrome_installer.log
  • C:\users\wgautilacc\links\downloads.lnk
  • C:\users\wgautilacc\links\desktop.lnk
  • C:\users\wgautilacc\links\recentplaces.lnk
  • C:\users\wgautilacc\searches\everywhere.search-ms
  • C:\users\wgautilacc\searches\indexed locations.search-ms
  • C:\users\wgautilacc\links\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\pictures.library-ms
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\~usic.tmp
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\music.library-ms
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\~ideos.tmp
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\videos.library-ms
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\administrative tools\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\~ictures.tmp
  • C:\users\wgautilacc\appdata\local\microsoft\feeds cache\9za16v6u\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\feeds cache\w1wtk07j\desktop.ini
  • C:\users\wgautilacc\appdata\local\temp\~dfd004c485a8d84b9e.tmp
  • C:\users\wgautilacc\appdata\local\temp\~df9cec9a7b6d51065c.tmp
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\recent\customdestinations\39x30r8cna48okb6j2al.temp
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\recent\customdestinations\82y1zom1cfy9ziztgugh.temp
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\recent\automaticdestinations\1b4dd67f29cb1962.automaticdestinations-ms
  • C:\users\wgautilacc\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\windows media player.lnk
  • C:\users\wgautilacc\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\windows explorer.lnk
  • C:\users\wgautilacc\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\internet explorer.lnk
  • C:\users\wgautilacc\appdata\local\microsoft\windows\burn\burn\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\desktop.ini
  • C:\users\wgautilacc\appdata\local\temp\www3259.tmp
  • C:\users\wgautilacc\appdata\local\temp\www3248.tmp
  • C:\users\wgautilacc\appdata\local\microsoft\internet explorer\brndlog.bak
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\internet explorer (64-bit).lnk
  • C:\users\wgautilacc\appdata\local\temp\rgi1500.tmp
  • C:\users\wgautilacc\appdata\local\temp\rgi1482.tmp
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\recent\customdestinations\bujewm0v5q1hv1z5clxn.temp
  • C:\users\wgautilacc\appdata\local\microsoft\windows\explorer\thumbcache_32.db
  • C:\users\wgautilacc\appdata\local\microsoft\windows\explorer\thumbcache_96.db
  • C:\users\wgautilacc\appdata\local\microsoft\windows\explorer\thumbcache_256.db
  • C:\users\wgautilacc\appdata\local\temp\~dfac8d955564f72369.tmp
  • C:\users\wgautilacc\appdata\local\temp\~df321bb1e6cdd0dd54.tmp
  • C:\users\wgautilacc\appdata\local\temp\~df6bb22e62f3dbdfb3.tmp
  • C:\users\wgautilacc\appdata\local\temp\~df53d09a36256e091c.tmp
  • C:\users\wgautilacc\appdata\local\temp\~dfe49dfe6154daad69.tmp
  • C:\users\wgautilacc\appdata\local\temp\~df77ab5e18271b1fe1.tmp
  • C:\users\wgautilacc\appdata\local\temp\~dfecf488db10ee063c.tmp
  • C:\users\wgautilacc\appdata\local\temp\~df6fea5c0f6635e80a.tmp
  • C:\users\wgautilacc\appdata\local\temp\~df31ade8862a8ae211.tmp
  • C:\users\wgautilacc\appdata\local\temp\~df97dfd43890381287.tmp
  • C:\users\wgautilacc\appdata\local\temp\~dfbae36bd3628c9681.tmp
  • C:\users\wgautilacc\appdata\local\temp\~dfd5b14036a0ec9964.tmp
  • C:\users\wgautilacc\appdata\local\microsoft\windows\explorer\thumbcache_idx.db
  • C:\users\wgautilacc\appdata\local\microsoft\windows\explorer\thumbcache_sr.db
  • C:\users\wgautilacc\appdata\local\microsoft\windows\explorer\thumbcache_1024.db
  • C:\users\wgautilacc\appdata\local\temp\rgi1442.tmp
  • C:\users\wgautilacc\appdata\local\temp\rgi13e3.tmp
  • C:\users\wgautilacc\appdata\local\temp\rgi1422.tmp
  • C:\users\wgautilacc\appdata\local\temp\www10d6.tmp
  • C:\users\wgautilacc\appdata\local\temp\~dfff2e90b3029bef30.tmp
  • C:\users\wgautilacc\appdata\local\microsoft\feeds\microsoft feeds~\microsoft at work~.feed-ms
  • C:\users\wgautilacc\appdata\local\temp\~df58c0495c23bc91eb.tmp
  • C:\users\wgautilacc\appdata\local\temp\~df28841ce2392bbb51.tmp
  • C:\users\wgautilacc\appdata\local\temp\~df2a866051dcc2ba92.tmp
  • C:\users\wgautilacc\appdata\local\temp\~dfca7b6d441b86675e.tmp
  • C:\users\wgautilacc\appdata\local\temp\~dfcc04b3815e7a1ab7.tmp
  • C:\users\wgautilacc\appdata\local\temp\~dfc04dd0bdbdda9d13.tmp
  • C:\users\wgautilacc\appdata\local\temp\~dff74e55f7703d4b4f.tmp
  • C:\users\wgautilacc\appdata\local\temp\~df66c9a27a7053802a.tmp
  • C:\users\wgautilacc\appdata\local\microsoft\feeds\feedsstore.feedsdb-ms
  • C:\users\wgautilacc\appdata\local\temp\~df3e81da9e09cdb560.tmp
  • C:\users\wgautilacc\appdata\local\temp\~dfd98265079ef8e88f.tmp
  • C:\users\wgautilacc\appdata\local\microsoft\feeds\microsoft feeds~\microsoft at home~.feed-ms
  • C:\users\wgautilacc\appdata\local\temp\~df9544678f2091f0c5.tmp
  • C:\users\wgautilacc\appdata\local\temp\~dfdb01ee9fd6ce5cda.tmp
  • C:\users\wgautilacc\appdata\local\temp\~dfb1ee9b5a05ee5169.tmp
  • C:\users\wgautilacc\appdata\local\temp\~df0fac3035fe4c86c5.tmp
  • C:\users\wgautilacc\appdata\local\temp\www10d5.tmp
  • C:\users\wgautilacc\appdata\local\temp\~df6ace819c177f7346.tmp
  • C:\users\wgautilacc\appdata\local\temp\~df5f6090abf438ffda.tmp
  • C:\users\wgautilacc\appdata\local\temp\~dfcadda8fd162d9f2f.tmp
  • C:\users\wgautilacc\appdata\local\temp\~df82fd402f856f1a0b.tmp
  • C:\users\wgautilacc\appdata\local\microsoft\feeds\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\webslices~\web slice gallery~.feed-ms
  • C:\users\wgautilacc\appdata\local\temp\~dff094a0eb23985a63.tmp
  • C:\users\wgautilacc\appdata\local\temp\~df6ebc0726e6e4c672.tmp
  • C:\users\wgautilacc\favorites\links\web slice gallery.url
  • C:\users\wgautilacc\appdata\local\temp\~df64126a35fa98de14.tmp
  • C:\users\wgautilacc\appdata\local\temp\~df01b6a09d35974f13.tmp
  • C:\users\wgautilacc\appdata\local\temp\~dfcad7fc110dde388b.tmp
  • C:\users\wgautilacc\appdata\local\temp\~df33069c4533ca35cb.tmp
  • C:\users\wgautilacc\appdata\local\microsoft\feeds\microsoft feeds~\msnbc news~.feed-ms
  • C:\users\wgautilacc\appdata\local\temp\~df0a6a2eb6a3fcc460.tmp
  • C:\users\wgautilacc\appdata\local\temp\~df74291009ad959cf3.tmp
  • C:\users\wgautilacc\appdata\local\microsoft\windows media\12.0\wmsdkns.xml.bak
  • C:\users\wgautilacc\appdata\local\microsoft\windows media\12.0\wmsdkns.dtd
  • C:\users\wgautilacc\appdata\local\microsoft\windows media\12.0\wmsdkns.xml
  • <SYSTEM32>\spool\drivers\x64\{f631e2e7-1a30-4ec5-8272-524ed8e5f9c1}\setbecd.tmp
  • C:\users\wgautilacc\appdata\local\temp\rgiaddb.tmp
  • C:\users\wgautilacc\appdata\local\temp\rgiad2e.tmp
  • C:\users\wgautilacc\appdata\local\temp\rgiacee.tmp
  • C:\users\wgautilacc\appdata\local\temp\rgiac51.tmp
  • C:\users\wgautilacc\appdata\local\temp\rgiac02.tmp
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\accessories\run.lnk
  • C:\users\wgautilacc\appdata\local\temp\rgiaba3.tmp
  • \device\termdd
  • C:\users\wgautilacc\ntuser.pol
  • C:\users\wgautilacc\ntuser.dat.log1
  • C:\users\wgautilacc\appdata\local\microsoft\windows\usrclass.dat
  • C:\users\wgautilacc\appdata\local\microsoft\windows\usrclass.dat.log1
  • C:\users\wgautilacc\ntuser.ini
  • C:\users\wgautilacc\appdata\local\microsoft\windows\explorer\explorerstartuplog.etl
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\accessories\windows explorer.lnk
  • <SYSTEM32>\spool\drivers\x64\{f631e2e7-1a30-4ec5-8272-524ed8e5f9c1}\setbeee.tmp
  • D:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1006\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\edb.log
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\edbres00002.jrs
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\edbres00001.jrs
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\edbtmp.log
  • C:\users\wgautilacc\appdata\local\temp\wgautilacc.bmp
  • C:\users\wgautilacc\contacts\wgautilacc.contact
  • <SYSTEM32>\spool\drivers\x64\{f631e2e7-1a30-4ec5-8272-524ed8e5f9c1}\setbf1f.tmp
  • <SYSTEM32>\spool\drivers\x64\{f631e2e7-1a30-4ec5-8272-524ed8e5f9c1}\setbefe.tmp
  • C:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1006\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\themes\transcodedwallpaper.jpg
  • <SYSTEM32>\spool\drivers\x64\3\new\tsprint-pipelineconfig.xml
  • <SYSTEM32>\spool\drivers\x64\3\new\tsprint-datafile.dat
  • <SYSTEM32>\spool\drivers\x64\3\new\tsprint.dll
  • <SYSTEM32>\spool\drivers\x64\{f631e2e7-1a30-4ec5-8272-524ed8e5f9c1}\setbf6e.tmp
  • C:\users\wgautilacc\contacts\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\accessories\command prompt.lnk
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\accessories\notepad.lnk
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\accessories\desktop.ini
  • %PROGRAMDATA%\microsoft\crypto\rsa\machinekeys\f686aace6942fb7f7ceb231212eef4a4_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
  • <SYSTEM32>\microsoft\protect\s-1-5-20\preferred
  • <SYSTEM32>\microsoft\protect\s-1-5-20\f9ebfdbe-fb9d-4475-a23a-216053b8559c
  • %WINDIR%\temp\usrnm.txt
  • <SYSTEM32>\rfxvmt.dll
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\maintenance\help.lnk
  • %ProgramFiles%\windows mail\cleanuptask.cfg
  • %ProgramFiles%\windows mail\appcache.xml
  • %TEMP%\nshe2e7.tmp\system.dll
  • %TEMP%\add.ps1
  • %TEMP%\premiumextradjjdvqwohl.ps1
  • %TEMP%\chadshfsd323.txt
  • %TEMP%\nshe2e7.tmp\blowfish.dll
  • %ProgramFiles%\windows mail\default_list.xml
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\maintenance\desktop.ini
  • C:\users\wgautilacc\ntuser.dat
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\private character editor.lnk
  • C:\users\wgautilacc\appdata\roaming\microsoft\internet explorer\quick launch\window switcher.lnk
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\sendto\fax recipient.lnk
  • C:\users\wgautilacc\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\internet explorer\quick launch\shows desktop.lnk
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\sendto\compressed (zipped) folder.zfsendtotarget
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\sendto\desktop (create shortcut).desklink
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\sendto\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\sendto\mail recipient.mapimail
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\narrator.lnk
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\ease of access.lnk
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\magnify.lnk
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\on-screen keyboard.lnk
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\control panel.lnk
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\computer.lnk
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\tmp.edb
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\edb.chk
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\windowsmail.msmessagestore
  • C:\users\wgautilacc\appdata\roaming\microsoft\protect\credhist
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\stars.htm
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\softblue.jpg
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\soft blue.htm
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\small_news.jpg
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\shorthand.emf
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\shadesofblue.jpg
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\stars.jpg
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\shades of blue.htm
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\sand_paper.jpg
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\roses.jpg
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\roses.htm
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\psychedelic.jpg
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\pretty_peacock.jpg
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\pine_lumber.jpg
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\seyes.emf
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\stucco.gif
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\tanspecks.jpg
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\tiki.gif
  • C:\users\wgautilacc\appdata\local\microsoft\media player\sync playlists\en-us\0010eb0e\11_all_pictures.wpl
  • C:\users\wgautilacc\appdata\local\microsoft\media player\sync playlists\en-us\0010eb0e\10_all_music.wpl
  • C:\users\wgautilacc\appdata\local\microsoft\media player\sync playlists\en-us\0010eb0e\09_music_played_the_most.wpl
  • C:\users\wgautilacc\appdata\local\microsoft\media player\sync playlists\en-us\0010eb0e\08_video_rated_at_4_or_5_stars.wpl
  • C:\users\wgautilacc\appdata\local\microsoft\media player\sync playlists\en-us\0010eb0e\07_tv_recorded_in_the_last_week.wpl
  • C:\users\wgautilacc\appdata\local\microsoft\media player\sync playlists\en-us\0010eb0e\06_pictures_rated_4_or_5_stars.wpl
  • C:\users\wgautilacc\appdata\local\microsoft\media player\sync playlists\en-us\0010eb0e\05_pictures_taken_in_the_last_month.wpl
  • C:\users\wgautilacc\appdata\local\microsoft\media player\sync playlists\en-us\0010eb0e\04_music_played_in_the_last_month.wpl
  • C:\users\wgautilacc\appdata\local\microsoft\media player\sync playlists\en-us\0010eb0e\03_music_rated_at_4_or_5_stars.wpl
  • C:\users\wgautilacc\appdata\local\microsoft\media player\sync playlists\en-us\0010eb0e\02_music_added_in_the_last_month.wpl
  • C:\users\wgautilacc\appdata\local\microsoft\media player\sync playlists\en-us\0010eb0e\01_music_auto_rated_at_5_stars.wpl
  • C:\users\wgautilacc\appdata\local\temp\wmsetup.log
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\wrinkled_paper.gif
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\white_chocolate.jpg
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\to_do_list.emf
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\peacock.jpg
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\orangecircles.jpg
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\peacock.htm
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\orange circles.htm
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\cave_drawings.gif
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\blue_gradient.jpg
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\bears.jpg
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\bears.htm
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\oeold.xml
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\account{07f04b33-8ac1-44c8-9e6c-6960eb9b304e}.oeaccount
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\connectivity.gif
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\account{133b540b-fd4c-48a6-81fb-c1bd3db68074}.oeaccount
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\backup\temp\windowsmail.pat
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\backup\temp\edb00001.log
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\windowsmail.pat
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\backup\temp\windowsmail.msmessagestore
  • C:\users\wgautilacc\appdata\roaming\microsoft\protect\s-1-5-21-1960123792-2022915161-3775307078-1006\preferred
  • C:\users\wgautilacc\appdata\roaming\microsoft\protect\s-1-5-21-1960123792-2022915161-3775307078-1006\ce009c06-1a9b-4fdf-b25c-fed2fff847d4
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\account{b37872b1-4ed3-4f38-bf8f-920255c3d070}.oeaccount
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\dotted_lines.emf
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\garden.htm
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\notebook.jpg
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\music.emf
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\month_calendar.emf
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\monet.jpg
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\memo.emf
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\handprints.jpg
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\hand prints.htm
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\grid_(inch).wmf
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\grid_(cm).wmf
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\greenbubbles.jpg
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\green bubbles.htm
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\graph.emf
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\genko_2.emf
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\genko_1.emf
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\stationery\garden.jpg
  • C:\users\wgautilacc\appdata\local\microsoft\media player\sync playlists\en-us\0010eb0e\12_all_video.wpl
  • C:\users\wgautilacc\appdata\local\temp\~df95efd0cb61306fe4.tmp
Sets the 'hidden' attribute to the following files
  • C:\users\wgautilacc\ntuser.dat
  • C:\users\wgautilacc\favorites\links\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\windows\<INETFILES>\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\windows\<INETFILES>\content.ie5\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\windows\<INETFILES>\content.ie5\mt81bxl0\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\windows\<INETFILES>\content.ie5\uff8gtgb\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\windows\<INETFILES>\content.ie5\2h4gdlev\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\windows\<INETFILES>\content.ie5\wf5fc7ae\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\feeds cache\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\feeds cache\kawh1y9m\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\feeds cache\vy5w1piv\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\feeds cache\9za16v6u\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\feeds cache\w1wtk07j\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\windows\history\desktop.ini
  • C:\users\wgautilacc\saved games\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\desktop.ini
  • C:\users\wgautilacc\links\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\administrative tools\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini
  • C:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1006\desktop.ini
  • D:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1006\desktop.ini
  • C:\users\wgautilacc\contacts\desktop.ini
  • C:\users\wgautilacc\videos\desktop.ini
  • C:\users\wgautilacc\pictures\desktop.ini
  • C:\users\wgautilacc\desktop\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\windows\history\history.ie5\desktop.ini
  • C:\users\wgautilacc\favorites\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\desktop.ini
  • C:\users\wgautilacc\documents\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\desktop.ini
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\recent\desktop.ini
  • C:\users\wgautilacc\searches\desktop.ini
  • C:\users\wgautilacc\downloads\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\windows\usrclass.dat
  • C:\users\wgautilacc\music\desktop.ini
  • C:\users\wgautilacc\appdata\local\microsoft\windows\burn\burn\desktop.ini
Deletes the following files
  • %TEMP%\nshe2e7.tmp\blowfish.dll
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\music.library-ms~rf10fcff.tmp
  • C:\users\wgautilacc\appdata\local\temp\www10d5.tmp
  • C:\users\wgautilacc\appdata\local\temp\www10d6.tmp
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\internet explorer.lnk
  • C:\users\wgautilacc\appdata\local\temp\rgi13e3.tmp
  • C:\users\wgautilacc\appdata\local\temp\rgi1422.tmp
  • C:\users\wgautilacc\appdata\local\temp\rgi1482.tmp
  • C:\users\wgautilacc\appdata\local\temp\www3248.tmp
  • C:\users\wgautilacc\appdata\local\temp\rgi1500.tmp
  • C:\users\wgautilacc\appdata\local\microsoft\media player\localmls_3.wmdb
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\music.library-ms~rf112911.tmp
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\videos.library-ms~rf112930.tmp
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\documents.library-ms~rf11293f.tmp
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\pictures.library-ms~rf11294f.tmp
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\videos.library-ms~rf10fce0.tmp
  • C:\users\wgautilacc\appdata\local\temp\rgi1442.tmp
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\pictures.library-ms~rf10fcb1.tmp
  • C:\users\wgautilacc\appdata\local\temp\rgiad2e.tmp
  • %TEMP%\nshe2e7.tmp\system.dll
  • %TEMP%\chadshfsd323.txt
  • C:\users\wgautilacc\appdata\local\temp\rgiaba3.tmp
  • C:\users\wgautilacc\appdata\local\temp\rgiac02.tmp
  • C:\users\wgautilacc\appdata\local\temp\rgiac51.tmp
  • C:\users\wgautilacc\appdata\local\temp\rgiacee.tmp
  • C:\users\wgautilacc\appdata\local\temp\rgiaddb.tmp
  • C:\users\wgautilacc\appdata\local\microsoft\windows media\12.0\wmsdknsd.xml
  • <SYSTEM32>\spool\drivers\x64\{f631e2e7-1a30-4ec5-8272-524ed8e5f9c1}\mxdwdrv.dll
  • <SYSTEM32>\spool\drivers\x64\{f631e2e7-1a30-4ec5-8272-524ed8e5f9c1}\tsprint-datafile.dat
  • <SYSTEM32>\spool\drivers\x64\{f631e2e7-1a30-4ec5-8272-524ed8e5f9c1}\tsprint-pipelineconfig.xml
  • <SYSTEM32>\spool\drivers\x64\{f631e2e7-1a30-4ec5-8272-524ed8e5f9c1}\tsprint.dll
  • <SYSTEM32>\spool\drivers\x64\{f631e2e7-1a30-4ec5-8272-524ed8e5f9c1}\xpssvcs.dll
  • C:\users\wgautilacc\appdata\local\microsoft\windows media\12.0\wmsdkns.xml.bak
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\documents.library-ms~rf10fc73.tmp
  • C:\users\wgautilacc\appdata\local\temp\www3259.tmp
Moves the following files
  • from <SYSTEM32>\spool\drivers\x64\{f631e2e7-1a30-4ec5-8272-524ed8e5f9c1}\setbecd.tmp to <SYSTEM32>\spool\drivers\x64\{f631e2e7-1a30-4ec5-8272-524ed8e5f9c1}\tsprint.dll
  • from C:\users\wgautilacc\appdata\roaming\microsoft\windows\recent\customdestinations\bujewm0v5q1hv1z5clxn.temp to C:\users\wgautilacc\appdata\roaming\microsoft\windows\recent\customdestinations\5afe4de1b92fc382.customdestinations-ms
  • from C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\pictures.library-ms to C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\pictures.library-ms~rf11294f.tmp
  • from C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\documents.library-ms to C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\documents.library-ms~rf11293f.tmp
  • from C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\videos.library-ms to C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\videos.library-ms~rf112930.tmp
  • from C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\music.library-ms to C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\music.library-ms~rf112911.tmp
  • from C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\music.library-ms to C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\music.library-ms~rf10fcff.tmp
  • from C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\videos.library-ms to C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\videos.library-ms~rf10fce0.tmp
  • from C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\pictures.library-ms to C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\pictures.library-ms~rf10fcb1.tmp
  • from C:\users\wgautilacc\appdata\roaming\microsoft\windows\recent\customdestinations\82y1zom1cfy9ziztgugh.temp to C:\users\wgautilacc\appdata\roaming\microsoft\windows\recent\customdestinations\1b4dd67f29cb1962.customdestinations-ms
  • from C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\documents.library-ms to C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\documents.library-ms~rf10fc73.tmp
  • from C:\users\wgautilacc\appdata\local\microsoft\windows mail\edbtmp.log to C:\users\wgautilacc\appdata\local\microsoft\windows mail\edb.log
  • from <SYSTEM32>\spool\drivers\x64\3\new\tsprint-pipelineconfig.xml to <SYSTEM32>\spool\drivers\x64\3\tsprint-pipelineconfig.xml
  • from <SYSTEM32>\spool\drivers\x64\3\new\tsprint-datafile.dat to <SYSTEM32>\spool\drivers\x64\3\tsprint-datafile.dat
  • from <SYSTEM32>\spool\drivers\x64\3\new\tsprint.dll to <SYSTEM32>\spool\drivers\x64\3\tsprint.dll
  • from <SYSTEM32>\spool\drivers\x64\{f631e2e7-1a30-4ec5-8272-524ed8e5f9c1}\setbf6e.tmp to <SYSTEM32>\spool\drivers\x64\{f631e2e7-1a30-4ec5-8272-524ed8e5f9c1}\xpssvcs.dll
  • from <SYSTEM32>\spool\drivers\x64\{f631e2e7-1a30-4ec5-8272-524ed8e5f9c1}\setbf1f.tmp to <SYSTEM32>\spool\drivers\x64\{f631e2e7-1a30-4ec5-8272-524ed8e5f9c1}\mxdwdrv.dll
  • from <SYSTEM32>\spool\drivers\x64\{f631e2e7-1a30-4ec5-8272-524ed8e5f9c1}\setbefe.tmp to <SYSTEM32>\spool\drivers\x64\{f631e2e7-1a30-4ec5-8272-524ed8e5f9c1}\tsprint-datafile.dat
  • from <SYSTEM32>\spool\drivers\x64\{f631e2e7-1a30-4ec5-8272-524ed8e5f9c1}\setbeee.tmp to <SYSTEM32>\spool\drivers\x64\{f631e2e7-1a30-4ec5-8272-524ed8e5f9c1}\tsprint-pipelineconfig.xml
  • from C:\users\wgautilacc\appdata\local\microsoft\windows mail\edb.log to C:\users\wgautilacc\appdata\local\microsoft\windows mail\edb00001.log
  • from C:\users\wgautilacc\appdata\roaming\microsoft\windows\recent\customdestinations\39x30r8cna48okb6j2al.temp to C:\users\wgautilacc\appdata\roaming\microsoft\windows\recent\customdestinations\7e4dca80246863e3.customdestinations-ms
Substitutes the following files
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\edbtmp.log
  • C:\users\wgautilacc\appdata\local\microsoft\windows mail\edb.log
  • C:\users\wgautilacc\appdata\local\microsoft\windows media\12.0\wmsdkns.xml.bak
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\documents.library-ms
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\pictures.library-ms
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\videos.library-ms
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\music.library-ms
  • C:\users\wgautilacc\appdata\local\microsoft\media player\localmls_3.wmdb
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\~usic.tmp
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\~ideos.tmp
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\~ocuments.tmp
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\libraries\~ictures.tmp
  • C:\users\wgautilacc\appdata\roaming\microsoft\windows\start menu\programs\internet explorer.lnk
Deletes itself.
Network activity
UDP
  • DNS ASK ki####dzhara.xyz
  • DNS ASK ga###dina.xyz
Miscellaneous
Searches for the following windows
  • ClassName: 'CicLoaderWndClass' WindowName: ''
  • ClassName: 'Progman' WindowName: ''
  • ClassName: 'Proxy Desktop' WindowName: ''
  • ClassName: 'PersonalizationThemeChangeListener' WindowName: ''
  • ClassName: 'SystemTray_Main' WindowName: ''
  • ClassName: 'OutlookExpressHiddenWindow' WindowName: ''
Creates and executes the following
  • '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ep bypass -f %TEMP%\premiumextraDJJDVQWOHL.ps1
  • '<SYSTEM32>\cmd.exe' /c powershell -ep bypass -f %TEMP%\premiumextraDJJDVQWOHL.ps1' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /C net.exe user WgaUtilAcc Ghasar4f5 /del' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /C net.exe user WgaUtilAcc REVQSAVQ /add' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" tbbvay$ /ADD' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /C net.exe user WgaUtilAcc REVQSAVQ' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /C schtasks /create /tn 59643 /tr "powershell -nop -ep bypass -f %WINDIR%\help\31768.ps1" /ru system /sc hourly /mo 1' (with hidden window)
  • '<SYSTEM32>\userinit.exe' ' (with hidden window)
  • '%WINDIR%\syswow64\rundll32.exe' advpack.dll,LaunchINFSectionEx <SYSTEM32>\ieuinit.inf,Install,,36' (with hidden window)
  • '<SYSTEM32>\rundll32.exe' advpack.dll,LaunchINFSectionEx <SYSTEM32>\ieuinit.inf,Install,,36' (with hidden window)
Executes the following
  • '<SYSTEM32>\cmd.exe' /c powershell -ep bypass -f %TEMP%\premiumextraDJJDVQWOHL.ps1
  • '%WINDIR%\syswow64\rundll32.exe' advpack.dll,LaunchINFSectionEx <SYSTEM32>\ieuinit.inf,Install,,36
  • '<SYSTEM32>\gpscript.exe' /RefreshSystemParam
  • '%WINDIR%\syswow64\ie4uinit.exe' -BaseSettings
  • '%WINDIR%\explorer.exe'
  • '<SYSTEM32>\userinit.exe'
  • '<SYSTEM32>\rdpclip.exe'
  • '<SYSTEM32>\rundll32.exe' uxtheme.dll,#64 %WINDIR%\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
  • '<SYSTEM32>\regsvr32.exe' /s /n /i:/UserInstall <SYSTEM32>\themeui.dll
  • '<SYSTEM32>\smss.exe' 00000000 0000003c
  • '<SYSTEM32>\schtasks.exe' /create /tn 59643 /tr "powershell -nop -ep bypass -f %WINDIR%\help\31768.ps1" /ru system /sc hourly /mo 1
  • '<SYSTEM32>\cmd.exe' /C schtasks /create /tn 59643 /tr "powershell -nop -ep bypass -f %WINDIR%\help\31768.ps1" /ru system /sc hourly /mo 1
  • '<SYSTEM32>\net1.exe' user WgaUtilAcc REVQSAVQ
  • '<SYSTEM32>\net.exe' user WgaUtilAcc REVQSAVQ
  • '<SYSTEM32>\cmd.exe' /C net.exe user WgaUtilAcc REVQSAVQ
  • '<SYSTEM32>\winlogon.exe'
  • '<SYSTEM32>\cmd.exe' /c cmd/c net start TermService
  • '%ProgramFiles(x86)%\windows mail\winmail.exe' OCInstallUserConfigOE
  • '<SYSTEM32>\rundll32.exe' "<SYSTEM32>\iedkcs32.dll",BrandIEActiveSetup SIGNUP
  • '<SYSTEM32>\ie4uinit.exe' -ClearIconCache
  • '<SYSTEM32>\ie4uinit.exe' -UserIconConfig
  • '<SYSTEM32>\rundll32.exe' <SYSTEM32>\mscories.dll,Install
  • '<SYSTEM32>\rundll32.exe' advpack.dll,LaunchINFSectionEx <SYSTEM32>\ieuinit.inf,Install,,36
  • '<SYSTEM32>\ie4uinit.exe' -BaseSettings
  • '%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\SysWOW64\iedkcs32.dll",BrandIEActiveSetup SIGNUP
  • '%WINDIR%\syswow64\ie4uinit.exe' -ClearIconCache
  • '%WINDIR%\syswow64\ie4uinit.exe' -UserIconConfig
  • '%ProgramFiles(x86)%\google\chrome\application\42.0.2311.135\installer\chrmstp.exe' --configure-user-settings --verbose-logging --system-level --multi-install --chrome
  • '%WINDIR%\syswow64\rundll32.exe' %WINDIR%\SysWOW64\mscories.dll,Install
  • '<SYSTEM32>\regsvr32.exe' /s /n /i:U shell32.dll
  • '<SYSTEM32>\rundll32.exe' %ProgramFiles%\Windows Mail\default_list.xml, jgasuug
  • '<SYSTEM32>\cmd.exe' /c rundll32.exe %ProgramFiles%\Windows Mail\default_list.xml, jgasuug
  • '<SYSTEM32>\unregmp2.exe' /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
  • '<SYSTEM32>\net1.exe' LOCALGROUP "Administrators" WgaUtilAcc /ADD
  • '<SYSTEM32>\csrss.exe' ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitializa...
  • '<SYSTEM32>\net.exe' LOCALGROUP "Administrators" WgaUtilAcc /ADD
  • '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  • '<SYSTEM32>\net1.exe' LOCALGROUP "Remote Desktop Users" tbbvay$ /ADD
  • '<SYSTEM32>\icacls.exe' rfxvmt.dll /grant BUILTIN\Administrators:RX
  • '<SYSTEM32>\cmd.exe' /c cmd/c net start rdpdr
  • '<SYSTEM32>\net1.exe' localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
  • '<SYSTEM32>\net.exe' localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
  • '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
  • '<SYSTEM32>\reg.exe' add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d "%ProgramFiles%\windows mail\appcache.xml" /f
  • '<SYSTEM32>\reg.exe' ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
  • '<SYSTEM32>\icacls.exe' rfxvmt.dll /remove BUILTIN\Administrators
  • '<SYSTEM32>\net.exe' start rdpdr
  • '<SYSTEM32>\icacls.exe' rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
  • '<SYSTEM32>\icacls.exe' rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
  • '<SYSTEM32>\icacls.exe' rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
  • '<SYSTEM32>\icacls.exe' rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
  • '<SYSTEM32>\icacls.exe' rfxvmt.dll /inheritance:d
  • '<SYSTEM32>\takeown.exe' /A /F rfxvmt.dll
  • '%ProgramFiles%\windows sidebar\sidebar.exe' /autoRun
  • '%ProgramFiles%\windows mail\winmail.exe' OCInstallUserConfigOE
  • '<SYSTEM32>\net1.exe' start rdpdr
  • '<SYSTEM32>\net.exe' start TermService
  • '<SYSTEM32>\cmd.exe' /c net start rdpdr
  • '<SYSTEM32>\net.exe' LOCALGROUP "Remote Desktop Users" tbbvay$ /ADD
  • '<SYSTEM32>\cmd.exe' /c del %temp%\*.txt /f
  • '<SYSTEM32>\cmd.exe' /c del %temp%\*.ps1 /f
  • '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" tbbvay$ /ADD
  • '<SYSTEM32>\net1.exe' LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  • '<SYSTEM32>\net.exe' LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  • '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  • '<SYSTEM32>\net1.exe' user WgaUtilAcc REVQSAVQ /add
  • '<SYSTEM32>\net.exe' user WgaUtilAcc REVQSAVQ /add
  • '<SYSTEM32>\cmd.exe' /C net.exe user WgaUtilAcc REVQSAVQ /add
  • '<SYSTEM32>\net1.exe' user WgaUtilAcc Ghasar4f5 /del
  • '<SYSTEM32>\net.exe' user WgaUtilAcc Ghasar4f5 /del
  • '<SYSTEM32>\cmd.exe' /C net.exe user WgaUtilAcc Ghasar4f5 /del
  • '<SYSTEM32>\net1.exe' start TermService
  • '<SYSTEM32>\cmd.exe' /c net start TermService
  • '<SYSTEM32>\mctadmin.exe'

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Free trial

 

Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

Free trial

 

Download Dr.Web

Download by serial number

Download on App Store

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

 

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Free trial

14 days

Download now
Get it on Google Play