ユーザー向け情報

閉じる

マイライブラリ
マイライブラリ

+ マイライブラリに追加

検索
検索

電話
テクニカルサポート利用方法

問い合わせ

新規お問い合わせ

電話(英語)

+7 (495) 789-45-86

フォーラム(英語)

お問い合わせ履歴

新規お問い合わせ

電話(英語)

+7 (495) 789-45-86

Profile

JP

RU CN DE EN ES FR IT JP KZ UZ PL BY
閉じる
サービス
スキャナー
Dr.Web vxCube
トライアル
ウイルスライブラリ
ナレッジベース

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

ニュース

Trojan.Siggen8.52849

Added to the Dr.Web virus database: 2019-11-02

Virus description added:

Technical Information

To ensure autorun and distribution
Modifies the following registry keys
  • [<HKLM>\Software\Classes\.wme\Shell\open\command] '' = '%ProgramFiles%\WW2010CF\wmcEncryption.exe %1 decrypt'
  • [<HKLM>\Software\Classes\.smr\Shell\open\command] '' = '%ProgramFiles%\WW2010CF\wmcEncryption.exe %1 decrypt'
  • [<HKLM>\Software\Classes\.sef\Shell\open\command] '' = '%ProgramFiles%\WW2010CF\wmcEncryption.exe %1 decrypt'
Creates the following services
  • [<HKLM>\System\CurrentControlSet\Services\Win-Win] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\Win-Win] 'ImagePath' = '%ProgramFiles%\WW2010CF\wmcSystem.exe'
  • [<HKLM>\System\CurrentControlSet\Services\Smrf] 'Start' = '00000002'
  • [<HKLM>\System\CurrentControlSet\Services\Smrf] 'ImagePath' = 'system32\DRIVERS\Smrf.sys'
Malicious functions
Executes the following
  • '<SYSTEM32>\net.exe' stop smrf
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="ICMPv4 Inbound" dir=in action=allow enable=yes profile=any localip=any remoteip=any protocol=icmpv4:8,any interfacetype=any edge=yes
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="WinMasterServices V7 Client" dir=in program="%ProgramFiles%\WW2010CF\wmcSystem.exe" action=allow enable=yes profile=any localip=any remoteip=any protocol=TCP...
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="WinMasterRC Slave" dir=in program="%ProgramFiles%\WW2010CF\wmcRCSlave.exe" action=allow enable=yes profile=any localip=any remoteip=any protocol=TCP interfac...
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="WinMasterFT Slave" dir=in program="%ProgramFiles%\WW2010CF\wmcFTSlave.exe" action=allow enable=yes profile=any localip=any remoteip=any protocol=TCP interfac...
Registers file system filter
  • [<HKLM>\System\CurrentControlSet\Services\Smrf] 'Group' = 'FSFilter Activity Monitor'
Modifies file system
Creates the following files
  • C:\temp\temp\foxsdku32w.dll
  • %ProgramFiles%\ww2010cf\pcinfo.exe
  • %ProgramFiles%\ww2010cf\policy\system\replysystem.opt
  • %ProgramFiles%\ww2010cf\scheduletask.exe
  • %ProgramFiles%\ww2010cf\serverschtask.dat
  • %ProgramFiles%\ww2010cf\smrf.cat.208
  • %ProgramFiles%\ww2010cf\smrf.cat.208_x64
  • %ProgramFiles%\ww2010cf\smrf.cat.212r2_x64
  • %ProgramFiles%\ww2010cf\smrf.cat.212_x64
  • %ProgramFiles%\ww2010cf\smrf.cat.vis
  • %ProgramFiles%\ww2010cf\smrf.cat.w7
  • %ProgramFiles%\ww2010cf\install.dat
  • %ProgramFiles%\ww2010cf\manualupdate2015.exe
  • %ProgramFiles%\ww2010cf\smrf.cat.w7_x64
  • %ProgramFiles%\ww2010cf\smrf.cat.w81_x64
  • %ProgramFiles%\ww2010cf\smrf.cat.w8_x64
  • %ProgramFiles%\ww2010cf\smrf.inf.208
  • %ProgramFiles%\ww2010cf\smrf.inf.208_x64
  • %ProgramFiles%\ww2010cf\smrf.inf.212r2_x64
  • %ProgramFiles%\ww2010cf\smrf.inf.212_x64
  • %ProgramFiles%\ww2010cf\smrf.inf.vis
  • %ProgramFiles%\ww2010cf\smrf.inf.w23
  • %ProgramFiles%\ww2010cf\smrf.inf.w7
  • %ProgramFiles%\ww2010cf\smrf.inf.w7_x64
  • %ProgramFiles%\ww2010cf\smrf.cat.w8
  • %ProgramFiles%\ww2010cf\smrf.cat.w81
  • %ProgramFiles%\ww2010cf\hucheck5.exe
  • %ProgramFiles%\ww2010cf\foxsdku32w.dll
  • C:\temp\winet\hurms.exe
  • C:\temp\winet\smrf.sys.w7_x64
  • C:\temp\winet\smrf.sys.w8
  • C:\temp\winet\smrf.sys.w81
  • C:\temp\winet\smrf.sys.w81_x64
  • C:\temp\winet\smrf.sys.w8_x64
  • C:\temp\winet\smrf.sys.wxp
  • C:\temp\winet\winet.ln_
  • C:\temp\winet\winnetdaily.dll
  • C:\temp\winet\wmcdataburner.exe
  • C:\temp\winet\wmcencryption.exe
  • C:\temp\winet\wmcftslave.exe
  • C:\temp\winet\smrf.sys.w7
  • C:\temp\winet\wmchook.dll
  • C:\temp\winet\wmcmemmgr.dll
  • C:\temp\winet\wmcmemmgr64.dll
  • C:\temp\winet\wmcproc.exe
  • C:\temp\winet\wmcrcslave.exe
  • C:\temp\winet\wmcrms.exe
  • C:\temp\winet\wmcservice.exe
  • C:\temp\winet\wmcservice64.exe
  • C:\temp\winet\wmcsystem.exe
  • C:\temp\winet\wmcsystem64.exe
  • C:\temp\winet\wmcuser.exe
  • C:\temp\winet\xceedcry.dll
  • C:\temp\winet\wmchook64.dll
  • %ProgramFiles%\ww2010cf\smrf.inf.w8
  • %ProgramFiles%\ww2010cf\smrf.inf.w81
  • %ProgramFiles%\ww2010cf\smrf.inf.w81_x64
  • %ProgramFiles%\ww2010cf\smrf.inf.w8_x64
  • <SYSTEM32>\pcinfo.exe
  • <SYSTEM32>\winnetdaily.dll
  • %WINDIR%\syswow64\pcinfo.exe
  • %WINDIR%\syswow64\hurms.exe
  • %WINDIR%\syswow64\winnetdaily.dll
  • %WINDIR%\debug\smr\warninglog\memmgr\20191101.log
  • %WINDIR%\debug\smr\eventlog\servicemain\20191101.log
  • %WINDIR%\debug\smr\eventlog\customer\20191101.log
  • %WINDIR%\debug\smr\eventlog\driver\20191101.log
  • <DRIVERS>\smrf.inf
  • <DRIVERS>\smrf.cat
  • <DRIVERS>\smrf.sys
  • C:\temp\pnpadd.tmp
  • %WINDIR%\temp\{397f1503-6dec-69d0-34f2-79541656c017}\setb20c.tmp
  • %WINDIR%\temp\{397f1503-6dec-69d0-34f2-79541656c017}\setb307.tmp
  • %WINDIR%\temp\{397f1503-6dec-69d0-34f2-79541656c017}\setb3e3.tmp
  • <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\oem2.cat
  • %WINDIR%\temp\oldc8c0.tmp
  • <DRIVERS>\setc8e0.tmp
  • %WINDIR%\temp\uddcc4b.tmp
  • %ProgramFiles%\ww2010cf\info\pcinfo.opt
  • %WINDIR%\debug\smr\eventlog\pipe\20191101.log
  • %WINDIR%\debug\smr\eventlog\wmcsystem.exe\20191101.log
  • %WINDIR%\debug\smr\eventlog\wmcservice.exe\20191101.log
  • %WINDIR%\debug\smr\eventlog\runservice\20191101.log
  • <SYSTEM32>\hurms.exe
  • %ProgramFiles%\ww2010cf\wmcuser.exe
  • %ProgramFiles%\ww2010cf\xceedcry.dll
  • %ProgramFiles%\ww2010cf\wmcsystem.exe
  • %ProgramFiles%\ww2010cf\smrf.inf.wxp
  • %ProgramFiles%\ww2010cf\smrf.sys.208
  • %ProgramFiles%\ww2010cf\smrf.sys.208_x64
  • %ProgramFiles%\ww2010cf\smrf.sys.212r2_x64
  • %ProgramFiles%\ww2010cf\smrf.sys.212_x64
  • %ProgramFiles%\ww2010cf\smrf.sys.vis
  • %ProgramFiles%\ww2010cf\smrf.sys.w23
  • %ProgramFiles%\ww2010cf\smrf.sys.w7
  • %ProgramFiles%\ww2010cf\smrf.sys.w7_x64
  • %ProgramFiles%\ww2010cf\smrf.sys.w8
  • %ProgramFiles%\ww2010cf\smrf.sys.w81
  • %ProgramFiles%\ww2010cf\smrf.sys.w81_x64
  • %ProgramFiles%\ww2010cf\smrf.sys.w8_x64
  • %ProgramFiles%\ww2010cf\smrf.sys.wxp
  • %ProgramFiles%\ww2010cf\winet.ln_
  • %ProgramFiles%\ww2010cf\wmcdataburner.exe
  • %ProgramFiles%\ww2010cf\wmcencryption.exe
  • %ProgramFiles%\ww2010cf\wmcftslave.exe
  • %ProgramFiles%\ww2010cf\wmchook.dll
  • %ProgramFiles%\ww2010cf\wmchook64.dll
  • %ProgramFiles%\ww2010cf\wmcmemmgr.dll
  • %ProgramFiles%\ww2010cf\wmcmemmgr64.dll
  • %ProgramFiles%\ww2010cf\wmcproc.exe
  • %ProgramFiles%\ww2010cf\wmcrcslave.exe
  • %ProgramFiles%\ww2010cf\wmcservice.exe
  • %WINDIR%\debug\smr\scheduletask\2019_11_01.log
  • C:\temp\winet\smrf.sys.w23
  • C:\temp\winet\smrf.sys.vis
  • C:\temp\winet\smrf.sys.212_x64
  • C:\temp\temp\smrf.inf.w7_x64
  • C:\temp\temp\smrf.inf.w8
  • C:\temp\temp\smrf.inf.w81
  • C:\temp\temp\smrf.inf.w81_x64
  • C:\temp\temp\smrf.inf.w8_x64
  • C:\temp\temp\smrf.inf.wxp
  • C:\temp\temp\smrf.sys.208
  • C:\temp\temp\smrf.sys.208_x64
  • C:\temp\temp\smrf.sys.212r2_x64
  • C:\temp\temp\smrf.sys.212_x64
  • C:\temp\temp\smrf.inf.w23
  • C:\temp\temp\smrf.inf.w7
  • C:\temp\temp\smrf.sys.vis
  • C:\temp\temp\smrf.sys.w7_x64
  • C:\temp\temp\smrf.sys.w8
  • C:\temp\temp\smrf.sys.w81
  • C:\temp\temp\smrf.sys.w81_x64
  • C:\temp\temp\smrf.sys.w8_x64
  • C:\temp\temp\smrf.sys.wxp
  • C:\temp\temp\winet.ln_
  • C:\temp\temp\winnetdaily.dll
  • C:\temp\temp\wmcdataburner.exe
  • C:\temp\temp\wmcencryption.exe
  • C:\temp\temp\smrf.sys.w23
  • C:\temp\temp\smrf.sys.w7
  • C:\temp\temp\smrf.inf.vis
  • C:\temp\temp\smrf.inf.212_x64
  • C:\temp\temp\smrf.inf.212r2_x64
  • C:\temp\temp\install.dat
  • C:\temp\temp\manualupdate2015.exe
  • C:\temp\temp\pcinfo.exe
  • C:\temp\temp\policy\system\replysystem.opt
  • C:\temp\temp\presto.agn
  • C:\temp\temp\reginfo.dat
  • C:\temp\temp\rms.dll
  • C:\temp\temp\runmanualupdate2015.exe
  • C:\temp\temp\scheduletask.exe
  • C:\temp\temp\sensetup.exe
  • C:\temp\temp\serverschtask.dat
  • C:\temp\temp\hucheck5.exe
  • C:\temp\temp\smrf.cat.208
  • C:\temp\temp\smrf.cat.212r2_x64
  • C:\temp\temp\smrf.cat.212_x64
  • C:\temp\temp\smrf.cat.vis
  • C:\temp\temp\smrf.cat.w7
  • C:\temp\temp\smrf.cat.w7_x64
  • C:\temp\temp\smrf.cat.w8
  • C:\temp\temp\smrf.cat.w81
  • C:\temp\temp\smrf.cat.w81_x64
  • C:\temp\temp\smrf.cat.w8_x64
  • C:\temp\temp\smrf.inf.208
  • C:\temp\temp\smrf.inf.208_x64
  • C:\temp\temp\smrf.cat.208_x64
  • C:\temp\temp\wmcftslave.exe
  • C:\temp\temp\wmchook.dll
  • C:\temp\temp\wmchook64.dll
  • C:\temp\temp\wmcmemmgr.dll
  • C:\temp\winet\smrf.cat.208_x64
  • C:\temp\winet\smrf.cat.212r2_x64
  • C:\temp\winet\smrf.cat.212_x64
  • C:\temp\winet\smrf.cat.vis
  • C:\temp\winet\smrf.cat.w7
  • C:\temp\winet\smrf.cat.w7_x64
  • C:\temp\winet\smrf.cat.w8
  • C:\temp\winet\smrf.cat.w81
  • C:\temp\winet\smrf.cat.w81_x64
  • C:\temp\winet\smrf.cat.w8_x64
  • C:\temp\winet\smrf.inf.208
  • C:\temp\winet\smrf.inf.208_x64
  • C:\temp\winet\smrf.inf.212r2_x64
  • C:\temp\winet\smrf.inf.212_x64
  • C:\temp\winet\smrf.inf.vis
  • C:\temp\winet\smrf.inf.w23
  • C:\temp\winet\smrf.inf.w7
  • C:\temp\winet\smrf.inf.w7_x64
  • C:\temp\winet\smrf.inf.w8
  • C:\temp\winet\smrf.inf.w81
  • C:\temp\winet\smrf.inf.w81_x64
  • C:\temp\winet\smrf.inf.w8_x64
  • C:\temp\winet\smrf.inf.wxp
  • C:\temp\winet\smrf.sys.208
  • C:\temp\winet\smrf.sys.208_x64
  • C:\temp\winet\smrf.cat.208
  • C:\temp\winet\sensetup.exe
  • C:\temp\winet\serverschtask.dat
  • C:\temp\winet\scheduletask.exe
  • C:\temp\temp\wmcmemmgr64.dll
  • C:\temp\temp\wmcproc.exe
  • C:\temp\temp\wmcrcslave.exe
  • C:\temp\temp\wmcrms.exe
  • C:\temp\temp\wmcservice.exe
  • C:\temp\temp\wmcservice64.exe
  • C:\temp\temp\wmcsystem.exe
  • C:\temp\temp\wmcsystem64.exe
  • C:\temp\temp\wmcuser.exe
  • C:\temp\temp\xceedcry.dll
  • C:\temp\wwnew.ver
  • %WINDIR%\debug\smr\manualupdate2015_2019_11_01.log
  • %TEMP%\auta6d6.tmp
  • %TEMP%\5f6d5g9gg5er9g3h5uj4e6sjh6u22i4t6\wmcrms.exe
  • %WINDIR%\debug\smr\rmslog\20191101.log
  • %TEMP%\aut256d.tmp
  • %TEMP%\5f6d5g9gg5er9g3h5uj4e6sjh6u22i4t6\copyfiles.exe
  • C:\temp\winet\foxsdku32w.dll
  • C:\temp\winet\hucheck5.exe
  • C:\temp\winet\install.dat
  • C:\temp\winet\manualupdate2015.exe
  • C:\temp\winet\pcinfo.exe
  • C:\temp\winet\policy\system\replysystem.opt
  • C:\temp\winet\presto.agn
  • C:\temp\winet\reginfo.dat
  • C:\temp\winet\smrf.sys.212r2_x64
  • %WINDIR%\debug\smr\eventlog\trace\20191101.log
Sets the 'hidden' attribute to the following files
  • <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\oem2.cat
Deletes the following files
  • %TEMP%\auta6d6.tmp
  • C:\temp\winet\smrf.sys.212_x64
  • C:\temp\winet\smrf.sys.212r2_x64
  • C:\temp\winet\smrf.sys.208_x64
  • C:\temp\winet\smrf.sys.208
  • C:\temp\winet\smrf.inf.wxp
  • C:\temp\winet\smrf.inf.w8_x64
  • C:\temp\winet\smrf.inf.w81_x64
  • C:\temp\winet\smrf.inf.w81
  • C:\temp\winet\smrf.sys.w23
  • C:\temp\winet\smrf.sys.vis
  • C:\temp\winet\smrf.inf.w7
  • C:\temp\winet\smrf.inf.w23
  • C:\temp\winet\smrf.inf.vis
  • C:\temp\winet\smrf.inf.212_x64
  • C:\temp\winet\smrf.inf.212r2_x64
  • C:\temp\winet\smrf.inf.208_x64
  • C:\temp\winet\smrf.inf.208
  • C:\temp\winet\smrf.cat.w8_x64
  • C:\temp\winet\smrf.inf.w8
  • %WINDIR%\temp\{397f1503-6dec-69d0-34f2-79541656c017}\smrf.sys
  • C:\temp\winet\smrf.sys.w7
  • C:\temp\winet\wmcuser.exe
  • C:\temp\winet\wmcsystem.exe
  • C:\temp\winet\wmcservice.exe
  • C:\temp\winet\wmcrcslave.exe
  • C:\temp\winet\wmcproc.exe
  • C:\temp\winet\wmcmemmgr64.dll
  • C:\temp\winet\wmcmemmgr.dll
  • C:\temp\winet\wmchook64.dll
  • C:\temp\winet\wmchook.dll
  • C:\temp\winet\wmcftslave.exe
  • C:\temp\winet\wmcencryption.exe
  • C:\temp\winet\wmcdataburner.exe
  • C:\temp\winet\winnetdaily.dll
  • C:\temp\winet\winet.ln_
  • C:\temp\winet\smrf.sys.wxp
  • C:\temp\winet\smrf.sys.w8_x64
  • C:\temp\winet\smrf.sys.w81_x64
  • C:\temp\winet\smrf.sys.w81
  • C:\temp\winet\smrf.sys.w8
  • C:\temp\winet\smrf.cat.w81_x64
  • C:\temp\winet\smrf.inf.w7_x64
  • C:\temp\winet\smrf.cat.w81
  • C:\temp\winet\smrf.cat.w8
  • C:\temp\winet\smrf.cat.w7_x64
  • C:\temp\temp\sensetup.exe
  • C:\temp\winet\wmcsystem64.exe
  • C:\temp\winet\wmcrms.exe
  • C:\temp\temp\xceedcry.dll
  • C:\temp\temp\wmcuser.exe
  • C:\temp\temp\wmcrms.exe
  • C:\temp\temp\wmcproc.exe
  • C:\temp\temp\wmchook.dll
  • C:\temp\temp\winet.ln_
  • C:\temp\temp\reginfo.dat
  • %WINDIR%\temp\{397f1503-6dec-69d0-34f2-79541656c017}\smrf.cat
  • C:\temp\temp\presto.agn
  • C:\temp\temp\pcinfo.exe
  • C:\temp\temp\install.dat
  • C:\temp\temp\hucheck5.exe
  • %TEMP%\aut256d.tmp
  • C:\temp\temp\runmanualupdate2015.exe
  • C:\temp\temp\rms.dll
  • %TEMP%\5f6d5g9gg5er9g3h5uj4e6sjh6u22i4t6\wmcrms.exe
  • C:\temp\winet\xceedcry.dll
  • C:\temp\winet\smrf.sys.w7_x64
  • %WINDIR%\temp\{397f1503-6dec-69d0-34f2-79541656c017}\smrf.inf
  • %WINDIR%\temp\uddcc4b.tmp
  • C:\temp\winet\wmcservice64.exe
  • C:\temp\winet\smrf.cat.w7
  • C:\temp\winet\smrf.cat.vis
  • C:\temp\winet\smrf.cat.212_x64
  • C:\temp\winet\smrf.cat.212r2_x64
  • C:\temp\winet\smrf.cat.208_x64
  • C:\temp\winet\smrf.cat.208
  • C:\temp\winet\serverschtask.dat
  • C:\temp\winet\sensetup.exe
  • C:\temp\winet\scheduletask.exe
  • C:\temp\winet\reginfo.dat
  • C:\temp\winet\presto.agn
  • C:\temp\winet\policy\system\replysystem.opt
  • C:\temp\winet\pcinfo.exe
  • C:\temp\winet\manualupdate2015.exe
  • C:\temp\winet\install.dat
  • C:\temp\winet\hurms.exe
  • C:\temp\winet\hucheck5.exe
  • C:\temp\winet\foxsdku32w.dll
  • %WINDIR%\temp\oldc8c0.tmp
  • C:\temp\wwnew.ver
Moves the following files
  • from %WINDIR%\temp\{397f1503-6dec-69d0-34f2-79541656c017}\setb20c.tmp to %WINDIR%\temp\{397f1503-6dec-69d0-34f2-79541656c017}\smrf.cat
  • from %WINDIR%\temp\{397f1503-6dec-69d0-34f2-79541656c017}\setb307.tmp to %WINDIR%\temp\{397f1503-6dec-69d0-34f2-79541656c017}\smrf.inf
  • from %WINDIR%\temp\{397f1503-6dec-69d0-34f2-79541656c017}\setb3e3.tmp to %WINDIR%\temp\{397f1503-6dec-69d0-34f2-79541656c017}\smrf.sys
  • from C:\temp\pnpadd.tmp to %WINDIR%\debug\smr\huservice\pnpadd_2019_11_01_15_43.tmp
  • from <DRIVERS>\setc8e0.tmp to <DRIVERS>\smrf.sys
Miscellaneous
Searches for the following windows
  • ClassName: 'EDIT' WindowName: ''
  • ClassName: 'wmcRMS' WindowName: ''
  • ClassName: 'SMR_HUEXEC' WindowName: ''
  • ClassName: 'Win-Win 32 Commander Class' WindowName: ''
  • ClassName: 'Win-Win 32 Commander Class6' WindowName: ''
  • ClassName: '' WindowName: 'SMR_CDINFO'
  • ClassName: 'SMR_HULOGIN' WindowName: ''
  • ClassName: '' WindowName: 'SMR_WINMASTER_MISC'
  • ClassName: '' WindowName: 'SMR_USB_SN'
  • ClassName: '' WindowName: 'SMR_CDinfo_V'
  • ClassName: '' WindowName: 'SMR_PT'
  • ClassName: '' WindowName: 'SMR_HuNCommEx'
  • ClassName: '' WindowName: 'SMR_SK'
  • ClassName: 'SENSETUP' WindowName: ''
  • ClassName: 'WMCSYSTEM' WindowName: ''
  • ClassName: 'ScheduleTask' WindowName: ''
Creates and executes the following
  • 'C:\temp\temp\runmanualupdate2015.exe'
  • '%ProgramFiles%\ww2010cf\scheduletask.exe' -SetSchedule
  • 'C:\temp\winet\sensetup.exe'
  • '%ProgramFiles%\ww2010cf\wmcsystem.exe' -i
  • '%ProgramFiles%\ww2010cf\wmcuser.exe'
  • '%ProgramFiles%\ww2010cf\wmcservice.exe'
  • '%ProgramFiles%\ww2010cf\wmcsystem.exe'
  • '%ProgramFiles%\ww2010cf\wmcproc.exe'
  • '%TEMP%\5f6d5g9gg5er9g3h5uj4e6sjh6u22i4t6\copyfiles.exe'
  • 'C:\temp\temp\manualupdate2015.exe'
  • 'C:\temp\temp\hucheck5.exe'
  • '%ProgramFiles%\ww2010cf\hucheck5.exe'
  • '%TEMP%\5f6d5g9gg5er9g3h5uj4e6sjh6u22i4t6\wmcrms.exe' -noui -driver -older -alt -log
  • '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices Client"' (with hidden window)
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="ICMPv4 Inbound"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices Server"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c del <DRIVERS>\ntfsf.* /F /Q' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c del %TEMP%\5f6d5g9gg5er9g3h5uj4e6sjh6u22i4t6\*.* /F /Q' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c rd %ProgramFiles%\ww2000cf /Q /S' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c ren "%ProgramFiles%\ww2010cf\wmcMemmgr64.dll" wmcMemmgr64.1101154218' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c del %WINDIR%\inf\ntfsf.* /F /Q' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c del %WINDIR%\inf\ntfsf6.* /F /Q' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c del <DRIVERS>\ntfsf6.* /F /Q' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c md %ProgramFiles%\ww2010cf\SMRTEATIME' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c del %ProgramFiles%\ww2000cf /F /Q' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c rd ""c:\temp\temp"" /Q /S' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move "%ProgramFiles%\ww2010cf\*.1101154218" "%TEMP%\SMRCV7"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c rd ""c:\Users\Public\Temp\temp"" /Q /S' (with hidden window)
  • '%TEMP%\5f6d5g9gg5er9g3h5uj4e6sjh6u22i4t6\copyfiles.exe' ' (with hidden window)
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="ICMPv4 Inbound" dir=in action=allow enable=yes profile=any localip=any remoteip=any protocol=icmpv4:8,any interfacetype=any edge=yes' (with hidden window)
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="WinMasterServices V7 Client" dir=in program="%ProgramFiles%\WW2010CF\wmcSystem.exe" action=allow enable=yes profile=any localip=any remoteip=any protocol=TCP...' (with hidden window)
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="WinMasterRC Slave" dir=in program="%ProgramFiles%\WW2010CF\wmcRCSlave.exe" action=allow enable=yes profile=any localip=any remoteip=any protocol=TCP interfac...' (with hidden window)
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="WinMasterFT Slave" dir=in program="%ProgramFiles%\WW2010CF\wmcFTSlave.exe" action=allow enable=yes profile=any localip=any remoteip=any protocol=TCP interfac...' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c PnPutil.exe -a <DRIVERS>\Smrf.inf > c:\temp\PnPadd.tmp' (with hidden window)
  • '%WINDIR%\syswow64\regsvr32.exe' /i /s "%ProgramFiles%\WW2010CF\FoxSDKU32w.dll"' (with hidden window)
  • '%ProgramFiles%\ww2010cf\scheduletask.exe' -SetSchedule' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c ren "%ProgramFiles%\ww2010cf\wmcMemmgr.dll" wmcMemmgr.1101154218' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c rd %ProgramFiles%\ww2010cf\SMRTEATIME' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c md %ProgramFiles%\ww2010cf\SMRPLAYBALL' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices Client_x64"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterFT Master x64"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c net stop smrf' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c rd %ProgramFiles%\ww2010cf\SMRPLAYBALL' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices Client x64"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices Client"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c ren "%ProgramFiles%\ww2010cf\wmcHook64.dll" wmcHook64.1101154218' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram program ="%ProgramFiles%\WW2010CF\wmcSystem.exe"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMaster Client"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c %TEMP%\5f6d5g9gg5er9g3h5uj4e6sjh6u22i4t6\wmcrms.exe -noui -driver -older -alt -log' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c ren "%ProgramFiles%\ww2010cf\wmcHook.dll" wmcHook.1101154218' (with hidden window)
  • '%WINDIR%\syswow64\schtasks.exe' /Delete /TN "WinMaster Log and Backup Auto Archive" /F' (with hidden window)
  • 'C:\temp\temp\manualupdate2015.exe' ' (with hidden window)
  • 'C:\temp\temp\hucheck5.exe' ' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c del %ProgramFiles%\ww2010cf\smrf.* /F /S /Q' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices Server"' (with hidden window)
  • '%WINDIR%\syswow64\schtasks.exe' /Delete /TN "CheckTaskHour" /F' (with hidden window)
  • '%WINDIR%\syswow64\schtasks.exe' /Delete /TN "CheckTaskDaily" /F' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices Server_x64"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices V7 Server x64"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices Server x64"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices V7 Server"' (with hidden window)
  • '%WINDIR%\syswow64\msiexec.exe' /x {6ECF2098-BEE1-45D2-BD6F-5A4CCF4EC6D5} /qn /norestart' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices V7 Client"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMaster Server"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram program ="%ProgramFiles%\WW2010CF\wmcRCMaster.exe"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram program ="%ProgramFiles%\WW2010CF\wmcFTSlave.exe"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram program ="%ProgramFiles%\WW2010CF\wmcFTMaster.exe"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram program ="%ProgramFiles%\WW2010CF\WM7_Server.exe"' (with hidden window)
  • '%ProgramFiles%\ww2010cf\hucheck5.exe' ' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices Connect x64"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices V7 Client x64"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices Connect"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterRC Master x64"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterFT Slave x64"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterRC Slave x64"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterFT Master"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterRC Master"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterFT Slave"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterRC Slave"' (with hidden window)
  • '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram program ="%ProgramFiles%\WW2010CF\wmcRCSlave.exe"' (with hidden window)
  • '<SYSTEM32>\secedit.exe' /export /cfg C:\Users\Public\secpol.tmp' (with hidden window)
Executes the following
  • '<SYSTEM32>\cmd.exe' /c %TEMP%\5f6d5g9gg5er9g3h5uj4e6sjh6u22i4t6\wmcrms.exe -noui -driver -older -alt -log
  • '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices Client"
  • '<SYSTEM32>\cmd.exe' /c move "%ProgramFiles%\ww2010cf\*.1101154218" "%TEMP%\SMRCV7"
  • '<SYSTEM32>\cmd.exe' /c ren "%ProgramFiles%\ww2010cf\wmcMemmgr64.dll" wmcMemmgr64.1101154218
  • '<SYSTEM32>\cmd.exe' /c ren "%ProgramFiles%\ww2010cf\wmcMemmgr.dll" wmcMemmgr.1101154218
  • '<SYSTEM32>\cmd.exe' /c ren "%ProgramFiles%\ww2010cf\wmcHook64.dll" wmcHook64.1101154218
  • '<SYSTEM32>\cmd.exe' /c ren "%ProgramFiles%\ww2010cf\wmcHook.dll" wmcHook.1101154218
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="WinMasterServices V7 Client x64"
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="WinMasterServices V7 Client"
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="WinMasterRC Slave"
  • '<SYSTEM32>\netsh.exe' advfirewall firewall delete rule name="WinMasterServices Client"
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="WinMasterFT Slave"
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="WinMasterFT Master"
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="WinMasterRC Slave x64"
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="WinMasterFT Slave x64"
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="WinMasterRC Master x64"
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="WinMasterFT Master x64"
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="WinMaster Client"
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="WinMaster Server"
  • '%WINDIR%\syswow64\netsh.exe' firewall delete allowedprogram program ="%ProgramFiles%\WW2010CF\wmcSystem.exe"
  • '%WINDIR%\syswow64\netsh.exe' firewall delete allowedprogram program ="%ProgramFiles%\WW2010CF\WM7_Server.exe"
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="WinMasterRC Master"
  • '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices Server"
  • '<SYSTEM32>\netsh.exe' advfirewall firewall delete rule name="WinMasterServices Server"
  • '<SYSTEM32>\cmd.exe' /c del %TEMP%\5f6d5g9gg5er9g3h5uj4e6sjh6u22i4t6\*.* /F /Q
  • '<SYSTEM32>\netstat.exe' -ano
  • '<SYSTEM32>\cmd.exe' /c netstat -ano |findstr :7150
  • '<SYSTEM32>\cmd.exe' /c rd %ProgramFiles%\ww2010cf\SMRPLAYBALL
  • '<SYSTEM32>\cmd.exe' /c md %ProgramFiles%\ww2010cf\SMRPLAYBALL
  • '<SYSTEM32>\cmd.exe' /c rd %ProgramFiles%\ww2010cf\SMRTEATIME
  • '%WINDIR%\syswow64\regsvr32.exe' /i /s "%ProgramFiles%\WW2010CF\FoxSDKU32w.dll"
  • '<SYSTEM32>\rundll32.exe' setupapi.dll,InstallHinfSection DefaultInstall 128 <DRIVERS>\Smrf.inf
  • '<SYSTEM32>\pnputil.exe' -a <DRIVERS>\Smrf.inf
  • '<SYSTEM32>\cmd.exe' /c PnPutil.exe -a <DRIVERS>\Smrf.inf > c:\temp\PnPadd.tmp
  • '<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles%\WW2010CF\FoxSDKU32w.dll"
  • '<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles%\WW2010CF\XceedCry.dll"
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="ICMPv4 Inbound"
  • '<SYSTEM32>\cmd.exe' /c rd ""c:\Users\Public\Temp\temp"" /Q /S
  • '<SYSTEM32>\cmd.exe' /c rd ""c:\temp\temp"" /Q /S
  • '<SYSTEM32>\cmd.exe' /c rd %ProgramFiles%\ww2000cf /Q /S
  • '<SYSTEM32>\cmd.exe' /c del %ProgramFiles%\ww2000cf /F /Q
  • '<SYSTEM32>\cmd.exe' /c md %ProgramFiles%\ww2010cf\SMRTEATIME
  • '<SYSTEM32>\cmd.exe' /c del <DRIVERS>\ntfsf6.* /F /Q
  • '<SYSTEM32>\cmd.exe' /c del %WINDIR%\inf\ntfsf6.* /F /Q
  • '<SYSTEM32>\cmd.exe' /c del <DRIVERS>\ntfsf.* /F /Q
  • '<SYSTEM32>\cmd.exe' /c del %WINDIR%\inf\ntfsf.* /F /Q
  • '%WINDIR%\syswow64\netsh.exe' firewall delete allowedprogram program ="%ProgramFiles%\WW2010CF\wmcFTMaster.exe"
  • '<SYSTEM32>\findstr.exe' :7150
  • '%WINDIR%\syswow64\netsh.exe' firewall delete allowedprogram program ="%ProgramFiles%\WW2010CF\wmcFTSlave.exe"
  • '%WINDIR%\syswow64\netsh.exe' firewall delete allowedprogram program ="%ProgramFiles%\WW2010CF\wmcRCSlave.exe"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterRC Master"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterFT Slave"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterRC Slave"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices V7 Client"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices V7 Client x64"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices V7 Server"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices V7 Server x64"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices Client x64"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices Client_x64"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterFT Master"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices Client"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices Connect x64"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices Server"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices Server x64"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices Server_x64"
  • '%WINDIR%\syswow64\schtasks.exe' /Delete /TN "WinMaster Log and Backup Auto Archive" /F
  • '%WINDIR%\syswow64\schtasks.exe' /Delete /TN "CheckTaskDaily" /F
  • '%WINDIR%\syswow64\schtasks.exe' /Delete /TN "CheckTaskHour" /F
  • '%WINDIR%\syswow64\msiexec.exe' /x {6ECF2098-BEE1-45D2-BD6F-5A4CCF4EC6D5} /qn /norestart
  • '%WINDIR%\syswow64\cmd.exe' /c del %ProgramFiles%\ww2010cf\smrf.* /F /S /Q
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterServices Connect"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterRC Slave x64"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterFT Slave x64"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterRC Master x64"
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="WinMasterServices Server x64"
  • '<SYSTEM32>\net1.exe' stop smrf
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="WinMasterServices Connect"
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="WinMasterServices Client"
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="WinMasterServices Client_x64"
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="WinMasterServices Client x64"
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="WinMasterServices V7 Server x64"
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="WinMasterServices V7 Server"
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="WinMasterServices Connect x64"
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="WinMasterServices Server"
  • '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="WinMasterServices Server_x64"
  • '<SYSTEM32>\cmd.exe' /c net stop smrf
  • '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram program ="%ProgramFiles%\WW2010CF\wmcRCSlave.exe"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram program ="%ProgramFiles%\WW2010CF\wmcRCMaster.exe"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram program ="%ProgramFiles%\WW2010CF\wmcFTSlave.exe"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram program ="%ProgramFiles%\WW2010CF\wmcFTMaster.exe"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram program ="%ProgramFiles%\WW2010CF\WM7_Server.exe"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram program ="%ProgramFiles%\WW2010CF\wmcSystem.exe"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMaster Server"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMaster Client"
  • '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall delete rule name="WinMasterFT Master x64"
  • '%WINDIR%\syswow64\netsh.exe' firewall delete allowedprogram program ="%ProgramFiles%\WW2010CF\wmcRCMaster.exe"
  • '<SYSTEM32>\secedit.exe' /export /cfg C:\Users\Public\secpol.tmp

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Free trial

 

Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

Free trial

 

Download Dr.Web

Download by serial number

Download on App Store

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

 

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Free trial

14 days

Download now
Get it on Google Play