ユーザー向け情報

閉じる

マイライブラリ
マイライブラリ

+ マイライブラリに追加

検索
検索

電話
テクニカルサポート利用方法

問い合わせ

新規お問い合わせ

電話

03-6550-8770

フォーラム(英語)

お問い合わせ履歴

新規お問い合わせ

電話

03-6550-8770

Profile

JP

RU CN DE EN ES FR IT JP KZ UZ PL BY ID
閉じる
サービス
スキャナー
Dr.Web vxCube
トライアル
ウイルスライブラリ
ナレッジベース

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

ニュース

Trojan.MulDrop24.38687

Added to the Dr.Web virus database: 2023-12-22

Virus description added:

Technical Information

To ensure autorun and distribution
Sets the following service settings
  • [HKLM\SYSTEM\CurrentControlSet\Services\AudioEndpointBuilder] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\Wcmsvc] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\UserManager] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\SystemEventsBroker] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\StorSvc] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\sppsvc] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\Schedule] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\RasMan] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\ProfSvc] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\Power] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\nsi] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\mpssvc] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\LSM] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\EventSystem] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\EventLog] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\Dnscache] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\Dhcp] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\CoreMessagingRegistrar] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\CDPSvc] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\BrokerInfrastructure] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\BFE] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\Audiosrv] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\WlanSvc] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\WSearch] 'Start' = '00000002'
Malicious functions
Launches a large number of processes
Modifies file system
Creates the following files
  • %TEMP%\b07a.tmp\b07b.tmp\b07c.bat
Deletes the following files
  • %TEMP%\b07a.tmp\b07b.tmp\b07c.bat
Miscellaneous
Creates and executes the following
  • '<SYSTEM32>\cmd.exe' /c "%TEMP%\B07A.tmp\B07B.tmp\B07C.bat <Full path to file>"' (with hidden window)
Executes the following
  • '<SYSTEM32>\cmd.exe' /c "%TEMP%\B07A.tmp\B07B.tmp\B07C.bat <Full path to file>"
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SCPolicySvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SDRSVC" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\seclogon" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SEMgrSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SENS" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SensorDataService" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SensorService" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SensrSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SessionEnv" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\ScDeviceEnum" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Schedule" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\shpamsvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\smphost" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SNMPTRAP" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\sppsvc" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRV" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\ssh-agent" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\ShellHWDetection" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SCardSvr" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SamSs" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\RpcSs" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\p2pimsvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\p2psvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\PcaSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\PeerDistSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\PerfHost" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\PhoneSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\pla" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\PNRPAutoReg" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\nsi" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\PNRPsvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Power" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\PrintWorkflowUserSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\ProfSvc" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\PushToInstall" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\QWAVE" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\RasAuto" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\RasMan" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\RmSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\StateRepository" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\StorSvc" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\svsvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\wcncsvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WdiServiceHost" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WdiSystemHost" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WebClient" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Wecsvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WEPHOSTSVC" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\wercplsupport" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WerSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WFDSConMgrSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WbioSrvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Wcmsvc" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WiaRpc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WinRM" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WlanSvc" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\wlpasvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WManSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\wmiApSrv" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WpcMonSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WPDBusEnum" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WSearch" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\wbengine" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WarpJITSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WalletService" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SystemEventsBroker" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\TapiSrv" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Themes" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\TieringEngineService" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\TimeBrokerSvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\TokenBroker" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\TrkWks" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\TroubleshootingSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\tzautoupdate" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\swprv" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\UdkUserSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\upnphost" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\UserManager" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\VaultSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\vds" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\VSS" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\W32Time" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\UevAgentService" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\stisvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\NgcSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\COMSysApp" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\ConsentUxUserSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\CoreMessagingRegistrar" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\CredentialEnrollmentManagerUserSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\CscService" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\DcomLaunch" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\defragsvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\CertPropSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\DeviceAssociationBrokerSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\DevicePickerUserSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\DevicesFlowUserSvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\DevQueryBroker" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Dhcp" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\diagnosticshub.standardcollector.service" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\diagsvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\DispBrokerDesktopSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\DisplayEnhancementService" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\DmEnrollmentSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\DeviceAssociationService" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\DeviceInstall" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\CDPSvc" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\cbdhsvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\CaptureService" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\AJRouter" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\ALG" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\AppIDSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Appinfo" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\AppReadiness" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\AppVClient" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\AppXSvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\AssignedAccessManagerSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\AudioEndpointBuilder" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\AarSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Audiosrv" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\AxInstSV" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\BFE" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\BITS" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\BluetoothUserService" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\BrokerInfrastructure" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\BTAGService" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\BthAvctpSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\bthserv" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\camsvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\autotimesvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\dmwappushservice" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\DoSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\NetTcpPortSharing" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\dot3svc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\lltdsvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\lmhosts" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\LSM" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\LxpSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\MapsBroker" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\MessagingService" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\KtmRm" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\mpssvc" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\msiserver" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\NaturalAuthentication" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\NcaSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\NcbService" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\NcdAutoSetup" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Netman" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\netprofm" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\NetSetupSvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\MSDTC" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\MSiSCSI" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\KeyIso" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\IpxlatCfgSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\DsmSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\DsSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\DusmSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Eaphost" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\EFS" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\embeddedmode" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\EntAppSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\EventLog" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\EventSystem" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\fdPHost" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\DPS" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\FDResPub" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\FontCache" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\FontCache3.0.0.0" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\FrameServer" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\gpsvc" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\GraphicsPerfSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\hidserv" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\HvHost" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\icssvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\IKEEXT" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\InstallService" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\fhsvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\NgcCtnrSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WwanSvc" /v "Start" /t REG_DWORD /d "4" /f

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Free trial

 

Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

Free trial

 

Download Dr.Web

Download by serial number

Download on App Store

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

 

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Free trial

14 days

Download now
Get it on Google Play