arrow_back
search
close

WORM_AUTORUN.ZMZ

October 08, 2012
 Analysis by: Roland Marco Dela Paz
 Modified by: jasperm
 ALIASES:

Symantec : Trojan.KillAV ; Microsoft : Trojan:Win32/Startpage.RH ; Kaspersky : Worm.Win32.AutoRun.hnv

 PLATFORM:

Windows 2000, XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Propagates via removable drives


This worm arrives by connecting affected removable drives to a system. It may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

It modifies the user's Internet Explorer home page into a certain website. This action allows the malware to point to a website which may contain malware, putting the affected computer at greater risk of malware infection.

  TECHNICAL DETAILS

File Size:

85,412 bytes

File Type:

PE

Memory Resident:

Yes

Initial Samples Received Date:

19 Jan 2011

Payload:

Terminates processes, Drops files

Arrival Details

This worm arrives by connecting affected removable drives to a system.

It may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops and executes the following files:

  • %Program Files%\Common Files\BOSC.dll - detected as SPYW_SPYMYPC

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

It drops the following copies of itself into the affected system:

  • %System Root%\VSPS\VSPS.exe
  • %System%\wduxopmdit\explorer.exe
  • %System%\dipklufmkj\smss.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It creates the following folders:

  • %System Root%\VSPS
  • %System%\wduxopmdit
  • %System%\dipklufmkj

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This worm enables its automatic execution at every system startup by dropping the following copies of itself into the Windows Common Startup folder:

  • axoigcwcrd.exe

Other System Modifications

This worm adds the following registry keys as part of its installation routine:

HKEY_CLASSES_ROOT\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}

It also creates the following registry entry(ies) as part of its installation routine:

HKEY_CLASSES_ROOT\exefile
NeverShowExt = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Associations
ModRiskFileTypes = .exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\StorageDevicePolicies
WriteProtect = 0

It modifies the following registry entries to hide files with Hidden attributes:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = 0

(Note: The default value data of the said registry entry is 1.)

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

  • {¸ßÇåÊÓƵ}.exe

Process Termination

This worm terminates the following processes if found running in the affected system's memory:

  • cmd.exe
  • netsh.exe
  • conime.exe
  • regedit.exe
  • wscript.exe
  • regsvr32.exe
  • rundll32.exe
  • wmiprvse.exe
  • ipconfig.exe

Web Browser Home Page and Search Page Modification

This worm modifies the user's Internet Explorer home page to the following websites:

  • http://www.sfc007.com/?Activex101

Other Details

This worm does the following:

  • It drops the following files which are links to the URL http://www.{BLOCKED}7.com/taobao.htm:
    • %User Profile%\Favorites\&çÍ·×ÍøÖ·µ¼º½&.url
    • %System Root%\Documents and Settings\All Users\Desktop\Intennet Exploner.lnk
    • %System Root%\Documents and Settings\All Users\Desktop\¸Ä±äÄãµÄÒ»Éú.url
    • %System Root%\Documents and Settings\All Users\Desktop\ÌÔ±¦¹ºÎïA.url
    • %System Root%\Documents and Settings\All Users\Desktop\Ãâ·ÑµçÓ°C.url
  • It also drops copies of itself in removable drives using names of the folders located on the said drives for their file names.
  • It deletes the following registry keys related to Safe mode:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
    Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
    SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}

  • It also creates registry entries for certain application names located under the following key to prevent these applications from executing:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Windows NT CurrentVersion\Image File Execution Options

  • Affected application keys are as follows:
    360Safe.exe
    360rpt.exe
    360safebox.exe
    360sd.exe
    360sdrun.exe
    360tray.exe
    799d.exe
    AST.exe
    AgentSvr.exe
    AntiU.exe
    AoYun.exe
    AppSvc32.exe
    ArSwp.exe
    ArSwp2.exe
    ArSwp3.exe
    AutoRun.exe
    AvMonitor.exe
    AvU3Launcher.exe
    AvastU3.exe
    CCenter.exe
    DSMain.exe
    Discovery.exe
    EGHOST.exe
    FTCleanerShell.exe
    FYFireWall.exe
    FileDsty.exe
    HijackThis.exe
    IceSword.exe
    Iparmor.exe
    KASMain.exe
    KASTask.exe
    KAV32.exe
    KAVDX.exe
    KAVPF.exe
    KAVPFW.exe
    KAVSetup.exe
    KISLnchr.exe
    KMFilter.exe
    KMailMon.exe
    KPFW32.exe
    KPFW32X.exe
    KPfwSvc.exe
    KRegEx.exe
    KRepair.com
    KSWebShield.exe
    KVCenter.kxp
    KVMonXP.kxp
    KVMonXP_1.kxp
    KVScan.kxp
    KVScan.kxp
    KVSrvXP.exe
    KVStub.kxp
    KVStub.kxp
    KWSMain.exe
    KWSUpd.exe
    KWatch.exe
    KWatch9x.exe
    KWatchX.exe
    KaScrScn.SCR
    KsLoader.exe
    KvDetect.exe
    KvReport.kxp
    KvXP.kxp
    KvXP.kxp
    KvXP_1.kxp
    KvXP_1.kxp
    KvfwMcl.exe
    MagicSet.exe
    NAVSetup.exe
    NPFMntor.exe
    Navapsvc.exe
    Navapw32.exe
    PFW.exe
    PFWLiveUpdate.exe
    QHSET.exe
    QQDoctor.exe
    QQDoctorMain.exe
    QQDoctorRtp.exe
    QQKav.exe
    QQPCMgr.exe
    QQPCRTP.exe
    QQPCSmashFile.exe
    QQPCTray.exe
    QQSC.exe
    Ras.exe
    Rav.exe
    RavMon.exe
    RavMonD.exe
    RavStub.exe
    RavTask.exe
    RegClean.exe
    RsAgent.exe
    RsTray.exe
    Rsaupd.exe
    SDGames.exe
    SREng.EXE
    SREng.exe
    SREngPS.EXE
    ScanFrm.exe
    ScanU3.exe
    SelfUpdate.exe
    SmartUp.exe
    SysSafe.exe
    TNT.Exe
    TNT.exe
    TrojDie.kxp
    TrojanDetector.exe
    Trojanwall.exe
    TxoMoU.Exe
    TxoMoU.exe
    UFO.exe
    UIHost.exe
    USBCleaner.exe
    UmxAgent.exe
    UmxAttachment.exe
    UmxCfg.exe
    UmxFwHlp.exe
    UmxPol.exe
    UpLive.exe
    WoptiClean.exe
    Wsyscheck.exe
    XDelBox.exe
    XP.exe
    adam.exe
    appdllman.exe
    atpup.exe
    auto.exe
    autoruns.exe
    av.exe
    avconsol.exe
    avgrssvc.exe
    avp.com
    avp.exe
    ccSvcHst.exe
    cross.exe
    filmst.exe
    ghost.exe
    guangd.exe
    iparmo.exe
    irsetup.exe
    isPwdSvc.exe
    jisu.exe
    kabaload.exe
    kavstart.exe
    kernelwind32.exe
    kissvc.exe
    knsd.exe
    knsdave.exe
    knsdtray.exe
    kvol.exe
    kvolself.exe
    kvupload.exe
    kvwsc.exe
    kwstray.exe
    loaddll.exe
    logogo.exe
    mcconsol.exe
    mmqczj.exe
    mmsk.exe
    niu.exe
    nod32.exe
    nod32krn.exe
    nod32kui.exe
    pagefile.exe
    pagefile.pif
    pfserver.exe
    qheart.exe
    qsetup.exe
    ravcopy.exe
    rfwProxy.exe
    rfwcfg.exe
    rfwmain.exe
    rfwsrv.exe
    rsnetsvr.exe
    rstrui.exe
    runiep.exe
    safeboxTray.exe
    safelive.exe
    scan32.exe
    servet.exe
    shcfg32.exe
    sos.exe
    stormii.exe
    sxgame.exe
    symlcsvc.exe
    tmp.exe
    upiea.exe
    vsstat.exe
    wbapp.exe
    webscanx.exe
    zhudongfangyu.exe
    zjb.exe
    zxsweep.exe
    ~.exe
  • The created entry contains the following data value:
    Debugger = "ntsd"
  • It redirects user to the URL http://www.{BLOCKED}7.com whenever the user tries to visit the following websites:
    • iq123.com
    • yijidh.com
    • 250dh.cn
    • 223.la
    • kuku123.com
    • 930930.com
    • 9123.com
    • hao123e.com
    • 020.com
    • youxi777.com
    • 1616.net
    • 1188.com
    • urldh.com
    • daohang.la
    • pp55.com
    • 9605.com
    • 05505.cn
    • 7055.net
    • 0056.com
    • 6655.com
    • 1166.com
    • 5kip.com
    • 114xia.com
    • 265dh.com
    • 3567.com
    • 6565.cn
    • 666t.com
    • 9223.com
    • dduu.com
    • hao123.cn
    • 5snow.com
    • 2523.com
    • 5599.net
    • tt98.com
    • zhaodao123.com
    • kuhao123.com
    • 5151la.net
    • 6h.com.cn
    • zeibi.com
    • 6e8e.com
    • th123.com
    • 9991.com
    • hao123ol.com
    • wu123.com
    • t220.cn
    • ttver.net
    • 188HI.com
    • go2000.com
    • 5igb.com
    • bb2000.net
    • 9wa.com
    • qq5.com
    • 365j.com
    • 7345.com
    • 2760.com
    • 361la.com
    • haojs.com
    • 5zd.com
    • i8866.com
    • 100wz.com
    • 114hi.com
    • 234.la
    • 657.com
    • 339.la
    • 365wz.net
    • 7792.com
    • 9495.com
    • dazuimao.com
    • 71314.com
    • 265.com
    • gouwo.com
    • huai456.com
    • ku256.com
    • my180.com
    • 2522.cn
    • 405.cn
    • 44244.com
    • 111dh.com
    • 115ku.com
    • 13387.com
    • 163yes.com
    • 256s.com
    • 2676.com
    • 3355.net
    • 365lo.com
    • 4168.com
    • 4545.cn
    • 4688.com
    • 566.net
    • 5666.net
    • 5733.com
    • 6461.cn
    • 7356.com
    • 800186.com
    • 85851.com
    • asp51.com
    • 361dh.com
    • 5566.net
    • yulinweb.com
    • 6296.com.cn
    • mianfeia.com
    • ai1234.com
    • k369.com
    • msncn.com
    • ss256.com
    • min513.com
    • 88-888.com
    • lggg.cn
    • 7771.cn
    • leeboo.com
    • jjol.cn
    • 5566.com
    • 9166.net
    • hao253.com
    • 7b.com.cn
    • haoei.com
    • 77114.com
    • 21310.cn
    • weiduomei.net
    • kk3000.cn
    • 7241.cn
    • 44384.com
    • daohang1234.com
    • 131.cc
    • 223224.com
    • 537.com
    • 9348.cn
    • bju123.cn
    • i4455.com
    • jia123.com
    • 0666.com.cn
    • 553.la
    • 5566.org
    • 37021.com
    • 88488.com
    • 99986.net
    • 37021.net
    • k986.com
    • cc62.com
    • 5518.cn
    • 55620.com
    • 52416.com
    • 7357.cn
    • 8c8c.net
    • 9999q.com
    • 123shi123.com
    • yl234.cn
    • 3322.com
    • hao222.com
    • 6313.com
    • f127.com
    • 5599cn.cn
    • 99499.com
    • 2548.cn
    • 133.net
    • ie30.com
    • 8751.com
    • se:home
    • haidaowan.net
    • 160dh.com
    • 114115.com
    • 1322.cn
    • hh361.com
    • 2800.cc
    • 52daohang.com
    • 186.me
    • diyidh.com
    • zaodezhu.com
    • 7832.com
    • 3073.com
    • 2058.cc
    • 3456.cc
    • 7771.com
    • q6789.com
    • 7k.cc
    • dianzi88.com
    • 7802.com
    • xinbut.com
    • 59688.com
    • gjj.cc
    • youla.com
    • ok1616.com
    • i2345.cn
    • gg8000.com
    • daohang12345.cn
    • inina.cn
    • dowei.com
    • 1515.net
    • 41119.cn
    • 21230.cn
    • 97youku.com
    • fast35.net
    • m32.cn
    • tom155.cn
    • 668yo.com
    • online.cq.cn
    • shagua.cn
    • 007247.cn
    • 603467.cn
    • 197326.cn
    • wwwoj.cn
    • xp22.cn
    • 84022.cn
    • 520593.cn
    • 448789.cn
    • 141321.cn
    • 36gggg.cn
    • 427842.cn
    • niubihao123.cn
    • ovooo.cn
    • rtys520.net
    • rtxzw.com
    • uurenti.cc
    • bo.dy288.com
    • renti11.com
    • 123.cd
    • 336655.com
    • 9978.net
    • 520.com
    • 6l.cn
    • 420.cn
    • v989.com
    • 16551.com
    • 2tvv.com
    • m4455.com
    • mylovewebs.com
    • 5987.net
    • 7999.com
    • caipopo.com
    • wndhw.com
    • henku123.com
    • qu123.com
    • 94176.com
    • u526.com
    • haokan123.com
    • uusee.net
    • 9733.com
    • 173com
    • qnrwz.com
    • 999w.com
    • h935.com
    • 33250.com
    • tz911.net
    • 639e.com
    • 920xx.cn
    • 13393.com
    • tncdh.com
    • sou185.com
    • 3566.cc
    • 580so.com
    • 2001.cc
    • hnhao123.com
    • zz5.net.cn
    • abc123.name
    • ekan123.com
    • 1266.cc
    • hao123.cc
    • 126.cc
    • ie1788.com
    • 58daohang.com
    • 6dh.com
    • 991.cn
    • 114la.me
    • 1133.cc
    • ads8.com
    • haoz.com
    • jsing.net
    • 123.sogou.com
    • 3321.com
    • 1155.cc
    • hao123.com
    • hao123.net
    • 6700.cn
    • 168.com
    • uu881.com
    • 6264.cn
    • 606600.com
    • 2345.com
    • 5607.cn
    • 1111116.com
    • v7799.com
    • ie7.com.cn
    • 365t.cc
    • 89679.com
    • se:blank
    • 35029.com
    • 8d9a.cn
    • 400zm.com
    • 58816.com
    • 727dh.cn
    • hao123w.com
    • 114td.com
    • 28101.cn
    • 03336.cn
    • 79001.cn
    • 133132.com
    • 3434.com.cn
    • 828dh.cn
    • 64500.cn
    • 22q.cc
    • jj77.com
    • vvyy.net
    • ie567.com
    • 5d5e.com
    • 212dh.cn
    • 911g.cn
    • 1616.la
    • tomatolei.com
    • 96nn.com
    • 5543.com
    • 2288i>3322.org
    • 9966.org
    • 8800.org
    • 8866.org
    • 7766.org
    • 22409.com
    • se-se.info
    • 26043.com
    • 34414.com
    • gaoav1.info
    • 0558114.com
    • 3333dh.cn
    • zjialin.com
    • 22dao.com
    • soupay.com
    • langlangdoor.com
    • 99cu.com
    • 5555dh.cn
    • wang123.net
    • hxdlink
    • haaoo123.com
    • 3645.com
    • hao123q.com
    • tvsooo.com
    • gaituba.com
    • 45566.net
    • 2298.cn
    • iexx.com
    • dh115.com
    • 97sp.cn
    • 39r.cn
    • f8f8.cn
    • 391kk.cn
    • 266.cc
    • jysoso.net
    • wg510.cn
    • 114d.org
    • ie3721.com
    • 2142.cn
    • go2000.cc
    • go2000.cn
    • 99521.com
    • yeooo.com
    • haha123.com
    • hao.360.cn
    • 07707.cn
    • yy2000.net
    • 1111118.com
    • 26281.com
    • 960dh.cn
    • 300.cc
    • 163333333.com.cn
    • kz300.cn
    • i3525.cn
    • 67881.net
    • t2t2.net
    • mm4000.cn
    • 669dh.cn
    • k58n.com
    • haoha123.com
    • ab99.com
    • i2255.com
    • 054.cc
    • fffggqq.cn
    • k2345.net
    • vv33.com
    • tuku6.com
    • mmpp654.com
    • 228dh.cn
    • seibb.com
    • 14164.com
    • 552dh.cn
    • hao969.com
    • lalamao.com
    • 21225.cn
    • 5k5.net
    • 65630.cn
    • at46.cn
    • 98928.cn
    • ads.eorezo.com
    • 661dh.cn
    • 6320.com
    • henbianjie.com
    • xiushe.com
    • 5mqxmq.com
    • 989228.com
    • i8844.cn
    • g1476.cn
    • 4j4j.cn
    • 1777zzw5.com
    • 989228.cn
    • henbucuo.com
    • 886dh.cn
    • 2255.net
    • 160yes.com
    • u8s.cn
    • 16711.com
    • 626dh.cn
    • rfwow.cn
    • baiyici.cn
    • lalamao.cn
    • 136s.com
    • huhuyy.cn
    • 8diq.com
    • d2fs.cn
    • 0229.com
    • yy4000.com
    • 9934.cn
    • 3883.net
    • 151dh.com
    • 26dh.cn
    • kkwwxx.com
    • t67.net
    • 29dao.cn
    • 58ju.com
    • dnc8.net
    • yl177.com.cn
    • xj.cn
    • 950990.cn
    • 114.com.cn
    • xxxip.cn
    • 3628.com
    • 265.cc
    • 26.la
    • 5654.com
    • zg115.com
    • 969dh.cn
    • 111555.com.cn
    • pic.jinti.com
    • kk8000.com
    • wokaokao.cn
    • duoxxppmmkoo.com
    • kanlink.cn
    • 91youa.com
    • shinia.cn
    • pp9pp9.cn
    • ma80.com
    • 556dh.cn
    • bu4.cn
    • 8555.com
    • e23.la
    • flash678.cn
    • yy4000.cn
    • wo333.com
    • mv700.com
    • xcwhgx.cn
    • 3s11.cn
    • sp16888.com
    • k7k7.com
    • zzw5.com
    • okdianying.com
    • 789bb.com
    • antuoo.com
    • so06.com
    • 665532.cn
    • 7f7f.com
    • k261.com
    • fanbaidu.org.cn
    • iu888.cn
    • 977k.com
    • 93w.com
    • 68566.com.cn
    • zhidao163.cn
    • it958.cn
    • lx8000.cn
    • sc.cn
    • ucuc.cc
    • kkdowns.com
    • 189189.com
    • 0002.com
    • 4737.cn
    • 226dh.cn
    • bb115.cn
    • 06000.cn
    • u87.cn
    • sohao123.com
    • k887.com
    • hao602.com
    • t7t7.net
    • ku4000.cn
    • v6677.cn
    • hong666.com
    • 4000a.com
    • kk4000.cn
    • 7767.com
    • 11227.cn
    • u9u9.net
    • 28113.cn
    • rr55.com
    • a4000.cn
    • yunfujkw.cn
    • 886.com
    • 2800.cer.cn
    • zyyu.com
    • 49la.com
    • hi3000.cn
    • sogouliulanqi.com
    • 888ge.com
    • 00333.cn
    • 29wz.com
    • soso126.com
    • 180wan.com
    • kan888.com
    • 4929.cn
    • v2233.com
    • m345.cn
    • tt265.net
    • 18ttt.com
    • 153.cc
    • 00664.cn
    • gugogo.com
    • kk4000.com
    • 185b.com
    • uuent.com
    • 6666dh.cn
    • 25dao.com
    • shangla.com
    • 77177.cn
    • about:blank
    • haoq123.com
    • baiduo.org
    • lejiu.net
    • dianxin.cn
    • u7758.com
    • dao234.com
    • 85692.com
    • xiaosb.com
    • soso313.cn
    • 939dh.com
    • 85952.com
    • 31346.com
    • 71528.com
    • 788dh.com
    • 91695.com
    • 5566x.com
    • 131u.com
    • 1149.cn
    • 9281.net
    • my115.net
    • 4119.cn
    • 9m1.net
    • dh818.com
    • iehwz.com
    • wa200.com
    • hao234.cc
    • 6781.com
    • 652dh.com
    • 16811.com
    • zhongshu.net
    • 992k.com
    • 71628.com
    • 6701.com
    • diyou.net
    • iehao123.com
    • laidao123.com
    • yinfen.net
    • wz4321.com
    • shangqu.info
    • 5121.net
    • 668g.com
    • 51150.com
    • 53ff.com
    • dada123.com
    • you2000.com
    • 884599.cn
    • kuaijiong.com
    • 398.cn
    • 32387.com
    • 82vv.com
    • 09tao.com
    • 977dh.com
    • 598.net
    • 211dh.com
    • 9365.info
    • wblive.com
    • e722.com
    • v232.com
    • 7400.net
    • 62106.com
    • ll4xi.com
    • 3932.com
    • puZeng.com
    • 97199.com
    • 447.cc
    • 0749.com
    • 6656.net
    • niebai.com
    • 447.com
    • uuchina.net
    • hao123cn.info
    • dao666.com
    • yidaba.com
    • 161111111.com
    • 009dh.com
    • qsxx.cn
    • geyuan.net
    • 8t8.net
    • xorg.pl
    • bij.pl
    • qqnz.com
    • srpkw.com
    • gggdu.com
    • baiduo.com
    • wys99.com
    • leilei.cc
    • 3633.net
    • fjta.com
    • so11.cn
    • 522dh.com
    • 9249.com
    • 3110.cn
    • 300cc.com
    • 7669.cn
    • 5c6.com
    • 7993.cn
    • 8336.cn
    • 03m.nt
    • ou33.com
    • bv0.net
    • 163333333.cn
    • 45575.com
    • 2637.cn
    • skyhouse.com.cn
    • 98453.com
    • 65642.net
    • 776la.com
    • 256.CC
    • 114king.cn
    • yyyqq.com
    • huhu123.com
    • gyyx.cn
    • 2888.me
    • 4444dh.cn
    • 191pk.com
    • 118.com
    • 57xswz.com
    • how18.cn
    • sohu12333333.com
    • xz26.com
    • 654v.com
    • 280580.cn
    • fjgqw.com
    • 49558.cn
    • pp8000.cn
    • 265it.com
    • soolaa.com
    • 9899.cn
    • 18143.com
    • haoxyz.com
    • 4555.net
    • 10du.net
    • 528988.com
    • wahahaha123.com
    • c256.cn
    • chinaih.com
    • mnv.cn
    • 633dh.com
    • ncjxx.com
    • 51721.net
    • 556w.com
    • 114cc.net
    • 5go.com.cn
    • pp4000.com
    • 8844.com
    • dd335.cn
    • qu163.net
    • itwenba.cn
    • dou2game.cn
    • h220.com
    • neng123.com
    • pleoc.cn
    • 6006.cc
    • 987654.com
    • 39903.com
    • ddoowwnn.cn
    • 788111.com
    • zhidao001.com
    • 5hao123.com
    • 978.la
    • 135968.cn
    • bb112.com
    • r220.cn
    • 365kong.com
    • woainame.cn
    • okgouwu.cn
    • hao006.com
    • jipinla.com
    • 99467.com
    • wawamm.cn
    • qian14.cn
    • ip27.cn
    • 56dh.cn
    • 2966.com
    • game333.net
    • kukuwz.com
    • 1-xiu.cn
    • 92hao123.com
    • lian9.cn
    • 222q.cn
    • jj98.com
    • 73vv.com
    • mubanw.com
    • t262.com
    • x1258.cn
    • weishi66.cn
    • hao990.com
    • 68la.com
    • sowang123.cn
    • 3929.cn
    • 5665.cn
    • 81sf.com
    • kz123.cn
    • qq806.cn
    • ffwyt.com
    • 46.com
    • 1155.com
    • 114la.com

  SOLUTION

Minimum Scan Engine:

8.900

VSAPI PATTERN File:

7.778.18

VSAPI PATTERN Date:

20 Jan 2011

VSAPI PATTERN Date:

1/20/2011 12:00:00 AM

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove malware files dropped/downloaded by WORM_AUTORUN.ZMZ

Step 3

Identify and terminate files detected as WORM_AUTORUN.ZMZ

[ Learn More ]
  1. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
  2. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

Step 4

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

 
  • In HKEY_CLASSES_ROOT\exefile
    • NeverShowExt = 1

Step 5

Restore this modified registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • From: ShowSuperHidden = 1
      To: ShowSuperHidden = 0

Step 6

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry. Before you could do this, you must restart in Safe Mode. For instructions on how to do this, you may refer to this page If the preceding step requires you to restart in safe mode, you may proceed to edit the system registry.

  • In HKEY_CLASSES_ROOT\CLSID
    • {F986CC17-37C0-4585-B7D9-15F2161F0584}
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
    • Associations
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
    • StorageDevicePolicies
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • 360Safe.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • 360rpt.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • 360safebox.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • 360sd.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • 360sdrun.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • 360tray.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • 799d.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • AST.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • AgentSvr.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • AntiU.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • AoYun.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • AppSvc32.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • ArSwp.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • ArSwp2.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • ArSwp3.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • AutoRun.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • AvMonitor.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • AvU3Launcher.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • AvastU3.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • CCenter.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • DSMain.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • Discovery.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • EGHOST.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • FTCleanerShell.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • FYFireWall.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • FileDsty.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • HijackThis.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • IceSword.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • Iparmor.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KASMain.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KASTask.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KAV32.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KAVDX.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KAVPF.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KAVPFW.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KAVSetup.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KISLnchr.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KMFilter.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KMailMon.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KPFW32.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KPFW32X.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KPfwSvc.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KRegEx.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KRepair.com
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KSWebShield.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KVCenter.kxp
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KVMonXP.kxp
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KVMonXP_1.kxp
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KVScan.kxp
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KVSrvXP.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KVStub.kxp
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KWSMain.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KWSUpd.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KWatch.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KWatch9x.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KWatchX.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KaScrScn.SCR
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KsLoader.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KvDetect.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KvReport.kxp
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KvXP.kxp
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KvXP_1.kxp
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • KvfwMcl.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • MagicSet.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • NAVSetup.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • NPFMntor.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • Navapsvc.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • Navapw32.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • PFW.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • PFWLiveUpdate.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • QHSET.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • QQDoctor.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • QQDoctorMain.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • QQDoctorRtp.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • QQKav.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • QQPCMgr.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • QQPCRTP.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • QQPCSmashFile.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • QQPCTray.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • QQSC.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • Ras.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • Rav.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • RavMon.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • RavMonD.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • RavStub.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • RavTask.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • RegClean.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • RsAgent.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • RsTray.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • Rsaupd.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • SDGames.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • SREng.EXE
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • SREngPS.EXE
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • ScanFrm.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • ScanU3.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • SelfUpdate.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • SmartUp.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • SysSafe.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • TNT.Exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • TrojDie.kxp
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • TrojanDetector.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • Trojanwall.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • TxoMoU.Exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • UFO.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • UIHost.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • USBCleaner.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • UmxAgent.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • UmxAttachment.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • UmxCfg.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • UmxFwHlp.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • UmxPol.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • UpLive.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • WoptiClean.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • Wsyscheck.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • XDelBox.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • XP.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • adam.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • appdllman.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • atpup.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • auto.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • autoruns.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • av.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • avconsol.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • avgrssvc.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • avp.com
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • avp.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • ccSvcHst.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • cross.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • filmst.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • ghost.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • guangd.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • iparmo.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • irsetup.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • isPwdSvc.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • jisu.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • kabaload.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • kavstart.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • kernelwind32.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • kissvc.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • knsd.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • knsdave.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • knsdtray.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • kvol.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • kvolself.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • kvupload.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • kvwsc.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • kwstray.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • loaddll.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • logogo.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • mcconsol.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • mmqczj.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • mmsk.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • niu.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • nod32.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • nod32krn.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • nod32kui.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • pagefile.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • pagefile.pif
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • pfserver.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • qheart.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • qsetup.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • ravcopy.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • rfwProxy.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • rfwcfg.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • rfwmain.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • rfwsrv.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • rsnetsvr.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • rstrui.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • runiep.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • safeboxTray.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • safelive.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • scan32.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • servet.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • shcfg32.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • sos.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • stormii.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • sxgame.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • symlcsvc.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • tmp.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • upiea.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • vsstat.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • wbapp.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • webscanx.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • zhudongfangyu.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • zjb.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • zxsweep.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • ~.exe

Step 7

Search and delete this file

[ Learn More ]
There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden files and folders in the search result.
%System Root%\Documents and Settings\All Users\Desktop\Intennet Exploner.lnk
%System Root%\Documents and Settings\All Users\Desktop\¸Ä±äÄãµÄÒ»Éú.url
%System Root%\Documents and Settings\All Users\Desktop\ÌÔ±¦¹ºÎïA.url
%System Root%\Documents and Settings\All Users\Desktop\Ãâ·ÑµçÓ°C.url
%User Profile%\Favorites\&çÍ·×ÍøÖ·µ¼º½&.url

Step 8

Search and delete these folders

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
%System Root%\VSPS
%System%\wduxopmdit
%System%\dipklufmkj

Step 9

Reset the Internet Explorer Home and Search pages

[ Learn More ]

Step 10

Restoring Deleted Registry Keys

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Control>SafeBoot>Minimal
  2. Right-click on the key and choose New>Key. Change the value of the new key to:
    {4D36E967-E325-11CE-BFC1-08002BE10318}
  3. Right-click on the value name and choose Modify. Change the value data of this entry to:
    DiskDrive
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Control>SafeBoot>Network
  5. Right-click on the key and choose New>Key. Change the value of the new key to:
    {4D36E967-E325-11CE-BFC1-08002BE10318}
  6. Right-click on the value name and choose Modify. Change the value data of this entry to:
    DiskDrive
  7. Close Registry Editor.

Step 11

Scan your computer with your Trend Micro product to delete files detected as WORM_AUTORUN.ZMZ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.