WORM_KILLAV.AB

 Analysis by: Michael Cabel

 ALIASES:

Symantec: Trojan.KillAV; Microsoft: Trojan:Win32/Startpage.RH

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This worm may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.

It modifies registry entries to hide files with System and Read-only attributes. It creates certain registry entries to disable applications related to security.

It drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names.

It modifies the affected system's HOSTS files. This prevents users from accessing certain websites.

  TECHNICAL DETAILS

File Size:

83,083 bytes

File Type:

PE

Memory Resident:

Yes

Initial Samples Received Date:

18 Feb 2011

Arrival Details

This worm may be downloaded by other malware/grayware/spyware from remote sites.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following component file(s):

  • %Program Files%\Common Files\BOSC.dll - detected as SPYW_SPYMYPC

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

It drops the following non-malicious files:

  • %All Users%\Desktop\Intennet Exploner.lnk
  • %All Users%\Desktop\改变你的一生.url
  • %All Users%\Desktop\淘宝购物A.url
  • %All Users%\Desktop\免费电影C.url
  • %User Profile%\Favorites\&缤纷网址导航&.url

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It drops the following copies of itself into the affected system:

  • %System Root%\VSPS\VSPS.exe
  • %Startup%\juahwcsweo.exe
  • %System%\qdlajbhqqq\explorer.exe
  • %System%\mohquqcbsv\smss.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It creates the following folders:

  • %System%\qdlajbhqqq
  • %System Root%\VSPS
  • %System%\mohquqcbsv

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_CLASSES_ROOT\exefile
NeverShowExt = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
HideDesktopIcons\NewStartPanel
{871C5380-42A0-1069-A2EA-08002B30309D} = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Associations
ModRiskFileTypes = ".exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\StorageDevicePolicies
WriteProtect = 0

It adds the following registry keys as part of its installation routine:

HKEY_CLASSES_ROOT\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Desktop\NameSpace\{F986CC17-37C0-4585-B7D9-15F2161F0584}

It modifies the following registry entries to hide files with System and Read-only attributes:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = 0

(Note: The default value data of the said registry entry is 1.)

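It creates registry entries to disable applications related to security. For each targeted executable it sets Debugger = "ntsd -d" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{executable name}, so Windows launches that debugger command in place of the named program.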

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal\
{4D36E967-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Network\
{4D36E967-E325-11CE-BFC1-08002BE10318}
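
The registry changes above can be checked offline against a `reg export` of a suspect machine. The following triage script is an added example, not part of the original report: it parses .reg text and flags Image File Execution Options `Debugger` values, a `NeverShowExt` value on `exefile`, and missing SafeBoot disk-class keys. The sample export, the `example.exe` entry and the finding labels are constructed for illustration.

```python
import re

# Registry locations named in the report above.
IFEO = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
        r"\CurrentVersion\Image File Execution Options")
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
DISK_CLASS = "{4D36E967-E325-11CE-BFC1-08002BE10318}"
EXEFILE = r"HKEY_CLASSES_ROOT\exefile"

# A value line in a .reg export: "Name"=data, or @=data for the default value.
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _decode(data):
    """Decode REG_DWORD and REG_SZ data; other types are kept as raw text."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
    return data


def parse_reg(text):
    """Parse .reg text (already decoded; reg.exe writes UTF-16) into
    {key path, lowercased: {value name, lowercased: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        match = VALUE_LINE.match(line)
        if match and current is not None:
            name = "" if match.group(1) == "@" else match.group(1)[1:-1]
            current[name.lower()] = _decode(match.group(2))
    return keys


def audit(text):
    """Return a list of (finding, subject, detail) tuples."""
    keys = parse_reg(text)
    findings = []

    # 1. Any IFEO subkey carrying a Debugger value. Legitimate tools also use
    #    this mechanism, so the data is reported for the analyst to judge.
    prefix = IFEO.lower() + "\\"
    for path in sorted(keys):
        if path.startswith(prefix) and "debugger" in keys[path]:
            findings.append(
                ("ifeo-debugger", path[len(prefix):], keys[path]["debugger"]))

    # 2. NeverShowExt on exefile; flagged whenever the value is present.
    exefile = keys.get(EXEFILE.lower(), {})
    if "nevershowext" in exefile:
        findings.append(
            ("exe-extension-hidden", "exefile", exefile["nevershowext"]))

    # 3. SafeBoot disk-class keys. Only reported as missing when the export
    #    actually covers that SafeBoot branch, to avoid false alarms on
    #    partial exports.
    for mode in ("Minimal", "Network"):
        parent = f"{SAFEBOOT}\\{mode}".lower()
        child = f"{parent}\\{DISK_CLASS}".lower()
        covered = any(k == parent or k.startswith(parent + "\\") for k in keys)
        if covered and child not in keys:
            findings.append(("safeboot-key-missing", mode, DISK_CLASS))
    return findings


# Constructed sample export for demonstration.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe]
"GlobalFlag"=dword:00000200

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"NeverShowExt"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

Subjects are reported in lower case because registry key names are case-insensitive.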

Propagation

This worm drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names.

HOSTS File Modification

This worm modifies the affected system's HOSTS files to prevent a user from accessing certain websites.

  • 21225.cn
  • 5k5.net
  • 65630.cn
  • at46.cn
  • 98928.cn
  • ads.eorezo.com
  • 661dh.cn
  • 6320.com
  • henbianjie.com
  • xiushe.com
  • 5mqxmq.com
  • 989228.com
  • i8844.cn
  • g1476.cn
  • 4j4j.cn
  • 1777zzw5.com
  • 989228.cn
  • henbucuo.com
  • 886dh.cn
  • 2255.net
  • 160yes.com
  • u8s.cn
  • 16711.com
  • 626dh.cn
  • rfwow.cn
  • baiyici.cn
  • lalamao.cn
  • 136s.com
  • huhuyy.cn
  • 8diq.com
  • d2fs.cn
  • 0229.com
  • yy4000.com
  • 9934.cn
  • 3883.net
  • 151dh.com
  • 26dh.cn
  • kkwwxx.com
  • t67.net
  • 29dao.cn
  • 58ju.com
  • dnc8.net
  • yl177.com.cn
  • xj.cn
  • 950990.cn
  • 114.com.cn
  • xxxip.cn
  • 3628.com
  • 265.cc
  • 26.la
  • 5654.com
  • zg115.com
  • 969dh.cn
  • 111555.com.cn
  • pic.jinti.com
  • kk8000.com
  • wokaokao.cn
  • duoxxppmmkoo.com
  • kanlink.cn
  • 91youa.com
  • shinia.cn
  • pp9pp9.cn
  • ma80.com
  • 556dh.cn
  • bu4.cn
  • 8555.com
  • e23.la
  • flash678.cn
  • yy4000.cn
  • wo333.com
  • mv700.com
  • xcwhgx.cn
  • 3s11.cn
  • sp16888.com
  • k7k7.com
  • zzw5.com
  • okdianying.com
  • 789bb.com
  • antuoo.com
  • so06.com
  • 665532.cn
  • 7f7f.com
  • k261.com
  • fanbaidu.org.cn
  • iu888.cn
  • 977k.com
  • 93w.com
  • 68566.com.cn
  • zhidao163.cn
  • it958.cn
  • lx8000.cn
  • sc.cn
  • ucuc.cc
  • kkdowns.com
  • 189189.com
  • 0002.com
  • 4737.cn
  • 226dh.cn
  • bb115.cn
  • 06000.cn
  • u87.cn
  • sohao123.com
  • k887.com
  • hao602.com
  • t7t7.net
  • ku4000.cn
  • v6677.cn
  • hong666.com
  • 4000a.com
  • kk4000.cn
  • 7767.com
  • 11227.cn
  • u9u9.net
  • 28113.cn
  • rr55.com
  • a4000.cn
  • yunfujkw.cn
  • 886.com
  • 2800.cer.cn
  • zyyu.com
  • 49la.com
  • hi3000.cn
  • sogouliulanqi.com
  • 888ge.com
  • 00333.cn
  • 29wz.com
  • soso126.com
  • 180wan.com
  • kan888.com
  • 4929.cn
  • v2233.com
  • m345.cn
  • tt265.net
  • 18ttt.com
  • 153.cc
  • 00664.cn
  • gugogo.com
  • kk4000.com
  • 185b.com
  • uuent.com
  • 6666dh.cn
  • 25dao.com
  • shangla.com
  • 77177.cn
  • about:blank
  • haoq123.com
  • baiduo.org
  • lejiu.net
  • dianxin.cn
  • u7758.com
  • dao234.com
  • 85692.com
  • xiaosb.com
  • soso313.cn
  • 939dh.com
  • 85952.com
  • 31346.com
  • 71528.com
  • 788dh.com
  • 91695.com
  • 5566x.com
  • 131u.com
  • 1149.cn
  • 9281.net
  • my115.net
  • 4119.cn
  • 9m1.net
  • dh818.com
  • iehwz.com
  • wa200.com
  • hao234.cc
  • 6781.com
  • 652dh.com
  • 16811.com
  • zhongshu.net
  • 992k.com
  • 71628.com
  • 6701.com
  • diyou.net
  • iehao123.com
  • laidao123.com
  • yinfen.net
  • wz4321.com
  • shangqu.info
  • 5121.net
  • 668g.com
  • 51150.com
  • 53ff.com
  • dada123.com
  • you2000.com
  • 884599.cn
  • kuaijiong.com
  • 398.cn
  • 32387.com
  • 82vv.com
  • 09tao.com
  • 977dh.com
  • 598.net
  • 211dh.com
  • 9365.info
  • wblive.com
  • e722.com
  • v232.com
  • 7400.net
  • 62106.com
  • ll4xi.com
  • 3932.com
  • puZeng.com
  • 97199.com
  • 447.cc
  • 0749.com
  • 6656.net
  • niebai.com
  • 447.com
  • uuchina.net
  • hao123cn.info
  • dao666.com
  • 9813.org
  • 91kk.com
  • freedh.info
  • yidaba.com
  • 161111111.com
  • 009dh.com
  • qsxx.cn
  • geyuan.net
  • 8t8.net
  • xorg.pl
  • bij.pl
  • qqnz.com
  • srpkw.com
  • gggdu.com
  • baiduo.com
  • wys99.com
  • leilei.cc
  • 3633.net
  • fjta.com
  • so11.cn
  • 522dh.com
  • 9249.com
  • 3110.cn
  • 300cc.com
  • 7669.cn
  • 5c6.com
  • 7993.cn
  • 8336.cn
  • 03m.net
  • ou33.com
  • bv0.net
  • 163333333.cn
  • 45575.com
  • 2637.cn
  • skyhouse.com.cn
  • 98453.com
  • 65642.net
  • 776la.com
  • 256.CC
  • 114king.cn
  • yyyqq.com
  • huhu123.com
  • gyyx.cn
  • 2888.me
  • 4444dh.cn
  • 191pk.com
  • 118.com
  • 57xswz.com
  • how18.cn
  • sohu12333333.com
  • xz26.com
  • 654v.com
  • 280580.cn
  • fjgqw.com
  • 49558.cn
  • pp8000.cn
  • 265it.com
  • soolaa.com
  • 9899.cn
  • 18143.com
  • haoxyz.com
  • 4555.net
  • 10du.net
  • 528988.com
  • wahahaha123.com
  • c256.cn
  • chinaih.com
  • mnv.cn
  • 633dh.com
  • ncjxx.com
  • 51721.net
  • 556w.com
  • 114cc.net
  • 5go.com.cn
  • pp4000.com
  • 8844.com
  • dd335.cn
  • qu163.net
  • itwenba.cn
  • dou2game.cn
  • h220.com
  • neng123.com
  • pleoc.cn
  • 6006.cc
  • 987654.com
  • 39903.com
  • ddoowwnn.cn
  • 788111.com
  • zhidao001.com
  • 5hao123.com
  • 978.la
  • 135968.cn
  • bb112.com
  • r220.cn
  • 365kong.com
  • woainame.cn
  • okgouwu.cn
  • hao006.com
  • jipinla.com
  • 99467.com
  • wawamm.cn
  • qian14.cn
  • ip27.cn
  • 56dh.cn
  • 2966.com
  • game333.net
  • kukuwz.com
  • 1-xiu.cn
  • 92hao123.com
  • lian9.cn
  • 222q.cn
  • jj98.com
  • 73vv.com
  • mubanw.com
  • t262.com
  • x1258.cn
  • weishi66.cn
  • hao990.com
  • 68la.com
  • sowang123.cn
  • 3929.cn
  • 5665.cn
  • 81sf.com
  • kz123.cn
  • qq806.cn
  • ffwyt.com

  SOLUTION

Minimum Scan Engine:

8.900

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove malware files dropped/downloaded by WORM_KILLAV.AB

    SPYW_SPYMYPC

Step 3

Terminate the process file/s detected as WORM_KILLAV.AB

*Note: If the detected file/s is/are not displayed in the Windows Task Manager, continue doing the next steps.

Step 4

Delete this registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

 
  • In HKEY_CLASSES_ROOT\exefile
    • NeverShowExt = 1
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
    • WriteProtect = 0
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
    • ModRiskFileTypes = .exe
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
    • {871C5380-42A0-1069-A2EA-08002B30309D} = 1

Step 5

Restore this modified registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • From: ShowSuperHidden = 0
      To: 1

Step 6

Delete this registry key

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry. Before you can do this, you must restart in Safe Mode. For instructions on how to do this, you may refer to this page. If the preceding step requires you to restart in safe mode, you may proceed to edit the system registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • 360Safe.exe
    • 360rpt.exe
    • 360safebox.exe
    • 360sd.exe
    • 360sdrun.exe
    • 360tray.exe
    • 799d.exe
    • AST.exe
    • AgentSvr.exe
    • AntiU.exe
    • AoYun.exe
    • AppSvc32.exe
    • ArSwp.exe
    • ArSwp2.exe
    • ArSwp3.exe
    • AutoRun.exe
    • AvMonitor.exe
    • AvU3Launcher.exe
    • AvastU3.exe
    • CCenter.exe
    • DSMain.exe
    • Discovery.exe
    • EGHOST.exe
    • FTCleanerShell.exe
    • FYFireWall.exe
    • FileDsty.exe
    • HijackThis.exe
    • IceSword.exe
    • Iparmor.exe
    • KASMain.exe
    • KASTask.exe
    • KAV32.exe
    • KAVDX.exe
    • KAVPF.exe
    • KAVPFW.exe
    • KAVSetup.exe
    • KISLnchr.exe
    • KMFilter.exe
    • KMailMon.exe
    • KPFW32.exe
    • KPFW32X.exe
    • KPfwSvc.exe
    • KRegEx.exe
    • KRepair.com
    • KSWebShield.exe
    • KVCenter.kxp
    • KVMonXP.kxp
    • KVMonXP_1.kxp
    • KVScan.kxp
    • KVSrvXP.exe
    • KVStub.kxp
    • KWSMain.exe
    • KWSUpd.exe
    • KWatch.exe
    • KWatch9x.exe
    • KWatchX.exe
    • KaScrScn.SCR
    • KsLoader.exe
    • KvDetect.exe
    • KvReport.kxp
    • KvXP.kxp
    • KvXP_1.kxp
    • KvfwMcl.exe
    • MagicSet.exe
    • NAVSetup.exe
    • NPFMntor.exe
    • Navapsvc.exe
    • Navapw32.exe
    • PFW.exe
    • PFWLiveUpdate.exe
    • QHSET.exe
    • QQDoctor.exe
    • QQDoctorMain.exe
    • QQDoctorRtp.exe
    • QQKav.exe
    • QQPCMgr.exe
    • QQPCRTP.exe
    • QQPCSmashFile.exe
    • QQPCTray.exe
    • QQSC.exe
    • Ras.exe
    • Rav.exe
    • RavMon.exe
    • RavMonD.exe
    • RavStub.exe
    • RavTask.exe
    • RegClean.exe
    • RsAgent.exe
    • RsTray.exe
    • Rsaupd.exe
    • SDGames.exe
    • SREng.EXE
    • SREngPS.EXE
    • ScanFrm.exe
    • ScanU3.exe
    • SelfUpdate.exe
    • SmartUp.exe
    • SysSafe.exe
    • TNT.Exe
    • TrojDie.kxp
    • TrojanDetector.exe
    • Trojanwall.exe
    • TxoMoU.Exe
    • UFO.exe
    • UIHost.exe
    • USBCleaner.exe
    • UmxAgent.exe
    • UmxAttachment.exe
    • UmxCfg.exe
    • UmxFwHlp.exe
    • UmxPol.exe
    • UpLive.exe
    • WoptiClean.exe
    • Wsyscheck.exe
    • XDelBox.exe
    • XP.exe
    • adam.exe
    • appdllman.exe
    • atpup.exe
    • auto.exe
    • autoruns.exe
    • av.exe
    • avconsol.exe
    • avgrssvc.exe
    • avp.com
    • avp.exe
    • ccSvcHst.exe
    • cross.exe
    • filmst.exe
    • ghost.exe
    • guangd.exe
    • iparmo.exe
    • irsetup.exe
    • isPwdSvc.exe
    • jisu.exe
    • kabaload.exe
    • kavstart.exe
    • kernelwind32.exe
    • kissvc.exe
    • knsd.exe
    • knsdave.exe
    • knsdtray.exe
    • kvol.exe
    • kvolself.exe
    • kvupload.exe
    • kvwsc.exe
    • kwstray.exe
    • loaddll.exe
    • logogo.exe
    • mcconsol.exe
    • mmqczj.exe
    • mmsk.exe
    • niu.exe
    • nod32.exe
    • nod32krn.exe
    • nod32kui.exe
    • pagefile.exe
    • pagefile.pif
    • pfserver.exe
    • qheart.exe
    • qsetup.exe
    • ravcopy.exe
    • rfwProxy.exe
    • rfwcfg.exe
    • rfwmain.exe
    • rfwsrv.exe
    • rsnetsvr.exe
    • rstrui.exe
    • runiep.exe
    • safeboxTray.exe
    • safelive.exe
    • scan32.exe
    • servet.exe
    • shcfg32.exe
    • sos.exe
    • stormii.exe
    • sxgame.exe
    • symlcsvc.exe
    • tmp.exe
    • upiea.exe
    • vsstat.exe
    • wbapp.exe
    • webscanx.exe
    • zhudongfangyu.exe
    • zjb.exe
    • zxsweep.exe
    • ~.exe

Step 7

Restoring Deleted Registry Keys

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>SafeBoot>Minimal
  2. Right-click on the key and choose New>Key. Change the name of the new key to:
    {4D36E967-E325-11CE-BFC1-08002BE10318}
  3. Right-click on the value name and choose Modify. Change the value data of this entry to:
    DiskDrive
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>SafeBoot>Network
  5. Right-click on the key and choose New>Key. Change the name of the new key to:
    {4D36E967-E325-11CE-BFC1-08002BE10318}
  6. Right-click on the value name and choose Modify. Change the value data of this entry to:
    DiskDrive
  7. Close Registry Editor.
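
The registry state that Steps 4 to 7 ask you to inspect can be collected in one read-only pass before opening Registry Editor. The PowerShell script below is an added example, not part of the original write-up or of any vendor tool; the helper names (Get-RegData, New-Finding), the short $listed sample of Step 6 names and the extra Debugger check are assumptions made for illustration, and it uses only PowerShell 2.0 syntax.

```powershell
# Added example: read-only audit of the registry state named in Steps 4-7.
# Nothing is modified; review the findings before editing the registry.

function Get-RegData {
    param([string]$Key, [string]$Name)
    # Returns the value data, or $null when the key or the value is absent.
    $k = Get-Item -LiteralPath "Registry::$Key" -ErrorAction SilentlyContinue
    if ($null -eq $k) { return $null }
    return $k.GetValue($Name, $null)
}

function New-Finding {
    param($Step, $Key, $Name, $Data, $Action)
    New-Object PSObject -Property @{
        Step = $Step; Key = $Key; Name = $Name; Data = $Data; Action = $Action
    }
}

$findings = @()
$cv = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion'

# Step 4: values to delete (key, value name, data as listed on the page).
$step4 = @(
    @('HKEY_CLASSES_ROOT\exefile', 'NeverShowExt', '1'),
    @('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies', 'WriteProtect', '0'),
    @("$cv\Policies\Associations", 'ModRiskFileTypes', '.exe'),
    @("$cv\Explorer\HideDesktopIcons\NewStartPanel", '{871C5380-42A0-1069-A2EA-08002B30309D}', '1')
)
foreach ($e in $step4) {
    $data = Get-RegData $e[0] $e[1]
    if ($null -ne $data) {
        $action = 'review: data differs from the page'
        if ("$data" -eq $e[2]) { $action = 'delete value' }
        $findings += New-Finding 4 $e[0] $e[1] $data $action
    }
}

# Step 5: ShowSuperHidden = 0 hides protected operating system files.
$adv = "$cv\Explorer\Advanced"
$ssh = Get-RegData $adv 'ShowSuperHidden'
if ($null -ne $ssh -and "$ssh" -eq '0') {
    $findings += New-Finding 5 $adv 'ShowSuperHidden' $ssh 'set to 1'
}

# Step 6: Image File Execution Options subkeys.
# $listed holds a few names from the Step 6 list; append the rest from the page.
$ifeo = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$listed = @('360Safe.exe', 'HijackThis.exe', 'IceSword.exe', 'autoruns.exe', 'avp.exe', 'rstrui.exe')
foreach ($sub in Get-ChildItem -LiteralPath "Registry::$ifeo" -ErrorAction SilentlyContinue) {
    $name = $sub.PSChildName
    # Assumption: a Debugger value makes Windows start that program instead of
    # the named image, so any subkey carrying one is worth a look even when
    # its name is not in $listed.
    $dbg = $sub.GetValue('Debugger', $null)
    if ($listed -contains $name) {
        $findings += New-Finding 6 "$ifeo\$name" 'Debugger' $dbg 'delete key'
    } elseif ($null -ne $dbg) {
        $findings += New-Finding 6 "$ifeo\$name" 'Debugger' $dbg 'review: not in $listed'
    }
}

# Step 7: SafeBoot keys that must exist with default value DiskDrive.
$guid = '{4D36E967-E325-11CE-BFC1-08002BE10318}'
foreach ($mode in 'Minimal', 'Network') {
    $key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\$guid"
    $def = Get-RegData $key ''          # '' reads the key's (Default) value
    if ("$def" -ne 'DiskDrive') {
        $findings += New-Finding 7 $key '(Default)' $def 'recreate key, default value DiskDrive'
    }
}

if ($findings.Count -eq 0) {
    'None of the registry changes from Steps 4-7 were found.'
} else {
    $findings | Select-Object Step, Action, Key, Name, Data | Format-List
}
```

Run it from an elevated prompt in the affected user's session, since Steps 4 and 5 refer to HKEY_CURRENT_USER.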

Step 8

Remove these strings added by the malware/grayware/spyware in the HOSTS file


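The HOSTS cleanup in Step 8 can be scripted instead of edited by hand. The following is an added example, not part of the original write-up: the function name clean_hosts, the two ".example" domains (stand-ins for the domains this step names) and the 127.0.0.1 address in the sample are assumptions constructed for illustration.

```python
# Constructed stand-ins for the domains this step names (not the page's list).
BLOCKED = {"portal-one.example", "Nav-Two.example"}

# Constructed sample HOSTS content; the 127.0.0.1 mapping is an assumption.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       portal-one.example
127.0.0.1 www.NAV-TWO.example intranet.corp.example   # mixed line
10.0.0.5        fileserver.corp.example
"""

def clean_hosts(text, blocked):
    """Return (cleaned_text, removed_names) with blocked host names stripped."""
    blocked = {d.lower().rstrip(".") for d in blocked}

    def is_blocked(name):
        name = name.lower().rstrip(".")
        # Match the domain itself or any subdomain of it (www.<domain>, ...).
        return any(name == d or name.endswith("." + d) for d in blocked)

    kept_lines, removed = [], []
    for line in text.splitlines():
        body, sep, comment = line.partition("#")
        fields = body.split()
        if len(fields) < 2:                  # blank, comment-only or malformed
            kept_lines.append(line)
            continue
        address, names = fields[0], fields[1:]
        bad = [n for n in names if is_blocked(n)]
        if not bad:
            kept_lines.append(line)          # untouched lines keep their formatting
            continue
        removed.extend(bad)
        good = [n for n in names if not is_blocked(n)]
        if good:                             # keep legitimate names on a mixed line
            rebuilt = address + "\t" + " ".join(good)
            kept_lines.append(rebuilt + ("\t#" + comment if sep else ""))
    return "\n".join(kept_lines) + "\n", removed

if __name__ == "__main__":
    cleaned, removed = clean_hosts(SAMPLE_HOSTS, BLOCKED)
    print(cleaned)
    print("removed:", removed)
```

Run it against a copy of the HOSTS file and review the removed names before replacing the original.
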
Step 9

Search and delete these folders

Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden folders in the search result.
  • %System%\qdlajbhqqq
  • %System Root%\VSPS
  • %System%\mohquqcbsv

Step 10

Search and delete these files

There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %All Users%\Desktop\Intennet Exploner.lnk
  • %All Users%\Desktop\¸Ä±äÄãµÄÒ»Éú.url
  • %All Users%\Desktop\ÌÔ±¦¹ºÎïA.url
  • %All Users%\Desktop\Ãâ·ÑµçÓ°C.url
  • %User Profile%\Favorites\&çÍ·×ÍøÖ·µ¼º½&.url

Step 11

Scan your computer with your Trend Micro product to delete files detected as WORM_KILLAV.AB. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
