TROJ_DROPPER.VVE
Trojan.Win32.Generic!BT (Sunbelt)
Windows 2000, Windows XP, Windows Server 2003
Threat Type:
Trojan
Destructiveness:
No
Encrypted:
In the wild::
Yes
OVERVIEW
Elimina archivos para impedir la ejecución correcta de programas y aplicaciones.
Este malware se elimina tras la ejecución.
TECHNICAL DETAILS
Técnica de inicio automático
Se registra como un servicio del sistema para garantizar su ejecución automática cada vez que se inicia el sistema mediante la introducción de las siguientes claves de registro:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaieSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynaSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynbSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsyncSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsyndSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsyneSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynfSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsyngSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynhSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsyniSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynjSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynkSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynlSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynmSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynnSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynoSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynpSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynqSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynrSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynsSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsyntSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynuSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynvSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynwSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynxSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynySvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynzSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsynaSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsynbSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsyncSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsyndSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsyneSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsynfSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsyngSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsynhSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsyniSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsynjSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsynkSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsynlSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsynmSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsynnSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsynoSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\XsynpSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakaSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakbSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakcSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakdSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakeSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakfSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakgSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakhSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakiSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakjSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakkSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaklSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakmSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaknSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakoSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakpSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakqSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakrSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaksSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaktSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakuSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakvSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakwSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakxSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakySvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WakzSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalaSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalbSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalcSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaldSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaleSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalfSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalgSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalhSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaliSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaljSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalkSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WallSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalmSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalnSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaloSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalpSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalqSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalrSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalsSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaltSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaluSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalvSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalwSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalxSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalySvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WalzSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamaSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WambSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamcSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamdSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WameSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamfSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamhSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamiSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamjSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamkSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamlSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WammSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamnSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamoSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WampSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamqSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamrSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamsSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamtSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamuSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamvSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamwSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamxSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamySvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WamzSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanaSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanbSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WancSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WandSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaneSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanfSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WangSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanhSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaniSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanjSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WankSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanlSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanmSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WannSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanoSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanpSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanqSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanrSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WansSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WantSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanuSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanvSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanwSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanxSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanySvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WanzSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaoaSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaobSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaocSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaodSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaoeSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaofSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaogSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaohSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaoiSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaojSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaokSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaolSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaomSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaonSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaooSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaopSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaoqSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WaorSvc
Otras modificaciones del sistema
Elimina los archivos siguientes:
- %Windows%\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.184.42718
- %Windows%\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.184.42734
- %User Profile%\v2.0.50727.42\security.config.cch.184.42859
- %System Root%\Tcpz-x86.sys
- %Windows%\SoftwareDistribution\DataStore\Logs\edbtmp.log
(Nota: %Windows% es la carpeta de Windows, que suele estar en C:\Windows o C:\WINNT).
. %User Profile% es la carpeta de perfil del usuario activo, que en el caso de Windows 98 y ME suele estar en C:\Windows\Profiles\{nombre de usuario}, en el caso de Windows NT en C:\WINNT\Profiles\{nombre de usuario} y en el caso de Windows 2000, XP y Server 2003 en C:\Documents and Settings\{nombre de usuario}).. %System Root% es la carpeta raíz, normalmente C:\. También es la ubicación del sistema operativo).)Agrega las siguientes entradas de registro como parte de la rutina de instalación:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Eventlog\Application\
Service1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
ESENT\Process\lib32waos
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
ESENT\Process\lib32waos\
DEBUG
HKEY_LOCAL_MACHINE\Software\Description\
Microsoft\Rpc\UuidTemporaryData
Agrega las siguientes entradas de registro:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\WaosSvc
Description = "{random characters}"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\WaosSvc
FailureActions = "{random values}"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Eventlog\Application\
Service1
EventMessageFile = "%Windows%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Description\
Microsoft\Rpc\UuidTemporaryData
NetworkAddress = "{random values}"
HKEY_LOCAL_MACHINE\SOFTWARE\Description\
Microsoft\Rpc\UuidTemporaryData
NetworkAddressLocal = "0"
Modifica las siguientes entradas de registro:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Eventlog\Application
Sources = "{random characters}"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Eventlog\Application\
ESENT
EventMessageFile = "%System%\ESENT.dll"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Eventlog\Application\
ESENT
CategoryMessageFile = "%System%\ESENT.dll"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Eventlog\Application\
ESENT
CategoryCount = "1"
(Note: The default value data of the said registry entry is 10.)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Eventlog\Application\
ESENT
TypesSupported = "7"
(Note: The default value data of the said registry entry is 7.)
Rutina de infiltración
Infiltra los archivos siguientes:
- mrwyAFH.exe
- lnquxEK.exe
Otros detalles
Este malware se elimina tras la ejecución.
SOLUTION
Step 1
Los usuarios de Windows ME y XP, antes de llevar a cabo cualquier exploración, deben comprobar que tienen desactivada la opción Restaurar sistema para permitir la exploración completa del equipo.
Step 2
Reiniciar en modo seguro
Step 3
Eliminar esta clave del Registro
Importante: si modifica el Registro de Windows incorrectamente, podría hacer que el sistema funcione mal de manera irreversible. Lleve a cabo este paso solo si sabe cómo hacerlo o si puede contar con ayuda de su administrador del sistema. De lo contrario, lea este artículo de Microsoft antes de modificar el Registro del equipo.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaieSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynaSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynbSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsyncSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsyndSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsyneSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynfSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsyngSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynhSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsyniSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynjSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynkSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynlSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynmSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynnSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynoSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynpSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynqSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynrSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynsSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsyntSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynuSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynvSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynwSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynxSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynySvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WsynzSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsynaSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsynbSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsyncSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsyndSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsyneSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsynfSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsyngSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsynhSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsyniSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsynjSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsynkSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsynlSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsynmSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsynnSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsynoSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- XsynpSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakaSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakbSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakcSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakdSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakeSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakfSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakgSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakhSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakiSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakjSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakkSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaklSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakmSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaknSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakoSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakpSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakqSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakrSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaksSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaktSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakuSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakvSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakwSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakxSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakySvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WakzSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalaSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalbSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalcSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaldSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaleSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalfSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalgSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalhSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaliSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaljSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalkSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WallSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalmSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalnSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaloSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalpSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalqSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalrSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalsSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaltSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaluSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalvSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalwSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalxSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalySvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WalzSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamaSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WambSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamcSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamdSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WameSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamfSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamhSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamiSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamjSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamkSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamlSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WammSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamnSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamoSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WampSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamqSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamrSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamsSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamtSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamuSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamvSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamwSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamxSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamySvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WamzSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanaSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanbSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WancSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WandSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaneSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanfSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WangSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanhSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaniSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanjSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WankSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanlSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanmSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WannSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanoSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanpSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanqSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanrSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WansSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WantSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanuSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanvSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanwSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanxSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanySvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WanzSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaoaSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaobSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaocSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaodSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaoeSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaofSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaogSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaohSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaoiSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaojSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaokSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaolSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaomSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaonSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaooSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaopSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaoqSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- WaorSvc
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application
- Service1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process
- lib32waos
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\lib32waos
- DEBUG
- In HKEY_LOCAL_MACHINE\Software\Description\Microsoft\Rpc
- UuidTemporaryData
Step 4
Eliminar este valor del Registro
Importante: si modifica el Registro de Windows incorrectamente, podría hacer que el sistema funcione mal de manera irreversible. Lleve a cabo este paso solo si sabe cómo hacerlo o si puede contar con ayuda de su administrador del sistema. De lo contrario, lea este artículo de Microsoft antes de modificar el Registro del equipo.
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WaosSvc
- Description = "{random characters}"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WaosSvc
- FailureActions = "{random values}"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Service1
- EventMessageFile = "%Windows%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData
- NetworkAddress = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData
- NetworkAddressLocal = "0"
Step 5
Restaurar este valor del Registro modificado
Importante: si modifica el Registro de Windows incorrectamente, podría hacer que el sistema funcione mal de manera irreversible. Lleve a cabo este paso solo si sabe cómo hacerlo o si puede contar con ayuda de su administrador del sistema. De lo contrario, lea este artículo de Microsoft antes de modificar el Registro del equipo.
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application
- From: Sources = "{random characters}"
To: Sources = ""{random values}""
- From: Sources = "{random characters}"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT
- From: EventMessageFile = "%System%\ESENT.dll"
To: EventMessageFile = ""{random values}""
- From: EventMessageFile = "%System%\ESENT.dll"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT
- From: CategoryMessageFile = "%System%\ESENT.dll"
To: CategoryMessageFile = ""{random values}""
- From: CategoryMessageFile = "%System%\ESENT.dll"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT
- From: CategoryCount = "1"
To: CategoryCount = ""10""
- From: CategoryCount = "1"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT
- From: TypesSupported = "7"
To: TypesSupported = ""7""
- From: TypesSupported = "7"
Step 6
Buscar y eliminar estos archivos
- mrwyAFH.exe
- lnquxEK.exe
Step 7
Reinicie en modo normal y explore el equipo con su producto de Trend Micro para buscar los archivos identificados como TROJ_DROPPER.VVE En caso de que el producto de Trend Micro ya haya limpiado, eliminado o puesto en cuarentena los archivos detectados, no serán necesarios más pasos. Puede optar simplemente por eliminar los archivos en cuarentena. Consulte esta página de Base de conocimientos para obtener más información.
Did this description help? Tell us how we did.