WORM_AUTORUN.GYF
PLATFORM:
Windows 2000, Windows XP, Windows Server 2003
OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:
Threat Type: Worm
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It disables Task Manager, Registry Editor, and Folder Options. It modifies registry entries to hide files with System and Read-only attributes.
It drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
It modifies the user's Internet Explorer home page into a certain website. This action allows the malware to point to a website which may contain malware, putting the affected computer at greater risk of malware infection. It modifies the user's Internet Explorer search page into a certain website. This action allows the malware to point to a website which may contain malware, putting the affected computer at greater risk of malware infection.
It modifies the affected system's HOSTS files. This prevents users from accessing certain websites.
TECHNICAL DETAILS
File Size: 66,560 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 03 Nov 2011
Arrival Details
This worm arrives via removable drives.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following copies of itself into the affected system:
- %User Profile%\{Random Characters}\winlogon.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)
It creates the following folders:
- %User Profile%\{Random Characters}
(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Random Characters} = "%User Profile%\{Random Characters}\winlogon.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{Random Characters} = "%User Profile%\{Random Characters}\winlogon.exe"
Other System Modifications
This worm adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\AppCompatFlags\
Layers
%User Profile%\{Random Characters}\winlogon.exe = "RUNASADMIN"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
{Application Name}
Debugger = ""%User Profile%\{Random Characters}\winlogon.exe""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows Script Host\Settings
Enabled = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\WindowsFirewall\DomainProfile
EnableFirewall = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\WindowsFirewall\StandardProfile
EnableFirewall = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\WindowsUpdate\
AU
NoAutoRebootWithLoggedOnUsers = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
DisableNotifications = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
DoNotAllowExceptions = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile
EnableFirewall = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DisableNotifications = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DoNotAllowExceptions = 0
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Download
RunInvalidSignatures = 1
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Default_Search_URL = "http://25hpuq24qnn61t8.directorio-w.com"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Default_Page_URL = "http://82c04i133wv5dz1.directorio-w.com"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Associations
LowRiskFileTypes = ".exe"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoRun = 1
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoFile = 1
HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\AppCompatFlags\
Layers
%User Profile%\{Random Characters}\winlogon.exe = "RUNASADMIN"
HKEY_CURRENT_USER\Software\Policies\
Microsoft\Internet Explorer\Control Panel
HomePage = 1
HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows\System
DisableCMD = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UacDisableNotify = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiSpyWareDisableNotify = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AutoUpdateDisableNotify = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
cval = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
InternetSettingsDisableNotify = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Monitoring
DisableMonitoring = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Monitoring\SymantecAntiVirus
DisableMonitoring = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Monitoring\SymantecFirewall
DisableMonitoring = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusDisableNotify = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusOverride = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallDisableNotify = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallOverride = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirstRunDisabled = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UpdatesDisableNotify = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UacDisableNotify = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiSpywareOverride = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer
NoFolderOptions = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
ConsentPromptBehaviorAdmin = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
PromptOnSecureDesktop = 1
It modifies the following registry key(s)/entry(ies) as part of its installation routine:
HKEY_CLASSES_ROOT\ftp\shell\
open\command
(Default) = ""%Program Files%\Internet Explorer\iexplore.exe""
(Note: The default value data of the said registry entry is ""%Program Files%\Internet Explorer\iexplore.exe" %1".)
HKEY_CLASSES_ROOT\http\shell\
open\command
(Default) = ""%Program Files%\Internet Explorer\iexplore.exe""
(Note: The default value data of the said registry entry is ""%Program Files%\Internet Explorer\iexplore.exe" -nohome".)
HKEY_CLASSES_ROOT\https\shell\
open\command
(Default) = ""%Program Files%\Internet Explorer\iexplore.exe""
(Note: The default value data of the said registry entry is ""%Program Files%\Internet Explorer\iexplore.exe" -nohome".)
HKEY_CURRENT_USER\Control Panel\Sound
Beep = "no"
(Note: The default value data of the said registry entry is "yes".)
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Download
CheckExeSignatures = "no"
(Note: The default value data of the said registry entry is "yes".)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
Start = 4
(Note: The default value data of the said registry entry is 2.)
It creates the following registry entry(ies) to disable Task Manager, Registry Tools and Folder Options:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = 1
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = 1
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoFolderOptions = 1
It modifies the following registry entries to hide files with System and Read-only attributes:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = 2
(Note: The default value data of the said registry entry is 1.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = 3
(Note: The default value data of the said registry entry is 0.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = 0
(Note: The default value data of the said registry entry is 1.)
It creates the following registry entry(ies) to bypass Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%User Profile%\{Random Characters}\winlogon.exe = "%User Profile%\{Random Characters}\winlogon.exe:*:Enabled:@xpsp2res.dll,-7895004"
Where {application name} may be any of the following:
- BullGuard.exe
- ChromeSetup.exe
- ComboFix.exe
- Diskmon.exe
- EHttpSrv.exe
- FPAVServer.exe
- Filemon.exe
- FirewallControlPanel.exe
- FirewallSettings.exe
- GenericRenosFix.exe
- GoogleToolbarInstaller_download_signed.exe
- HJTInstall.exe
- HelpPane.exe
- HiJackThis.exe
- HostsChk.exe
- IEDFix.exe
- MSASCui.exe
- Netscape.exe
- Opera_964_int_Setup.exe
- Process.exe
- Procmon.exe
- Regmon.exe
- Restart.exe
- Safari.exe
- SandboxieBITS.exe
- SandboxieCrypto.exe
- SandboxieDcomLaunch.exe
- SandboxieRpcSs.exe
- SandboxieWUAU.exe
- SbieCtrl.exe
- SbieSvc.exe
- SmitfraudFix.exe
- SrchSTS.exe
- UCCLSID.exe
- UI0Detect.exe
- UserAccountControlSettings.exe
- VACFix.exe
- WS2Fix.exe
- WerFault.exe
- _avp.exe
- _avp32.exe
- _avpcc.exe
- _avpm.exe
- _findviru.exe
- a2servic.exe
- ackwin32.exe
- acs.exe
- advxdwin.exe
- agentsvr.exe
- agentw.exe
- ahnsd.exe
- alerter.exe
- alertsvc.exe
- alogserv.exe
- amon.exe
- amon9x.exe
- anti-trojan.exe
- antigen.exe
- antivirus.exe
- ants.exe
- apimonitor.exe
- aplica32.exe
- apvxdwin.exe
- ashWebSv.exe
- atcon.exe
- atguard.exe
- atro55en.exe
- atupdater.exe
- atwatch.exe
- aupdate.exe
- autodown.exe
- autotrace.exe
- autoupdate.exe
- avcenter.exe
- avconfig.exe
- avconsol.exe
- ave32.exe
- avgcc32.exe
- avgctrl.exe
- avgemc.exe
- avgnt.exe
- avgserv.exe
- avgserv9.exe
- avguard.exe
- avgw.exe
- avkpop.exe
- avkserv.exe
- avkservice.exe
- avkwcl9.exe
- avkwctl9.exe
- avnotify.exe
- avnt.exe
- avp.exe
- avp32.exe
- avpcc.exe
- avpdos32.exe
- avpexec.exe
- avpinst.exe
- avpm.exe
- avpmon.exe
- avpnt.exe
- avptc32.exe
- avpupd.exe
- avrescue.exe
- avscanavshadow.exe
- avsched32.exe
- avsynmgr.exe
- avupgsvc.exe
- avwebloader.exe
- avwin95.exe
- avwinnt.exe
- avwsc.exe
- avwupd32.exe
- avxmonitor9x.exe
- avxmonitornt.exe
- avxquar.exe
- avxw.exe
- azonealarm.exe
- bd_professional.exe
- bidef.exe
- bidserver.exe
- bipcp.exe
- bipcpevalsetup.exe
- bisp.exe
- blackd.exe
- blackice.exe
- boot.exe
- bootwarn.exe
- borg2.exe
- bs120.exe
- callmsi.exe
- ccapp.exe
- ccevtmgr.exe
- cclaw.exe
- ccpxysvc.exe
- ccsetmgr.exe
- ccshtdwn.exe
- cdp.exe
- cfgwiz.exe
- cfiadmin.exe
- cfiaudit.exe
- cfind.exe
- cfinet.exe
- cfinet32.exe
- clamauto.exe
- claw95.exe
- claw95cf.exe
- claw95ct.exe
- clean.exe
- cleaner.exe
- cleaner3.exe
- cleanpc.exe
- cmd.exe
- cmgrdian.exe
- cmon016.exe
- connectionmonitor.exe
- cpd.exe
- cpdclnt.exe
- cpf.exe
- cpf9x206.exe
- cpfnt206.exe
- csinject.exe
- csinsm32.exe
- css1631.exe
- ctfmon.exe
- ctrl.exe
- cv.exe
- cwnb181.exe
- cwntdwmo.exe
- defalert.exe
- defscangui.exe
- defwatch.exe
- deputy.exe
- doors.exe
- dpf.exe
- drvins32.exe
- drwatson.exe
- drweb32.exe
- dumphive.exe
- dv95.exe
- dv95_o.exe
- dvp95.exe
- dvp95_0.exe
- earthagent.exe
- ecengine.exe
- ecls.exe
- ecmd.exe
- edi.exe
- efinet32.exe
- efpeadm.exe
- egui.exe
- ekrn.exe
- ent.exe
- esafe.exe
- escanh95.exe
- escanhnt.exe
- escanv95.exe
- espwatch.exe
- etrustcipe.exe
- evpn.exe
- ewido.exe
- exantivirus-cnet.exe
- exit.exe
- expert.exe
- explored.exe
- f-agnt95.exe
- f-prot.exe
- f-prot95.exe
- f-stopw.exe
- fa-setup.exe
- fact.exe
- fameh32.exe
- fast.exe
- fch32.exe
- fih32.exe
- findviru.exe
- firewall.exe
- fix-it.exe
- flowprotector.exe
- fnrb32.exe
- fp-win.exe
- fp-win_trial.exe
- fprot.exe
- fprot95.exe
- frw.exe
- fsaa.exe
- fsav.exe
- fsav32.exe
- fsav530stbyb.exe
- fsav530wtbyb.exe
- fsav95.exe
- fsave32.exe
- fsgk32.exe
- fslaunch.exe
- fsm32.exe
- fsma32.exe
- fsmb32.exe
- fssm32.exe
- fwenc.exe
- fwinstall.exe
- gbmenu.exe
- gbpoll.exe
- generics.exe
- gibe.exe
- gpedit.exe
- guard.exe
- guarddog.exe
- guardgui.exe
- guardhlp.exe
- hacktracersetup.exe
- hidec.exe
- htlog.exe
- hwpe.exe
- iamapp.exe
- iamserv.exe
- iamstats.exe
- ibmasn.exe
- ibmavsp.exe
- icload95.exe
- icloadnt.exe
- icmon.exe
- icmoon.exe
- icssuppnt.exe
- icsupp.exe
- icsupp95.exe
- icsuppnt.exe
- iface.exe
- ifw2000.exe
- iomon98.exe
- iparmor.exe
- iris.exe
- isrv95.exe
- jammer.exe
- jed.exe
- jedi.exe
- kav8.0.0.357es.exe
- kavlite40eng.exe
- kavpers40eng.exe
- kavsvc.exe
- kerio-pf-213-en-win.exe
- kerio-wrl-421-en-win.exe
- kerio-wrp-421-en-win.exe
- killprocesssetup161.exe
- kis8.0.0.506latam.exe
- kpf.exe
- kpfw32.exe
- ldnetmon.exe
- ldpro.exe
- ldpromenu.exe
- ldscan.exe
- licmgr.exe
- localnet.exe
- lockdown.exe
- lockdown2000.exe
- lookout.exe
- lsetup.exe
- luall.exe
- luau.exe
- lucomserver.exe
- luinit.exe
- luspt.exe
- mbam.exe
- mbamgui.exe
- mbamservice.exe
- mcagent.exe
- mcmnhdlr.exe
- mcshield.exe
- mctool.exe
- mcuimgr.exe
- mcupdate.exe
- mcvsrte.exe
- mcvsshld.exe
- mdll.exe
- mfw2en.exe
- mfweng3.02d30.exe
- mgavrtcl.exe
- mgavrte.exe
- mghtml.exe
- mgui.exe
- minilog.exe
- monitor.exe
- monsys32.exe
- monsysnt.exe
- monwow.exe
- moolive.exe
- mpfagent.exe
- mpfservice.exe
- mpftray.exe
- mrflux.exe
- msblast.exe
- msconfig.exe
- msinfo32.exe
- msn.exe
- mspatch.exe
- mssmmc32.exe
- mu0311ad.exe
- mwatch.exe
- mxtask.exe
- n32scan.exe
- n32scanw.exe
- nai_vs_stat.exe
- nav32_loader.exe
- nav80try.exe
- navap.exe
- navapsvc.exe
- navapw32.exe
- navauto-protect.exe
- navdx.exe
- naveng.exe
- navengnavex15.exe
- navex15.exe
- navlu32.exe
- navnt.exe
- navrunr.exe
- navsched.exe
- navstub.exe
- navw.exe
- navw32.exe
- navwnt.exe
- nc2000.exe
- ncinst4.exe
- nd98spst.exe
- ndd32.exe
- ndntspst.exe
- neomonitor.exe
- neowatchlog.exe
- netarmor.exe
- netcfg.exe
- netinfo.exe
- netmon.exe
- netscanpro.exe
- netspyhunter-1.2.exe
- netstat.exe
- netutils.exe
- nisserv.exe
- nisum.exe
- nmain.exe
- nod32.exe
- normist.exe
- norton_internet_secu_3.0_407.exe
- notstart.exe
- npf40_tw_98_nt_me_2k.exe
- npfmessenger.exe
- nprotect.exe
- npscheck.exe
- npssvc.exe
- nsched32.exe
- ntdetect.exe
- ntrtscan.exe
- ntxconfig.exe
- nui.exe
- nupdate.exe
- nupgrade.exe
- nvapsvc.exe
- nvarch16.exe
- nvc95.exe
- nvlaunch.exe
- nvsvc32.exe
- nwinst4.exe
- nwservice.exe
- nwtool16.exe
- offguard.exe
- ogrc.exe
- opera.exe
- ostronet.exe
- outpost.exe
- outpostinstall.exe
- outpostproinstall.exe
- padmin.exe
- panixk.exe
- pathping.exe
- pavcl.exe
- pavproxy.exe
- pavsched.exe
- pavw.exe
- pcc2002s902.exe
- pcc2k_76_1436.exe
- pccclient.exe
- pccguide.exe
- pcciomon.exe
- pccmain.exe
- pccntmon.exe
- pccpfw.exe
- pccwin97.exe
- pccwin98.exe
- pcdsetup.exe
- pcfwallicon.exe
- pcip10117_0.exe
- pcscan.exe
- pcscanpdsetup.exe
- penis32.exe
- periscope.exe
- persfw.exe
- perswf.exe
- pev.exe
- pf2.exe
- pfwadmin.exe
- ping.exe
- pingscan.exe
- platin.exe
- pop3trap.exe
- poproxy.exe
- popscan.exe
- portdetective.exe
- portmon.exe
- portmonitor.exe
- ppinupdt.exe
- pptbc.exe
- ppvstop.exe
- prckiller.exe
- processmonitor.exe
- procexp.exe
- procexplorerv1.0.exe
- programauditor.exe
- proport.exe
- protectx.exe
- pspf.exe
- purge.exe
- pview.exe
- pview95.exe
- qconsole.exe
- qserver.exe
- rapapp.exe
- rav.exe
- rav7.exe
- rav7win.exe
- rav8win32eng.exe
- realmon.exe
- regedit.exe
- regedt32.exe
- rescue.exe
- rescue32.exe
- route.exe
- routemon.exe
- rrguard.exe
- rshell.exe
- rstrui.exe
- rtvscn95.exe
- rulaunch.exe
- safeweb.exe
- sbserv.exe
- scan32.exe
- scan95.exe
- scanpm.exe
- sched.exe
- schedapp.exe
- scrscan.exe
- scvhosl.exe
- sd.exe
- sdclt.exe
- serv95.exe
- setup_flowprotector_us.exe
- setupvameeval.exe
- sgssfw32.exe
- sh.exe
- sharedaccess.exe
- shellspyinstall.exe
- shn.exe
- smc.exe
- sofi.exe
- spf.exe
- sphinx.exe
- spider.exe
- spysweeper.exe
- spyxx.exe
- srwatch.exe
- ss3edit.exe
- st2.exe
- supftrl.exe
- supporter5.exe
- sweep.exe
- sweep95.exe
- sweepnet.exe
- sweepsrv.sys.exe
- swnetsup.exe
- swreg.exe
- swsc.exe
- swxcacls.exe
- symproxysvc.exe
- symtray.exe
- sysdoc32.exe
- syshelp.exe
- taskkill.exe
- tasklist.exe
- taskmgr.exe
- taskmon.exe
- taumon.exe
- tauscan.exe
- tbscan.exe
- tc.exe
- tca.exe
- tcm.exe
- tcpsvs32.exe
- tds-3.exe
- tds2-98.exe
- tds2-nt.exe
- tds2.exe
- tfak.exe
- tfak5.exe
- tftpd.exe
- tgbob.exe
- titanin.exe
- titaninxp.exe
- tmlisten.exe
- tmntsrv.exe
- tracerpt.exe
- tracert.exe
- trjscan.exe
- trjsetup.exe
- trojantrap3.exe
- undoboot.exe
- unzip.exe
- update.exe
- vbcmserv.exe
- vbcons.exe
- vbust.exe
- vbwin9x.exe
- vbwinntw.exe
- vccmserv.exe
- vcleaner.exe
- vcontrol.exe
- vcsetup.exe
- vet32.exe
- vet95.exe
- vet98.exe
- vettray.exe
- vfsetup.exe
- vir-help.exe
- virusmdpersonalfirewall.exe
- vmsrvc.exe
- vnlan300.exe
- vnpc3000.exe
- vpc32.exe
- vpc42.exe
- vpcmap.exe
- vpfw30s.exe
- vptray.exe
- vscan.exe
- vscan40.exe
- vscenu6.02d30.exe
- vsched.exe
- vsecomr.exe
- vshwin32.exe
- vsisetup.exe
- vsmain.exe
- vsmon.exe
- vsscan40.exe
- vsstat.exe
- vswin9xe.exe
- vswinntse.exe
- vswinperse.exe
- vvstat.exe
- w32dsm89.exe
- w9x.exe
- watchdog.exe
- webscan.exe
- webscanx.exe
- webtrap.exe
- wfindv32.exe
- wgfe95.exe
- whoswatchingme.exe
- wimmun32.exe
- wingate.exe
- winhlpp32.exe
- wink.exe
- winmgm32.exe
- winppr32.exe
- winrecon.exe
- winroute.exe
- winservices.exe
- winsfcm.exe
- wmias.exe
- wmiav.exe
- wnt.exe
- wradmin.exe
- wrctrl.exe
- wsbgate.exe
- wuauclt.exe
- wyvernworksfirewall.exe
- xpf202en.exe
- xscan.exe
- zapro.exe
- zapsetup3001.exe
- zatutor.exe
- zatutorzauinst.exe
- zauinst.exe
- zlh.exe
- zonalarm.exe
- zonalm2601.exe
- zonealarm.exe
Propagation
This worm drops copies of itself in all removable drives.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
;{Garbage Characters}
[autorun]
;{Garbage Characters}
open=Sl0zPz1458syhXV8z54flEE05yzL4uFQe3F\S-1-3-01-4631104401-7414418267-104546834-1055\uIaU3k3kzmh4Otjy73o.exe
;{Garbage Characters}
icon=%SystemRoot%\system32\SHELL32.dll,4
;{Garbage Characters}
action=Abrir la carpeta para ver los archivos
;{Garbage Characters}
shell\open=Open
;{Garbage Characters}
shell\open\command=Sl0zPz1458syhXV8z54flEE05yzL4uFQe3F\S-1-3-01-4631104401-7414418267-104546834-1055\uIaU3k3kzmh4Otjy73o.exe
;{Garbage Characters}
shell\open\default=1
;{Garbage Characters}
shell\open\default=1
;{Garbage Characters}
Web Browser Home Page and Search Page Modification
This worm modifies the user's Internet Explorer home page to the following websites:
- http://u1n15y543n9k6hp.directorio-w.com
- http://x4ndyy9498p1206.directorio-w.com
It modifies the user's Internet Explorer search engine into the following websites:
- http://5538d19dc60vfxv.directorio-w.com
HOSTS File Modification
This worm modifies the affected system's HOSTS files to prevent a user from accessing the following websites:
- {BLOCKED}8.247.79 www.pandasecurity.com
- {BLOCKED}8.247.79 go.mcafee.com
- {BLOCKED}.240.135 malwarecity.netmalwarecity.org
- {BLOCKED}.240.135 download4.emsisoft.com
- {BLOCKED}.240.135 www.antiy.net
- {BLOCKED}.240.135 45pounds.com
- {BLOCKED}3.155.0 www.esafe.com
- {BLOCKED}4.161.131 smbstore.trendmicro.com
- {BLOCKED}4.161.131 sophos.com
- {BLOCKED}6.250.109 www.globalhauri.com
- {BLOCKED}6.250.109 seasonsecurity.com
- {BLOCKED}3.83.127 www.npin.co.kr
- {BLOCKED}0.76.184 archive.bitdefender.com
- {BLOCKED}0.76.184 www.emsisoft.net
- {BLOCKED}0.76.184 lists.clamav.net
- {BLOCKED}0.76.184 fortinet.com
- {BLOCKED}0.76.184 natsko.com
- {BLOCKED}.165.41 www.iseclab.org
- {BLOCKED}8.179.236 chickensroamfree.com
- {BLOCKED}8.179.236 kaspersky.com
- {BLOCKED}9.253.180 antivirus.sunbeltsoftware.com
- {BLOCKED}9.253.180 go.trendmicro.com
- {BLOCKED}.100.232 download5.emsisoft.com
- {BLOCKED}.100.232 linux.bitdefender.com
- {BLOCKED}.100.232 ribbonwarehouse.com
- {BLOCKED}.100.232 www.ahnlab.com
- {BLOCKED}8.175.107 www.engyro.com
- {BLOCKED}.161.168 www.secure-elements.com
- {BLOCKED}.161.168 new-partners.drweb.com
- {BLOCKED}.1.21 kioskea.net
- {BLOCKED}.82.96 www.hxproduction.com
- {BLOCKED}.82.96 www.bitdefende.de
- {BLOCKED}.82.96 www.barder.com
- {BLOCKED}.82.96 www.ikarus.at
- {BLOCKED}.157.228 www.exchangeyourcareer.com
- {BLOCKED}0.253.148 network.drweb.com
- {BLOCKED}0.253.148 www.fortinet.ch
- {BLOCKED}1.4.92 www.trendmicro.com
- {BLOCKED}3.93.69 anubis.iseclab.org
- {BLOCKED}7.37 canada.karuna-shechen.org
- {BLOCKED}7.37 www.bitdefender.com.au
- {BLOCKED}7.37 www.professorbeyer.com
- {BLOCKED}7.37 www.norman.com
- {BLOCKED}7.37 buscafacil.com
- {BLOCKED}91.30 tecniservicioslys.com
- {BLOCKED}92.237 mop.pandasecurity.com
- {BLOCKED}92.237 nai.com
- {BLOCKED}106.150 virusfreezone.info
- {BLOCKED}187.157 cacomvip.ca.com
- {BLOCKED}194.33 jp.trendmicro.com
- {BLOCKED}194.33 www.freerav.com
- {BLOCKED}116.217 together.pctools.com
- {BLOCKED}116.217 www.mcafee.at
- {BLOCKED}109.85 www.antivirus-tools.com
- {BLOCKED}109.85 www.gokidding.com
- {BLOCKED}109.85 www.f-secure.com
- {BLOCKED}109.85 www.willsee.com
- {BLOCKED}102.22 fortinet.co.at
- {BLOCKED}102.22 drweb.com
- {BLOCKED}8.198 viruschief.com
- {BLOCKED}23.206 latin.bitdefender.com
- {BLOCKED}23.206 www.emsisoft.com
- {BLOCKED}23.206 www.mamutu.de
- {BLOCKED}23.206 www.smf.org
- {BLOCKED}8.149 cou85.com
- {BLOCKED}94.2 global.jiangmin.com
- {BLOCKED}94.2 secure.av-desk.com
- {BLOCKED}01.201 marian.symantec.com
- {BLOCKED}115.254 www.contentverification.com
- {BLOCKED}115.254 scan.anti-trojan.net
- {BLOCKED}115.254 buy.bitdefender.de
- {BLOCKED}115.254 rising-global.com
- {BLOCKED}115.254 www.2xlgames.com
- {BLOCKED}34.179 www.tecniservicioslys.com
- {BLOCKED}190.129 www.nprotect.com
- {BLOCKED}.16.43 configurarequipos.com
- {BLOCKED}30.50 usa.kaspersky.com
- {BLOCKED}30.50 drwebinside.com
- {BLOCKED}.37.182 housecall60.trendmicro.com
- {BLOCKED}.37.182 www.retento.com
- {BLOCKED}.207.46 www.bitdefender.fr
- {BLOCKED}.207.46 www.authentium.com
- {BLOCKED}.207.46 www.sophos.com
- {BLOCKED}.207.46 authentium.com
- {BLOCKED}.207.46 welkam.co.jp
- {BLOCKED}.214.177 reg.eset.es
- {BLOCKED}.200.170 updates.drweb.com
- {BLOCKED}.200.170 fortilog.com
- {BLOCKED}.40.91 www.jotti.org
- {BLOCKED}.122.166 www.cambridge-steiner-school.co.uk
- {BLOCKED}.122.166 www.sunbeltsoftware.com
- {BLOCKED}.122.166 asap.authentium.com
- {BLOCKED}.122.166 www.bitdefender.hk
- {BLOCKED}.122.166 avast.com
- {BLOCKED}.197.42 www.eugrantsadvisor.com
- {BLOCKED}36.219 products.drweb.com
- {BLOCKED}36.219 www.fortiid.com
- {BLOCKED}111.94 sun.symantec.com
- {BLOCKED}214.214 www.internationalservicecheck.com
- {BLOCKED}214.214 www.stadiumpage.com
- {BLOCKED}214.214 nl.bitdefender.com
- {BLOCKED}214.214 www.avg.com
- {BLOCKED}132.139 www.scan4you.net
- {BLOCKED}33.90 www.microsoft.com
- {BLOCKED}33.90 www.prevx1.com
- {BLOCKED}.115.4 www.softfaq.com
- {BLOCKED}128.11 support.drweb.com
- {BLOCKED}128.11 www.virus.fi
- {BLOCKED}135.142 search.symantec.com
- {BLOCKED}.43.131 www.ca.com
- {BLOCKED}.124.138 networkassociates.com
- {BLOCKED}.124.138 biz.nprotect.com
- {BLOCKED}50.195 www.rising-global.com
- {BLOCKED}50.195 www.bitdefender.es
- {BLOCKED}50.195 bobbondart.com
- {BLOCKED}50.195 ruben.bzin.net
- {BLOCKED}50.195 antiy.net
- {BLOCKED}.207.52 esecurity.livecall.co.kr
- {BLOCKED}.207.52 ibusca.me
- {BLOCKED}.227.190 go.symantec.com
- {BLOCKED}.32.59 www.flairweddings.co.uk
- {BLOCKED}.32.59 www.comodoantispam.com
- {BLOCKED}.32.59 bitdefender.org
- {BLOCKED}.32.59 kaspersky.com
- {BLOCKED}.32.59 mamutu.com
- {BLOCKED}.210.55 firewall.sunbeltsoftware.com
- {BLOCKED}.210.55 shop.trendmicro.com
- {BLOCKED}.135.179 support.mcafee.com
- {BLOCKED}.135.179 www.aks.com
- {BLOCKED}.56.107 neunet.orgnews.bitdefender.com
- {BLOCKED}.56.107 www.hackshields.com
- {BLOCKED}.56.107 roysephotos.com
- {BLOCKED}.56.107 www.avast.com
- {BLOCKED}.231.32 static.yoreparo.com
- {BLOCKED}131.239 eugrantsadvisor.de
- {BLOCKED}.213.220 www.mygeekside.com
- {BLOCKED}227.159 company.drweb.com
- {BLOCKED}227.159 www.fortinet.com
- {BLOCKED}46.103 www.sunbeltsoftware.com
- {BLOCKED}46.103 store.trendmicro.com
- {BLOCKED}.209.24 training.drweb.com
- {BLOCKED}.209.24 arwww.fortinet.cz
- {BLOCKED}148.155 us.bitdefender.com
- {BLOCKED}148.155 www.aladdin.com
- {BLOCKED}148.155 www.owen.org
- {BLOCKED}148.155 pvtc.org
- {BLOCKED}223.31 15660808.co.kr
- {BLOCKED}.49.201 www.threatexpert.com
- {BLOCKED}.69.83 education.symantec.com
- {BLOCKED}.131.20 www.anti-trojan-software.net
- {BLOCKED}.131.20 ixostore.ixomodels.com
- {BLOCKED}.131.20 backup.comodo.com
- {BLOCKED}.131.20 bitdefender.com
- {BLOCKED}.131.20 jiangmin.com
- {BLOCKED}.52.203 vos.symantec.com
- {BLOCKED}.233.72 internetsecurity.comodo.com
- {BLOCKED}.233.72 frisk-software.com
- {BLOCKED}.223.68 onlinecheck.emsisoft.com
- {BLOCKED}.223.68 bitdefenderusa.com
- {BLOCKED}.223.68 pandasecurity.com
- {BLOCKED}.223.68 www.trustix.com
- {BLOCKED}.223.68 bestofewan.com
- {BLOCKED}.73.249 virusbuster.hu
- {BLOCKED}.229.199 exchangeyourcareer.net
- {BLOCKED}9.120 www.fortinet.com
- {BLOCKED}9.120 store.drweb.com
- {BLOCKED}56.113 scanner.novirusthanks.org
- {BLOCKED}144.252 eval.symantec.com
- {BLOCKED}144.252 www.vba.com.by
- {BLOCKED}.52.240 forum.kaspersky.com
- {BLOCKED}.52.240 daniloff.net
- {BLOCKED}247.48 www.nottinghampoetryseries.com
- {BLOCKED}247.48 avx.rob-have.net
- {BLOCKED}247.48 www.emsisoft.it
- {BLOCKED}247.48 bugs.clamav.net
- {BLOCKED}247.48 gdata.es
- {BLOCKED}65.247 eos.eset.es
- {BLOCKED}.148.161 spycheck.es
- {BLOCKED}.196 www.pichincha.com
- {BLOCKED}.196 pichincha.com
- {BLOCKED}.229.236 www.deborahshelton.net
- {BLOCKED}.229.236 www.bitdefender.de
- {BLOCKED}.229.236 elblogdemanu.com
- {BLOCKED}.229.236 www.prevx.com
- {BLOCKED}.229.236 antivir.es
- {BLOCKED}168.44 www4.symantec.com
- {BLOCKED}.150.164 esupport.trendmicro.com
- {BLOCKED}.150.164 superboy2010.com.au
- {BLOCKED}.144.33 i-vault.comodo.com
- {BLOCKED}.144.33 www.f-prot.com
- {BLOCKED}.65.216 www.bitdefender-es.com
- {BLOCKED}.65.216 www.wellgousa.com
- {BLOCKED}.65.216 www.jiangmin.com
- {BLOCKED}.65.216 www.antivir.es
- {BLOCKED}.239.209 www.virusbuster.hu
- {BLOCKED}.239.209 www.inicioid.com
- {BLOCKED}.72.160 spywarefiles.prevx.com
- {BLOCKED}.72.160 privacy.microsoft.com
- {BLOCKED}.242.212 enterprisesecur.symantec.com
- {BLOCKED}.242.212 bg.virusblokada.com
- {BLOCKED}.168.13 fsecure.nlwebyard.com
- {BLOCKED}.168.13 www.nsclean.com
- {BLOCKED}154.74 www.virus.org
- {BLOCKED}150.201 www.kaspersky.com
- {BLOCKED}150.201 www.freedrweb.ru
- {BLOCKED}.89.9 futurenow.bitdefender.com
- {BLOCKED}.89.9 onlinecheck.emsisoft.net
- {BLOCKED}.89.9 online-backup.comodo.com
- {BLOCKED}.89.9 trackingtheworld.com
- {BLOCKED}.89.9 symantec.com
- {BLOCKED}64.140 cybercrime.pandasecurity.com
- {BLOCKED}64.140 jp.mcafee.com
- {BLOCKED}246.54 intranet.cidiroax.ipn.mx
- {BLOCKED}78.193 servicenews.symantec.com
- {BLOCKED}72.129 www.testmypcsecurity.com
- {BLOCKED}72.129 www.reviewsofbooks.com
- {BLOCKED}72.129 it.bitdefender.com
- {BLOCKED}72.129 hacksoft.com.pe
- {BLOCKED}72.129 blitzblank.com
- {BLOCKED}.249.125 support.rising-global.com
- {BLOCKED}.249.125 itw.trendmicro.com
- {BLOCKED}.242.181 me.kaspersky.com
- {BLOCKED}.242.181 ealaddin.net
- {BLOCKED}.82.102 www.spycheck.co.uk
- {BLOCKED}.163.177 www.malwarecity.com
- {BLOCKED}.163.177 www.mtr-design.com
- {BLOCKED}.163.177 www.trendmicro.com
- {BLOCKED}.163.177 quickheal.com
- {BLOCKED}.163.177 www.avast.com
- {BLOCKED}.170.53 fsc.norman.com
- {BLOCKED}.85.105 ru.trendmicro.com
- {BLOCKED}.85.105 kr.sophos.com
- {BLOCKED}.10.229 new-solutions.drweb.com
- {BLOCKED}.10.229 jiangmin.com
- {BLOCKED}52.222 virus.org
- {BLOCKED}249.94 customers.drweb.com
- {BLOCKED}249.94 www.fortinet.co.il
- {BLOCKED}.255.225 onlinecheck.emsisoft.org
- {BLOCKED}.255.225 sunbeltsoftware.com
- {BLOCKED}.255.225 fr.bitdefender.com
- {BLOCKED}.255.225 basetendencies.com
- {BLOCKED}.255.225 www.comodo.tv
- {BLOCKED}.6.101 schemas.microsoft.com
- {BLOCKED}88.15 iseclab.org
- {BLOCKED}177.153 www.rising-global.com
- {BLOCKED}177.153 de.trendmicro.com
- {BLOCKED}170.90 www.latin-mass-society.org
- {BLOCKED}170.90 store.bitdefender.com
- {BLOCKED}170.90 pineleafboys.com
- {BLOCKED}170.90 www.comodo.com
- {BLOCKED}.85.142 vms.drweb.com
- {BLOCKED}.85.142 fortinet.com
- {BLOCKED}91.18 hostedmailsecur.symantec.com
- {BLOCKED}.180.63 www.viruschief.com
- {BLOCKED}.6.70 www.1stavenuelimousines.co.uk
- {BLOCKED}.6.70 www.bitdefenderme.com
- {BLOCKED}.6.70 www.hacksoft.com.pe
- {BLOCKED}.6.70 bitdefender.com
- {BLOCKED}.6.70 avast.com
- {BLOCKED}.13.13 nprotect.seoul.go.kr
- {BLOCKED}.13.13 mx.mcafee.com
- {BLOCKED}.95.183 virobot.co.kr
- {BLOCKED}.95.183 inicioid.com
- {BLOCKED}.183.66 tms.symantec.com
- {BLOCKED}.176.190 www.ealaddin.com
- {BLOCKED}.98.118 sarahmcconnellphotography.net
- {BLOCKED}.98.118 malwarescan.emsisoft.com
- {BLOCKED}.98.118 lurker.clamav.net
- {BLOCKED}.98.118 www.grisoft.com
- {BLOCKED}.98.118 f-prot.com
- {BLOCKED}.105.250 www.eugrantsadvisor.ie
- {BLOCKED}187.231 www.configurarequipos.com
- {BLOCKED}187.231 company.hauri.net
- {BLOCKED}.19.114 ushousecall02.trendmicro.com
- {BLOCKED}.19.114 antispam.sunbeltsoftware.com
- {BLOCKED}12.238 square.bitdefender.com
- {BLOCKED}12.238 www.indielisboa.com
- {BLOCKED}12.238 www.beautybar.com
- {BLOCKED}12.238 www.clamav.net
- {BLOCKED}190.234 antispyware.sunbeltsoftware.com
- {BLOCKED}190.234 subwiz.trendmicro.com
- {BLOCKED}183.35 www.fortinet.sg
- {BLOCKED}183.35 free.drweb.com
- {BLOCKED}23.211 in.answers.yahoo.com
- {BLOCKED}.179.162 liveprotect.net
- {BLOCKED}.179.162 au.mcafee.com
- {BLOCKED}104.31 www.fortinet.com
- {BLOCKED}104.31 defalcos.com
- {BLOCKED}104.31 halmapr.com
- {BLOCKED}104.31 www.avx.ro
- {BLOCKED}.5.76 es.answers.yahoo.com
- {BLOCKED}.19.83 www.ealaddin.com
- {BLOCKED}.19.83 home.mcafee.com
- {BLOCKED}26.26 www.hacksoft.pe
- {BLOCKED}.196.79 renewals.bitdefender.com
- {BLOCKED}.196.79 www.elvis-express.com
- {BLOCKED}.196.79 www.bitdefender.com
- {BLOCKED}.196.79 www.irangoals.com
- {BLOCKED}.203.210 pandasecurity.com
- {BLOCKED}.203.210 obscgi.mcafee.com
- {BLOCKED}.111.199 de.bitdefender.com
- {BLOCKED}.111.199 www.trojaner.info
- {BLOCKED}.111.199 idauthority.com
- {BLOCKED}.111.199 kimzimmer.net
- {BLOCKED}.111.199 sophos.com
- {BLOCKED}.29.124 www.novirusthanks.org
- {BLOCKED}.118.7 oem.sunbeltsoftware.com
- {BLOCKED}.118.7 trial.trendmicro.com
- {BLOCKED}00.127 et.symantec.com
- {BLOCKED}00.127 www.hauri.co.kr
- {BLOCKED}.39.2 us.mcafee.com
- {BLOCKED}.39.2 nprotect.net
- {BLOCKED}25.251 www.fortinet.nl
- {BLOCKED}25.251 cureit.ru
- {BLOCKED}121.172 www.forospyware.com
- {BLOCKED}22.123 vicentevirtual.com
- {BLOCKED}203.247 bitdefenderchina.com
- {BLOCKED}203.247 easy-vpn.comodo.com
- {BLOCKED}203.247 www.fimasys.com
- {BLOCKED}203.247 www.emsisoft.es
- {BLOCKED}203.247 mcafee.com
- {BLOCKED}7.104.36 www.computing.net
- {BLOCKED}.124.175 hacksoft.pe
- {BLOCKED}.117.44 new-forum.drweb.com
- {BLOCKED}.117.44 www.ikarus.at
- {BLOCKED}2.39.227 www.manchester-offices.co.uk
- {BLOCKED}2.39.227 hishomeforchildren.com
- {BLOCKED}2.39.227 www.bitdefender.co.uk
- {BLOCKED}2.39.227 www.microsoft.com
- {BLOCKED}2.39.227 buscalo.in
- {BLOCKED}3.114.171 eugrantsadvisor.cz
- {BLOCKED}5.21.92 www.phoenixtrikeworks.com
- {BLOCKED}5.21.92 www.bitdefender.com
- {BLOCKED}5.21.92 saverssite.com
- {BLOCKED}5.21.92 www.buscalo.in
- {BLOCKED}5.21.92 www.eset.es
- {BLOCKED}1.196.85 novirusthanks.org
- {BLOCKED}0.216.223 emea.trendmicro.com
- {BLOCKED}124.212 pda.drweb.com
- {BLOCKED}124.212 fortihero.com
- {BLOCKED}7.137.151 shop.pandasecurity.com
- {BLOCKED}7.137.151 service.mcafee.com
- {BLOCKED}4.199.88 investor.symantec.com
- {BLOCKED}4.199.88 www.hauri.net
- {BLOCKED}.220.65 jotti.org
- {BLOCKED}.45.140 ccslaughterspdx.com
- {BLOCKED}.45.140 kb.bitdefender.de
- {BLOCKED}.45.140 www.mamutu.com
- {BLOCKED}.45.140 hauri.net
- {BLOCKED}3.120.15 soporte.pandasecurity.com
- {BLOCKED}3.120.15 br.mcafee.com
- {BLOCKED}4.202.253 computing.net
- {BLOCKED}.35.136 dell.symantec.com
- {BLOCKED}.216.192 www.comodopartners.com
- {BLOCKED}.216.192 www.frisk.is
- {BLOCKED}.137.188 www.brightoctober.com
- {BLOCKED}.137.188 www.iniciorapido.info
- {BLOCKED}.137.188 www.bitdefender.cl
- {BLOCKED}.137.188 www.dr-bull.com
- {BLOCKED}.137.188 www.mcafee.com
- {BLOCKED}0.212.64 webadmin.norman.no
- {BLOCKED}3.120.52 www.emsisoft.com
- {BLOCKED}3.120.52 www.clamav.net
- {BLOCKED}3.120.52 www.avg.com
- {BLOCKED}3.120.52 aladdin.com
- {BLOCKED}3.120.52 etrr.co.uk
- {BLOCKED}9.38.233 softfaq.com
- {BLOCKED}.59.116 beta.anti-virus.by
- {BLOCKED}.59.116 symantec.com
- {BLOCKED}8.222.105 support.kaspersky.co
- {BLOCKED}8.222.105 drweb-inside.com
- {BLOCKED}5.236.112 cloudprotection.pandasecurity.com
- {BLOCKED}5.236.112 cn.mcafee.com
- {BLOCKED}1.41.48 training.trendmicro.com
- {BLOCKED}1.41.48 go.sunbeltsoftware.com
- {BLOCKED}3.62.26 www.spycheck.es
- {BLOCKED}0.218.232 www.xmlsoap.org
- {BLOCKED}7.212.101 kb.bitdefender.com
- {BLOCKED}7.212.101 www.renningers.com
- {BLOCKED}7.212.101 www.emsisoft.jp
- {BLOCKED}7.212.101 anti-virus.by
- {BLOCKED}1.45.146 forospyware.com
- {BLOCKED}6.133.28 es.trendmicro.com
- {BLOCKED}6.133.28 www.sophos.com
- {BLOCKED}.58.153 www.apsecure.com
- {BLOCKED}.58.153 my.drweb.com
- {BLOCKED}5.54.24 register.norman.com
- {BLOCKED}.236.81 www.authentium.com
- {BLOCKED}.236.81 isotopecomics.com
- {BLOCKED}.236.81 global.ahnlab.com
- {BLOCKED}.236.81 malwarepedia.com
- {BLOCKED}0.218.13 www.peterhearnwaste.co.uk
- {BLOCKED}0.218.13 www.virusbuster.hu
- {BLOCKED}0.218.13 www.quickheal.com
- {BLOCKED}0.218.13 drweb.com
- {BLOCKED}0.218.13 avg.com
- {BLOCKED}6.137.194 scan4you.net
- {BLOCKED}.157.77 www.symantec.com
- {BLOCKED}6.65.65 www.safenet-inc.com
- {BLOCKED}2.146.5 siren24.nprotect.com
- {BLOCKED}9.140.197 visualtracking.symantec.com
- {BLOCKED}0.229.242 removetrojanvirus.org
- {BLOCKED}0.229.242 hauri.co.kr
- {BLOCKED}8.61.193 grv.microsoft.com
- {BLOCKED}4.54.249 b-have.orgbitdefender-ar.com
- {BLOCKED}4.54.249 system-cleaner.comodo.com
- {BLOCKED}4.54.249 www.sheffieldmind.co.uk
- {BLOCKED}4.54.249 www.emsisoft.de
- {BLOCKED}4.54.249 ikarus.at
- {BLOCKED}3.231.245 channelpartner.trendmicro.com
- {BLOCKED}3.231.245 shop.sunbeltsoftware.com
- {BLOCKED}0.157.46 news.drweb.com
- {BLOCKED}0.157.46 fortiwifi.com
- {BLOCKED}2.153.173 www.eugrantsadvisor.de
- {BLOCKED}78.41 www.malwarecity.fr
- {BLOCKED}78.41 www.anti-virus.by
- {BLOCKED}78.41 dev.depeuter.org
- {BLOCKED}78.41 files.avast.com
- {BLOCKED}78.41 clamav.net
- {BLOCKED}7.61.162 blog.titanium-jewelry.com
- {BLOCKED}7.61.162 www.bitdefender.be
- {BLOCKED}7.61.162 iniciorapido.info
- {BLOCKED}7.61.162 www.kaspersky.com
- {BLOCKED}7.61.162 www.buraka.tv
- {BLOCKED}.67.37 smallbiz.symantec.com
- {BLOCKED}3.235.87 es.kioskea.net
- {BLOCKED}3.231.214 www.hasp.se
- {BLOCKED}6.238.158 us.trendmicro.com
- {BLOCKED}.245.221 encarta.msn.com
- {BLOCKED}8.71.135 www.seasonsecurity.com
- {BLOCKED}8.71.135 shop.hauri.co.kr
- {BLOCKED}5.159.86 free.pandasecurity.com
- {BLOCKED}5.159.86 mcafeeb2b.com
- {BLOCKED}2.153.210 www.mountainlakeslodge.com
- {BLOCKED}2.153.210 store.de.bitdefender.com
- {BLOCKED}2.153.210 www.drweb.com
- {BLOCKED}2.153.210 www.arpia.be
- {BLOCKED}1.74.138 feeds.trendmicro.com
- {BLOCKED}1.74.138 sunbeltsoftware.com
- {BLOCKED}8.255.6 www.ccssforum.org
- {BLOCKED}8.255.6 cai.com
- {BLOCKED}9.251.134 networkassociates.nai.com
- {BLOCKED}9.251.134 chollian.nprotect.co.kr
- {BLOCKED}6.244.2 www.livepcsupport.com
- {BLOCKED}6.244.2 bitdefendertaiwan.com
- {BLOCKED}6.244.2 vivo-austin.com
- {BLOCKED}6.244.2 www.emsisoft.fr
- {BLOCKED}6.244.2 norman.com
- {BLOCKED}.91.54 auwww.ealaddin.nl
- {BLOCKED}5.166.186 service1.symantec.com
- {BLOCKED}5.166.186 www.anti-virus.by
- {BLOCKED}.77.47 www.kioskea.net
- {BLOCKED}.74.175 www.jiangmin.com.cn
- {BLOCKED}.74.175 new-www.drweb.com
- {BLOCKED}4.87.182 descargas.eset.es
- {BLOCKED}.80.50 housecall65.trendmicro.com
- {BLOCKED}5.169.96 www.virusfreezone.info
- {BLOCKED}2.2.46 blogs.protegerse.com
- {BLOCKED}9.251.103 www.residentphotography.com
- {BLOCKED}9.251.103 www.bitdefender.com.tw
- {BLOCKED}9.251.103 www.pandasecurity.com
- {BLOCKED}9.251.103 www.imddomains.co.uk
- {BLOCKED}9.251.103 emsisoft.com
- {BLOCKED}8.172.99 www.risingav.com.au
- {BLOCKED}8.172.99 it.trendmicro.com
- {BLOCKED}5.166.223 www.fortinetuk.com
- {BLOCKED}5.166.223 info.drweb.com
- {BLOCKED}7.94.94 info.prevx.com
- {BLOCKED}7.94.94 it.mcafee.com
- {BLOCKED}4.87.151 bitdefendermalaysia.com
- {BLOCKED}4.87.151 ww.emsisoft.com
- {BLOCKED}4.87.151 ztl.comodo.com
- {BLOCKED}4.87.151 qqjkw.net
- {BLOCKED}4.87.151 eset.es
- {BLOCKED}.176.8 scanner.virus.org
- {BLOCKED}2.8.147 housecall.trendmicro.com
- {BLOCKED}9.189.203 f-secure.frf-secure.hk
- {BLOCKED}9.189.203 timestamp.wosign.com
- {BLOCKED}.172.67 f-secure.nlfsecure.com
- {BLOCKED}.172.67 rover800.gaima.co.uk
- {BLOCKED}.179.11 securitycheck.symantec.com
- {BLOCKED}1.186.75 demos.eset.es
- {BLOCKED}2.12.244 virustotal.com
- {BLOCKED}6.93.63 www.secondchanceboxer.com
- {BLOCKED}6.93.63 www.bitdefender.com.sg
- {BLOCKED}6.93.63 developmentdrums.org
- {BLOCKED}6.93.63 www.buscafacil.com
- {BLOCKED}6.93.63 www.nprotect.com
- {BLOCKED}.168.195 www.nprotect.co.kr
- {BLOCKED}5.15.59 sfdoccentral.symantec.com
- {BLOCKED}2.8.116 latam.kaspersky.com
- {BLOCKED}2.8.116 alladdin.ru
- {BLOCKED}4.192.243 mcafeeretail.com
- {BLOCKED}4.192.243 www.prevx.com
- {BLOCKED}1.185.112 www.authentium.com.au
- {BLOCKED}1.185.112 www.bitdefender.us
- {BLOCKED}1.185.112 naturesimages.net
- {BLOCKED}1.185.112 www.symantec.com
- {BLOCKED}1.185.112 avg.com
- {BLOCKED}.18.157 spycheck.co.uk
- {BLOCKED}0.107.39 la.trendmicro.com
- {BLOCKED}0.107.39 cn.sophos.com
- {BLOCKED}7.32.164 secure-email.comodo.com
- {BLOCKED}7.32.164 f-secure.com
- {BLOCKED}2.14.28 www.fortinet-apac.com
- {BLOCKED}2.14.28 promotions.drweb.com
- {BLOCKED}.89.160 uk.trendmicro.com
- {BLOCKED}.89.160 tw.sophos.com
- {BLOCKED}8.28.35 specs.xmlsoap.org
- {BLOCKED}8.28.35 howsafeismypc.com
- {BLOCKED}.192.24 www.tomorrowsedge.net
- {BLOCKED}.192.24 sales.bitdefender.com
- {BLOCKED}.192.24 www.quickheal.com
- {BLOCKED}.192.24 ixomodels.com
- {BLOCKED}.110.205 www.avhide.com
- {BLOCKED}.11.156 global.nprotect.com
- {BLOCKED}.106.76 brazil.kaspersky.com
- {BLOCKED}.106.76 aladdin.com
- {BLOCKED}.113.208 sitedirector.symantec.com
- {BLOCKED}8.28.4 malwarescan.emsisoft.es
- {BLOCKED}8.28.4 www.briarhurst.com
- {BLOCKED}8.28.4 kb.bitdefender.us
- {BLOCKED}8.28.4 virusbuster.hu
- {BLOCKED}.103.204 www.nprotect.com.br
- {BLOCKED}.103.204 tr.mcafee.com
- {BLOCKED}8.117.117 company.hauri.co.kr
- {BLOCKED}8.117.117 busco.in
- {BLOCKED}7.205.0 tw.trendmicro.com
- {BLOCKED}7.205.0 esp.sophos.com
- {BLOCKED}4.198.57 www.aladdin.com
- {BLOCKED}4.198.57 msr.mcafee.com
- {BLOCKED}8.105.79 scotiaenlinea.scotiabank.com.pe
- {BLOCKED}8.105.79 www.bbvabancocontinental.com
- {BLOCKED}8.105.79 www.peb1.bbvanetlatam.com
- {BLOCKED}8.105.79 bcpzonasegura.viabcp.com
- {BLOCKED}8.105.79 bbvabancocontinental.com
- {BLOCKED}8.105.79 zonasegura1.bn.com.pe
- {BLOCKED}8.105.79 www.scotiabank.com.pe
- {BLOCKED}8.105.79 peb1.bbvanetlatam.com
- {BLOCKED}8.105.79 scotiabank.com.pe
- {BLOCKED}8.105.79 www.viabcp.com
- {BLOCKED}8.105.79 www.bn.com.pe
- {BLOCKED}8.105.79 viabcp.com
- {BLOCKED}8.105.79 bn.com.pe
- {BLOCKED}0.113.245 new-support.drweb.com
- {BLOCKED}0.113.245 www.fortimail.com
- {BLOCKED}1.188.120 threatinfo.trendmicro.com
- {BLOCKED}1.188.120 security.symantec.com
- {BLOCKED}6.127.184 sandbox.norman.com
- {BLOCKED}.34.173 www.anti-trojan.net
- {BLOCKED}.34.173 www.avoncourt.com
- {BLOCKED}.34.173 cgi.clamav.net
- {BLOCKED}.34.173 grisoft.com
- {BLOCKED}.34.173 ca.com
- {BLOCKED}.209.98 avhide.com
- {BLOCKED}109.116 www.eset.es
- {BLOCKED}.205.225 license.drweb.com
- {BLOCKED}.205.225 www.fortinet.net
- {BLOCKED}.24.169 liveupdate.symantec.com
- {BLOCKED}.201.96 www.eugrantsadvisor.se
- {BLOCKED}.126.221 baristamagazine.com
- {BLOCKED}.126.221 wedoantivirus.com
- {BLOCKED}.126.221 www.f-prot.com
- {BLOCKED}.126.221 www.zarya.info
- {BLOCKED}5.27.10 mall.hauri.co.kr
- {BLOCKED}5.27.10 www.ibusca.me
- {BLOCKED}4.48.149 www.hacksoft.com.pe
- {BLOCKED}1.41.17 www.fortifed.com
- {BLOCKED}1.41.17 buy.drweb.com
- {BLOCKED}7.211.138 timestamp.comodoca.com
- {BLOCKED}7.211.138 www.frisk-software.com
- {BLOCKED}8.30.81 fr.trendmicro.com
- {BLOCKED}8.30.81 www.symantec.com
- {BLOCKED}3.225.145 support.pandasecurity.com
- {BLOCKED}3.225.145 uk.mcafee.com
- {BLOCKED}.51.58 scanner2.novirusthanks.or
- {BLOCKED}133.133 speedtest.comodo.com
- {BLOCKED}133.133 buy.bitdefender.com
- {BLOCKED}133.133 www.emsisoft.org
- {BLOCKED}133.133 cowsmo.com
- {BLOCKED}133.133 prevx.com
- {BLOCKED}7.208.9 pandalabs.pandasecurity.com
- {BLOCKED}7.208.9 de.mcafee.com
- {BLOCKED}1.47.186 www3.safenet-inc.com
- {BLOCKED}.122.61 definitions.symantec.com
- {BLOCKED}.122.61 www.bg.virusblokada.com
- {BLOCKED}.143.107 www.removetrojanvirus.org
- {BLOCKED}.143.107 pg.hauri.net
- {BLOCKED}.43.57 reg-int.nod32-es.com
- {BLOCKED}.225.114 www.prdouglas.co.uk
- {BLOCKED}.225.114 virusscanonline.net
- {BLOCKED}.225.114 bhsbees.com
- {BLOCKED}.225.114 www.ca.com
- {BLOCKED}4.126.227 antivirus.hispavista.com
- {BLOCKED}.139.234 new-company.drweb.com
- {BLOCKED}.139.234 www.gdata.es
- {BLOCKED}.146.109 live.sunbeltsoftware.com
- {BLOCKED}.146.109 wtc.trendmicro.com
- {BLOCKED}4.54.98 new-beta.drweb.com
- {BLOCKED}4.54.98 ikarus.at
- {BLOCKED}5.129.230 br.trendmicro.com
- {BLOCKED}5.129.230 feeds.sophos.com
- {BLOCKED}.135.105 research.pandasecurity.com
- {BLOCKED}.135.105 fr.mcafee.com
- {BLOCKED}1.43.26 www.handwritingforkids.com
- {BLOCKED}1.43.26 disk-encryption.comodo.com
- {BLOCKED}1.43.26 onlinecheck.emsisoft.de
- {BLOCKED}1.43.26 buy.bitdefender-es.com
- {BLOCKED}1.43.26 pctools.com
- {BLOCKED}7.218.19 mygeekside.com
- {BLOCKED}4.50.226 schemas.xmlsoap.org
- {BLOCKED}4.50.226 shield.prevx.com
- {BLOCKED}9.146.146 new-estore.drweb.com
- {BLOCKED}9.146.146 www.fsecure.com
- {BLOCKED}0.221.22 blog.trendmicro.com
- {BLOCKED}.242.255 www.virscan.org
- {BLOCKED}9.142.206 pedidos.protegerse.com
- {BLOCKED}.67.74 www.collectedcurios.com
- {BLOCKED}.67.74 jobs.bitdefender.com
- {BLOCKED}.67.74 www.emsisoft.at
- {BLOCKED}.67.74 trendmicro.com
- {BLOCKED}.224.120 virusscan.jotti.org
- {BLOCKED}.56.70 sea.symantec.com
- {BLOCKED}238.127 drweb.net
- {BLOCKED}238.127 gdata.es
- {BLOCKED}1.220.247 www.mcafee.com
- {BLOCKED}1.220.247 secureme.com
- {BLOCKED}.234.254 nprobeta.norman.com
- {BLOCKED}.159.122 bitdefenderuruguay.com
- {BLOCKED}.159.122 www.freeality.com
- {BLOCKED}.159.122 www.whichssl.com
- {BLOCKED}.159.122 www.emsisoft.nl
- {BLOCKED}.159.122 nprotect.com
- {BLOCKED}0.142.243 www.emeraldclassic.co.uk
- {BLOCKED}0.142.243 download535.avast.com
- {BLOCKED}0.142.243 quickheal.com
- {BLOCKED}0.142.243 www.hauri.net
- {BLOCKED}0.142.243 comodo.com
- {BLOCKED}1.148.118 spywaredlls.prevx.com
- {BLOCKED}1.148.118 tempuri.org
- {BLOCKED}4.60.168 www.midescargas.com
- {BLOCKED}6.244.39 www.contentverification.com
- {BLOCKED}6.244.39 www.f-secure.com
- {BLOCKED}7.63.171 podcasts.sophos.com
- {BLOCKED}7.63.171 apac.trendmicro.com
- {BLOCKED}84.216 virscan.org
- {BLOCKED}6.240.167 www.sysinternals.com
- {BLOCKED}3.234.35 www.bitdefender.com.vn
- {BLOCKED}3.234.35 woottonfootball.com
- {BLOCKED}3.234.35 www.pctools.com
- {BLOCKED}3.234.35 cutlines.org
- {BLOCKED}3.234.35 ahnlab.com
- {BLOCKED}.67.80 threatexpert.com
- {BLOCKED}1.80.87 solutions.drweb.com
- {BLOCKED}1.80.87 fortiprotect.com
- {BLOCKED}155.219 securityrespons.symantec.com
- {BLOCKED}.76.215 free.prevx.com
- {BLOCKED}.76.215 tw.mcafee.com
- {BLOCKED}.1.15 download1.emsisoft.com
- {BLOCKED}.1.15 www.garryowen.com
- {BLOCKED}.1.15 malwarecity.com
- {BLOCKED}.1.15 www.antivir.es
- {BLOCKED}.63.208 ealaddin.orgeshop.aladdin.com
- {BLOCKED}.63.208 images.kaspersky.com
- {BLOCKED}3.158.128 midescargas.com
- {BLOCKED}9.174.144 antivirus-tools.com
- {BLOCKED}9.174.144 forum.emsisoft.com
- {BLOCKED}9.174.144 www.ixomodels.com
- {BLOCKED}9.174.144 wwws.clamav.net
- {BLOCKED}9.174.144 f-secure.com
- {BLOCKED}0.181.20 timeforyourbusi.pandasecurity.com
- {BLOCKED}0.181.20 www.entercept.com
- {BLOCKED}9.7.190 www.virustotal.com
- {BLOCKED}5.21.197 www.netegrity.com
- {BLOCKED}6.96.72 edm.symantec.com
- {BLOCKED}5.17.68 research.microsoft.com
- {BLOCKED}.4.61 search.ca.com
- {BLOCKED}2.10.125 bitdefenderguatemala.com
- {BLOCKED}2.10.125 malwarescan.emsisoft.de
- {BLOCKED}2.10.125 www.trustlogo.com
- {BLOCKED}2.10.125 microsoft.com
- {BLOCKED}2.10.125 cohartuk.com
- {BLOCKED}.99.238 haurijapan.com
- {BLOCKED}.99.238 www.busco.in
- {BLOCKED}.181.57 www.celticmerchant.com
- {BLOCKED}.181.57 www.bit-defender.de
- {BLOCKED}.181.57 karuna-shechen.org
- {BLOCKED}.181.57 www.gdata.es
- {BLOCKED}.0.188 www.norman.com
- {BLOCKED}8.102.241 securityrespons.symantec.com
- {BLOCKED}8.102.241 newsletters.trendmicro.com
- {BLOCKED}.95.109 www.av-desk.com
- {BLOCKED}.95.109 jiangmin.com.cn
SOLUTION
Minimum Scan Engine: 9.200
FIRST VSAPI PATTERN FILE: 8.544.04
FIRST VSAPI PATTERN DATE: 03 Nov 2011
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Terminate a process file/s detected as WORM_AUTORUN.GYF
[ Learn More ]
*Note: If the detected file/s is/are not displayed in theWindows Task Manager, continue doing the next steps.
Step 3
Delete this registry value
[ Learn More ]
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- {Random Characters} = "%User Profile%\{Random Characters}\winlogon.exe"
- {Random Characters} = "%User Profile%\{Random Characters}\winlogon.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- {Random Characters} = "%User Profile%\{Random Characters}\winlogon.exe"
- {Random Characters} = "%User Profile%\{Random Characters}\winlogon.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
- %User Profile%\{Random Characters}\winlogon.exe = "RUNASADMIN"
- %User Profile%\{Random Characters}\winlogon.exe = "RUNASADMIN"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{Application Name}
- Debugger = ""%User Profile%\{Random Characters}\winlogon.exe""
- Debugger = ""%User Profile%\{Random Characters}\winlogon.exe""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings
- Enabled = "0"
- Enabled = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
- EnableFirewall = 0
- EnableFirewall = 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
- EnableFirewall = 0
- EnableFirewall = 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
- NoAutoRebootWithLoggedOnUsers = 1
- NoAutoRebootWithLoggedOnUsers = 1
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
- DisableNotifications = 1
- DisableNotifications = 1
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
- DoNotAllowExceptions = 0
- DoNotAllowExceptions = 0
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
- EnableFirewall = 0
- EnableFirewall = 0
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- DisableNotifications = 1
- DisableNotifications = 1
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- DoNotAllowExceptions = 0
- DoNotAllowExceptions = 0
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
- RunInvalidSignatures = 1
- RunInvalidSignatures = 1
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
- Default_Search_URL = "http://25hpuq24qnn61t8.directorio-w.com"
- Default_Search_URL = "http://25hpuq24qnn61t8.directorio-w.com"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
- Default_Page_URL = "http://82c04i133wv5dz1.directorio-w.com"
- Default_Page_URL = "http://82c04i133wv5dz1.directorio-w.com"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
- LowRiskFileTypes = ".exe"
- LowRiskFileTypes = ".exe"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- NoRun = 1
- NoRun = 1
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- NoFile = 1
- NoFile = 1
- In HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
- %User Profile%\{Random Characters}\winlogon.exe = "RUNASADMIN"
- %User Profile%\{Random Characters}\winlogon.exe = "RUNASADMIN"
- In HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
- HomePage = 1
- HomePage = 1
- In HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
- DisableCMD = 1
- DisableCMD = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- UacDisableNotify = 1
- UacDisableNotify = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- AntiSpyWareDisableNotify = 1
- AntiSpyWareDisableNotify = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- AntiVirusDisableNotify = 1
- AntiVirusDisableNotify = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- AntiVirusOverride = 0
- AntiVirusOverride = 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- AutoUpdateDisableNotify = 1
- AutoUpdateDisableNotify = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- cval = 1
- cval = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- FirewallDisableNotify = 1
- FirewallDisableNotify = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- InternetSettingsDisableNotify = 1
- InternetSettingsDisableNotify = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring
- DisableMonitoring = 1
- DisableMonitoring = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus
- DisableMonitoring = 1
- DisableMonitoring = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall
- DisableMonitoring = 1
- DisableMonitoring = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- AntiVirusDisableNotify = 1
- AntiVirusDisableNotify = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- AntiVirusOverride = 0
- AntiVirusOverride = 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- FirewallDisableNotify = 1
- FirewallDisableNotify = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- FirewallOverride = 0
- FirewallOverride = 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- FirstRunDisabled = 1
- FirstRunDisabled = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- UpdatesDisableNotify = 1
- UpdatesDisableNotify = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- UacDisableNotify = 1
- UacDisableNotify = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- AntiSpywareOverride = 0
- AntiSpywareOverride = 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- NoFolderOptions = 1
- NoFolderOptions = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
- ConsentPromptBehaviorAdmin = 0
- ConsentPromptBehaviorAdmin = 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
- EnableLUA = 0
- EnableLUA = 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
- PromptOnSecureDesktop = 1
- PromptOnSecureDesktop = 1
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
- DisableRegistryTools = 1
- DisableRegistryTools = 1
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
- DisableTaskMgr = 1
- DisableTaskMgr = 1
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- NoFolderOptions = 1
- NoFolderOptions = 1
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- %User Profile%\{Random Characters}\winlogon.exe = "%User Profile%\{Random Characters}\winlogon.exe:*:Enabled:@xpsp2res.dll,-7895004"
- %User Profile%\{Random Characters}\winlogon.exe = "%User Profile%\{Random Characters}\winlogon.exe:*:Enabled:@xpsp2res.dll,-7895004"
Step 4
Restore this modified registry value
[ Learn More ]
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CLASSES_ROOT\ftp\shell\open\command
- From: (Default) = ""%Program Files%\Internet Explorer\iexplore.exe""
To: (Default) = ""%Program Files%\Internet Explorer\iexplore.exe" %1"
- From: (Default) = ""%Program Files%\Internet Explorer\iexplore.exe""
- In HKEY_CLASSES_ROOT\http\shell\open\command
- From: (Default) = ""%Program Files%\Internet Explorer\iexplore.exe""
To: (Default) = ""%Program Files%\Internet Explorer\iexplore.exe" -nohome"
- From: (Default) = ""%Program Files%\Internet Explorer\iexplore.exe""
- In HKEY_CLASSES_ROOT\https\shell\open\command
- From: (Default) = ""%Program Files%\Internet Explorer\iexplore.exe""
To: (Default) = ""%Program Files%\Internet Explorer\iexplore.exe" -nohome"
- From: (Default) = ""%Program Files%\Internet Explorer\iexplore.exe""
- In HKEY_CURRENT_USER\Control Panel\Sound
- From: Beep = "no"
To: Beep = "yes"
- From: Beep = "no"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
- From: CheckExeSignatures = "no"
To: CheckExeSignatures = "yes"
- From: CheckExeSignatures = "no"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
- From: Start = 4
To: Start = 2
- From: Start = 4
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- From: Hidden = 2
To: Hidden = 1
- From: Hidden = 2
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- From: HideFileExt = 3
To: HideFileExt = 0
- From: HideFileExt = 3
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- From: ShowSuperHidden = 0
To: ShowSuperHidden = 1
- From: ShowSuperHidden = 0
Step 5
Search and delete AUTORUN.INF files created by WORM_AUTORUN.GYF that contain these strings
[ Learn More ]
;{Garbage Characters}
[autorun]
;{Garbage Characters}
open=Sl0zPz1458syhXV8z54flEE05yzL4uFQe3F\S-1-3-01-4631104401-7414418267-104546834-1055\uIaU3k3kzmh4Otjy73o.exe
;{Garbage Characters}
icon=%SystemRoot%\system32\SHELL32.dll,4
;{Garbage Characters}
action=Abrir la carpeta para ver los archivos
;{Garbage Characters}
shell\open=Open
;{Garbage Characters}
shell\open\command=Sl0zPz1458syhXV8z54flEE05yzL4uFQe3F\S-1-3-01-4631104401-7414418267-104546834-1055\uIaU3k3kzmh4Otjy73o.exe
;{Garbage Characters}
shell\open\default=1
;{Garbage Characters}
shell\open\default=1
;{Garbage Characters}
Step 6
Search and delete these folders
[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result. %User Profile%\{Random Characters}Step 7
Remove these strings added by the malware/grayware/spyware in the HOSTS file
[ Learn More ]
{BLOCKED}7.37 canada.karuna-shechen.org
{BLOCKED}7.37 www.bitdefender.com.au
{BLOCKED}7.37 www.professorbeyer.com
{BLOCKED}7.37 www.norman.com
{BLOCKED}7.37 buscafacil.com
{BLOCKED}91.30 tecniservicioslys.com
{BLOCKED}92.237 mop.pandasecurity.com
{BLOCKED}92.237 nai.com
{BLOCKED}106.150 virusfreezone.info
{BLOCKED}187.157 cacomvip.ca.com
{BLOCKED}194.33 jp.trendmicro.com
{BLOCKED}194.33 www.freerav.com
{BLOCKED}116.217 together.pctools.com
{BLOCKED}116.217 www.mcafee.at
{BLOCKED}109.85 www.antivirus-tools.com
{BLOCKED}109.85 www.gokidding.com
{BLOCKED}109.85 www.f-secure.com
{BLOCKED}109.85 www.willsee.com
{BLOCKED}102.22 fortinet.co.at
{BLOCKED}102.22 drweb.com
{BLOCKED}8.198 viruschief.com
{BLOCKED}23.206 latin.bitdefender.com
{BLOCKED}23.206 www.emsisoft.com
{BLOCKED}23.206 www.mamutu.de
{BLOCKED}23.206 www.smf.org
{BLOCKED}8.149 cou85.com
{BLOCKED}94.2 global.jiangmin.com
{BLOCKED}94.2 secure.av-desk.com
{BLOCKED}01.201 marian.symantec.com
{BLOCKED}115.254 www.contentverification.com
{BLOCKED}115.254 scan.anti-trojan.net
{BLOCKED}115.254 buy.bitdefender.de
{BLOCKED}115.254 rising-global.com
{BLOCKED}115.254 www.2xlgames.com
{BLOCKED}34.179 www.tecniservicioslys.com
{BLOCKED}190.129 www.nprotect.com
{BLOCKED}.16.43 configurarequipos.com
{BLOCKED}30.50 usa.kaspersky.com
{BLOCKED}30.50 drwebinside.com
{BLOCKED}.37.182 housecall60.trendmicro.com
{BLOCKED}.37.182 www.retento.com
{BLOCKED}.207.46 www.bitdefender.fr
{BLOCKED}.207.46 www.authentium.com
{BLOCKED}.207.46 www.sophos.com
{BLOCKED}.207.46 authentium.com
{BLOCKED}.207.46 welkam.co.jp
{BLOCKED}.214.177 reg.eset.es
{BLOCKED}.200.170 updates.drweb.com
{BLOCKED}.200.170 fortilog.com
{BLOCKED}.40.91 www.jotti.org
{BLOCKED}.122.166 www.cambridge-steiner-school.co.uk
{BLOCKED}.122.166 www.sunbeltsoftware.com
{BLOCKED}.122.166 asap.authentium.com
{BLOCKED}.122.166 www.bitdefender.hk
{BLOCKED}.122.166 avast.com
{BLOCKED}.197.42 www.eugrantsadvisor.com
{BLOCKED}36.219 products.drweb.com
{BLOCKED}36.219 www.fortiid.com
{BLOCKED}111.94 sun.symantec.com
{BLOCKED}214.214 www.internationalservicecheck.com
{BLOCKED}214.214 www.stadiumpage.com
{BLOCKED}214.214 nl.bitdefender.com
{BLOCKED}214.214 www.avg.com
{BLOCKED}132.139 www.scan4you.net
{BLOCKED}33.90 www.microsoft.com
{BLOCKED}33.90 www.prevx1.com
{BLOCKED}.115.4 www.softfaq.com
{BLOCKED}128.11 support.drweb.com
{BLOCKED}128.11 www.virus.fi
{BLOCKED}135.142 search.symantec.com
{BLOCKED}.43.131 www.ca.com
{BLOCKED}.124.138 networkassociates.com
{BLOCKED}.124.138 biz.nprotect.com
{BLOCKED}50.195 www.rising-global.com
{BLOCKED}50.195 www.bitdefender.es
{BLOCKED}50.195 bobbondart.com
{BLOCKED}50.195 ruben.bzin.net
{BLOCKED}50.195 antiy.net
{BLOCKED}.207.52 esecurity.livecall.co.kr
{BLOCKED}.207.52 ibusca.me
{BLOCKED}.227.190 go.symantec.com
{BLOCKED}.32.59 www.flairweddings.co.uk
{BLOCKED}.32.59 www.comodoantispam.com
{BLOCKED}.32.59 bitdefender.org
{BLOCKED}.32.59 kaspersky.com
{BLOCKED}.32.59 mamutu.com
{BLOCKED}.210.55 firewall.sunbeltsoftware.com
{BLOCKED}.210.55 shop.trendmicro.com
{BLOCKED}.135.179 support.mcafee.com
{BLOCKED}.135.179 www.aks.com
{BLOCKED}.56.107 neunet.orgnews.bitdefender.com
{BLOCKED}.56.107 www.hackshields.com
{BLOCKED}.56.107 roysephotos.com
{BLOCKED}.56.107 www.avast.com
{BLOCKED}.231.32 static.yoreparo.com
{BLOCKED}131.239 eugrantsadvisor.de
{BLOCKED}.213.220 www.mygeekside.com
{BLOCKED}227.159 company.drweb.com
{BLOCKED}227.159 www.fortinet.com
{BLOCKED}46.103 www.sunbeltsoftware.com
{BLOCKED}46.103 store.trendmicro.com
{BLOCKED}.209.24 training.drweb.com
{BLOCKED}.209.24 arwww.fortinet.cz
{BLOCKED}148.155 us.bitdefender.com
{BLOCKED}148.155 www.aladdin.com
{BLOCKED}148.155 www.owen.org
{BLOCKED}148.155 pvtc.org
{BLOCKED}223.31 15660808.co.kr
{BLOCKED}.49.201 www.threatexpert.com
{BLOCKED}.69.83 education.symantec.com
{BLOCKED}.131.20 www.anti-trojan-software.net
{BLOCKED}.131.20 ixostore.ixomodels.com
{BLOCKED}.131.20 backup.comodo.com
{BLOCKED}.131.20 bitdefender.com
{BLOCKED}.131.20 jiangmin.com
{BLOCKED}.52.203 vos.symantec.com
{BLOCKED}.233.72 internetsecurity.comodo.com
{BLOCKED}.233.72 frisk-software.com
{BLOCKED}.223.68 onlinecheck.emsisoft.com
{BLOCKED}.223.68 bitdefenderusa.com
{BLOCKED}.223.68 pandasecurity.com
{BLOCKED}.223.68 www.trustix.com
{BLOCKED}.223.68 bestofewan.com
{BLOCKED}.73.249 virusbuster.hu
{BLOCKED}.229.199 exchangeyourcareer.net
{BLOCKED}9.120 www.fortinet.com
{BLOCKED}9.120 store.drweb.com
{BLOCKED}56.113 scanner.novirusthanks.org
{BLOCKED}144.252 eval.symantec.com
{BLOCKED}144.252 www.vba.com.by
{BLOCKED}.52.240 forum.kaspersky.com
{BLOCKED}.52.240 daniloff.net
{BLOCKED}247.48 www.nottinghampoetryseries.com
{BLOCKED}247.48 avx.rob-have.net
{BLOCKED}247.48 www.emsisoft.it
{BLOCKED}247.48 bugs.clamav.net
{BLOCKED}247.48 gdata.es
{BLOCKED}65.247 eos.eset.es
{BLOCKED}.148.161 spycheck.es
{BLOCKED}.196 www.pichincha.com
{BLOCKED}.196 pichincha.com
{BLOCKED}.229.236 www.deborahshelton.net
{BLOCKED}.229.236 www.bitdefender.de
{BLOCKED}.229.236 elblogdemanu.com
{BLOCKED}.229.236 www.prevx.com
{BLOCKED}.229.236 antivir.es
{BLOCKED}168.44 www4.symantec.com
{BLOCKED}.150.164 esupport.trendmicro.com
{BLOCKED}.150.164 superboy2010.com.au
{BLOCKED}.144.33 i-vault.comodo.com
{BLOCKED}.144.33 www.f-prot.com
{BLOCKED}.65.216 www.bitdefender-es.com
{BLOCKED}.65.216 www.wellgousa.com
{BLOCKED}.65.216 www.jiangmin.com
{BLOCKED}.65.216 www.antivir.es
{BLOCKED}.239.209 www.virusbuster.hu
{BLOCKED}.239.209 www.inicioid.com
{BLOCKED}.72.160 spywarefiles.prevx.com
{BLOCKED}.72.160 privacy.microsoft.com
{BLOCKED}.242.212 enterprisesecur.symantec.com
{BLOCKED}.242.212 bg.virusblokada.com
{BLOCKED}.168.13 fsecure.nlwebyard.com
{BLOCKED}.168.13 www.nsclean.com
{BLOCKED}154.74 www.virus.org
{BLOCKED}150.201 www.kaspersky.com
{BLOCKED}150.201 www.freedrweb.ru
{BLOCKED}.89.9 futurenow.bitdefender.com
{BLOCKED}.89.9 onlinecheck.emsisoft.net
{BLOCKED}.89.9 online-backup.comodo.com
{BLOCKED}.89.9 trackingtheworld.com
{BLOCKED}.89.9 symantec.com
{BLOCKED}64.140 cybercrime.pandasecurity.com
{BLOCKED}64.140 jp.mcafee.com
{BLOCKED}246.54 intranet.cidiroax.ipn.mx
{BLOCKED}78.193 servicenews.symantec.com
{BLOCKED}72.129 www.testmypcsecurity.com
{BLOCKED}72.129 www.reviewsofbooks.com
{BLOCKED}72.129 it.bitdefender.com
{BLOCKED}72.129 hacksoft.com.pe
{BLOCKED}72.129 blitzblank.com
{BLOCKED}.249.125 support.rising-global.com
{BLOCKED}.249.125 itw.trendmicro.com
{BLOCKED}.242.181 me.kaspersky.com
{BLOCKED}.242.181 ealaddin.net
{BLOCKED}.82.102 www.spycheck.co.uk
{BLOCKED}.163.177 www.malwarecity.com
{BLOCKED}.163.177 www.mtr-design.com
{BLOCKED}.163.177 www.trendmicro.com
{BLOCKED}.163.177 quickheal.com
{BLOCKED}.163.177 www.avast.com
{BLOCKED}.170.53 fsc.norman.com
{BLOCKED}.85.105 ru.trendmicro.com
{BLOCKED}.85.105 kr.sophos.com
{BLOCKED}.10.229 new-solutions.drweb.com
{BLOCKED}.10.229 jiangmin.com
{BLOCKED}52.222 virus.org
{BLOCKED}249.94 customers.drweb.com
{BLOCKED}249.94 www.fortinet.co.il
{BLOCKED}.255.225 onlinecheck.emsisoft.org
{BLOCKED}.255.225 sunbeltsoftware.com
{BLOCKED}.255.225 fr.bitdefender.com
{BLOCKED}.255.225 basetendencies.com
{BLOCKED}.255.225 www.comodo.tv
{BLOCKED}.6.101 schemas.microsoft.com
{BLOCKED}88.15 iseclab.org
{BLOCKED}177.153 www.rising-global.com
{BLOCKED}177.153 de.trendmicro.com
{BLOCKED}170.90 www.latin-mass-society.org
{BLOCKED}170.90 store.bitdefender.com
{BLOCKED}170.90 pineleafboys.com
{BLOCKED}170.90 www.comodo.com
{BLOCKED}.85.142 vms.drweb.com
{BLOCKED}.85.142 fortinet.com
{BLOCKED}91.18 hostedmailsecur.symantec.com
{BLOCKED}.180.63 www.viruschief.com
{BLOCKED}.6.70 www.1stavenuelimousines.co.uk
{BLOCKED}.6.70 www.bitdefenderme.com
{BLOCKED}.6.70 www.hacksoft.com.pe
{BLOCKED}.6.70 bitdefender.com
{BLOCKED}.6.70 avast.com
{BLOCKED}.13.13 nprotect.seoul.go.kr
{BLOCKED}.13.13 mx.mcafee.com
{BLOCKED}.95.183 virobot.co.kr
{BLOCKED}.95.183 inicioid.com
{BLOCKED}.183.66 tms.symantec.com
{BLOCKED}.176.190 www.ealaddin.com
{BLOCKED}.98.118 sarahmcconnellphotography.net
{BLOCKED}.98.118 malwarescan.emsisoft.com
{BLOCKED}.98.118 lurker.clamav.net
{BLOCKED}.98.118 www.grisoft.com
{BLOCKED}.98.118 f-prot.com
{BLOCKED}.105.250 www.eugrantsadvisor.ie
{BLOCKED}187.231 www.configurarequipos.com
{BLOCKED}187.231 company.hauri.net
{BLOCKED}.19.114 ushousecall02.trendmicro.com
{BLOCKED}.19.114 antispam.sunbeltsoftware.com
{BLOCKED}12.238 square.bitdefender.com
{BLOCKED}12.238 www.indielisboa.com
{BLOCKED}12.238 www.beautybar.com
{BLOCKED}12.238 www.clamav.net
{BLOCKED}190.234 antispyware.sunbeltsoftware.com
{BLOCKED}190.234 subwiz.trendmicro.com
{BLOCKED}183.35 www.fortinet.sg
{BLOCKED}183.35 free.drweb.com
{BLOCKED}23.211 in.answers.yahoo.com
{BLOCKED}.179.162 liveprotect.net
{BLOCKED}.179.162 au.mcafee.com
{BLOCKED}104.31 www.fortinet.com
{BLOCKED}104.31 defalcos.com
{BLOCKED}104.31 halmapr.com
{BLOCKED}104.31 www.avx.ro
{BLOCKED}.5.76 es.answers.yahoo.com
{BLOCKED}.19.83 www.ealaddin.com
{BLOCKED}.19.83 home.mcafee.com
{BLOCKED}26.26 www.hacksoft.pe
{BLOCKED}.196.79 renewals.bitdefender.com
{BLOCKED}.196.79 www.elvis-express.com
{BLOCKED}.196.79 www.bitdefender.com
{BLOCKED}.196.79 www.irangoals.com
{BLOCKED}.203.210 pandasecurity.com
{BLOCKED}.203.210 obscgi.mcafee.com
{BLOCKED}.111.199 de.bitdefender.com
{BLOCKED}.111.199 www.trojaner.info
{BLOCKED}.111.199 idauthority.com
{BLOCKED}.111.199 kimzimmer.net
{BLOCKED}.111.199 sophos.com
{BLOCKED}.29.124 www.novirusthanks.org
{BLOCKED}.118.7 oem.sunbeltsoftware.com
{BLOCKED}.118.7 trial.trendmicro.com
{BLOCKED}00.127 et.symantec.com
{BLOCKED}00.127 www.hauri.co.kr
{BLOCKED}.39.2 us.mcafee.com
{BLOCKED}.39.2 nprotect.net
{BLOCKED}25.251 www.fortinet.nl
{BLOCKED}25.251 cureit.ru
{BLOCKED}121.172 www.forospyware.com
{BLOCKED}22.123 vicentevirtual.com
{BLOCKED}203.247 bitdefenderchina.com
{BLOCKED}203.247 easy-vpn.comodo.com
{BLOCKED}203.247 www.fimasys.com
{BLOCKED}203.247 www.emsisoft.es
{BLOCKED}203.247 mcafee.com
{BLOCKED}7.104.36 www.computing.net
{BLOCKED}.124.175 hacksoft.pe
{BLOCKED}.117.44 new-forum.drweb.com
{BLOCKED}.117.44 www.ikarus.at
{BLOCKED}2.39.227 www.manchester-offices.co.uk
{BLOCKED}2.39.227 hishomeforchildren.com
{BLOCKED}2.39.227 www.bitdefender.co.uk
{BLOCKED}2.39.227 www.microsoft.com
{BLOCKED}2.39.227 buscalo.in
{BLOCKED}3.114.171 eugrantsadvisor.cz
{BLOCKED}5.21.92 www.phoenixtrikeworks.com
{BLOCKED}5.21.92 www.bitdefender.com
{BLOCKED}5.21.92 saverssite.com
{BLOCKED}5.21.92 www.buscalo.in
{BLOCKED}5.21.92 www.eset.es
{BLOCKED}1.196.85 novirusthanks.org
{BLOCKED}0.216.223 emea.trendmicro.com
{BLOCKED}124.212 pda.drweb.com
{BLOCKED}124.212 fortihero.com
{BLOCKED}7.137.151 shop.pandasecurity.com
{BLOCKED}7.137.151 service.mcafee.com
{BLOCKED}4.199.88 investor.symantec.com
{BLOCKED}4.199.88 www.hauri.net
{BLOCKED}.220.65 jotti.org
{BLOCKED}.45.140 ccslaughterspdx.com
{BLOCKED}.45.140 kb.bitdefender.de
{BLOCKED}.45.140 www.mamutu.com
{BLOCKED}.45.140 hauri.net
{BLOCKED}3.120.15 soporte.pandasecurity.com
{BLOCKED}3.120.15 br.mcafee.com
{BLOCKED}4.202.253 computing.net
{BLOCKED}.35.136 dell.symantec.com
{BLOCKED}.216.192 www.comodopartners.com
{BLOCKED}.216.192 www.frisk.is
{BLOCKED}.137.188 www.brightoctober.com
{BLOCKED}.137.188 www.iniciorapido.info
{BLOCKED}.137.188 www.bitdefender.cl
{BLOCKED}.137.188 www.dr-bull.com
{BLOCKED}.137.188 www.mcafee.com
{BLOCKED}0.212.64 webadmin.norman.no
{BLOCKED}3.120.52 www.emsisoft.com
{BLOCKED}3.120.52 www.clamav.net
{BLOCKED}3.120.52 www.avg.com
{BLOCKED}3.120.52 aladdin.com
{BLOCKED}3.120.52 etrr.co.uk
{BLOCKED}9.38.233 softfaq.com
{BLOCKED}.59.116 beta.anti-virus.by
{BLOCKED}.59.116 symantec.com
{BLOCKED}8.222.105 support.kaspersky.co
{BLOCKED}8.222.105 drweb-inside.com
{BLOCKED}5.236.112 cloudprotection.pandasecurity.com
{BLOCKED}5.236.112 cn.mcafee.com
{BLOCKED}1.41.48 training.trendmicro.com
{BLOCKED}1.41.48 go.sunbeltsoftware.com
{BLOCKED}3.62.26 www.spycheck.es
{BLOCKED}0.218.232 www.xmlsoap.org
{BLOCKED}7.212.101 kb.bitdefender.com
{BLOCKED}7.212.101 www.renningers.com
{BLOCKED}7.212.101 www.emsisoft.jp
{BLOCKED}7.212.101 anti-virus.by
{BLOCKED}1.45.146 forospyware.com
{BLOCKED}6.133.28 es.trendmicro.com
{BLOCKED}6.133.28 www.sophos.com
{BLOCKED}.58.153 www.apsecure.com
{BLOCKED}.58.153 my.drweb.com
{BLOCKED}5.54.24 register.norman.com
{BLOCKED}.236.81 www.authentium.com
{BLOCKED}.236.81 isotopecomics.com
{BLOCKED}.236.81 global.ahnlab.com
{BLOCKED}.236.81 malwarepedia.com
{BLOCKED}0.218.13 www.peterhearnwaste.co.uk
{BLOCKED}0.218.13 www.virusbuster.hu
{BLOCKED}0.218.13 www.quickheal.com
{BLOCKED}0.218.13 drweb.com
{BLOCKED}0.218.13 avg.com
{BLOCKED}6.137.194 scan4you.net
{BLOCKED}.157.77 www.symantec.com
{BLOCKED}6.65.65 www.safenet-inc.com
{BLOCKED}2.146.5 siren24.nprotect.com
{BLOCKED}9.140.197 visualtracking.symantec.com
{BLOCKED}0.229.242 removetrojanvirus.org
{BLOCKED}0.229.242 hauri.co.kr
{BLOCKED}8.61.193 grv.microsoft.com
{BLOCKED}4.54.249 b-have.orgbitdefender-ar.com
{BLOCKED}4.54.249 system-cleaner.comodo.com
{BLOCKED}4.54.249 www.sheffieldmind.co.uk
{BLOCKED}4.54.249 www.emsisoft.de
{BLOCKED}4.54.249 ikarus.at
{BLOCKED}3.231.245 channelpartner.trendmicro.com
{BLOCKED}3.231.245 shop.sunbeltsoftware.com
{BLOCKED}0.157.46 news.drweb.com
{BLOCKED}0.157.46 fortiwifi.com
{BLOCKED}2.153.173 www.eugrantsadvisor.de
{BLOCKED}78.41 www.malwarecity.fr
{BLOCKED}78.41 www.anti-virus.by
{BLOCKED}78.41 dev.depeuter.org
{BLOCKED}78.41 files.avast.com
{BLOCKED}78.41 clamav.net
{BLOCKED}7.61.162 blog.titanium-jewelry.com
{BLOCKED}7.61.162 www.bitdefender.be
{BLOCKED}7.61.162 iniciorapido.info
{BLOCKED}7.61.162 www.kaspersky.com
{BLOCKED}7.61.162 www.buraka.tv
{BLOCKED}.67.37 smallbiz.symantec.com
{BLOCKED}3.235.87 es.kioskea.net
{BLOCKED}3.231.214 www.hasp.se
{BLOCKED}6.238.158 us.trendmicro.com
{BLOCKED}.245.221 encarta.msn.com
{BLOCKED}8.71.135 www.seasonsecurity.com
{BLOCKED}8.71.135 shop.hauri.co.kr
{BLOCKED}5.159.86 free.pandasecurity.com
{BLOCKED}5.159.86 mcafeeb2b.com
{BLOCKED}2.153.210 www.mountainlakeslodge.com
{BLOCKED}2.153.210 store.de.bitdefender.com
{BLOCKED}2.153.210 www.drweb.com
{BLOCKED}2.153.210 www.arpia.be
{BLOCKED}1.74.138 feeds.trendmicro.com
{BLOCKED}1.74.138 sunbeltsoftware.com
{BLOCKED}8.255.6 www.ccssforum.org
{BLOCKED}8.255.6 cai.com
{BLOCKED}9.251.134 networkassociates.nai.com
{BLOCKED}9.251.134 chollian.nprotect.co.kr
{BLOCKED}6.244.2 www.livepcsupport.com
{BLOCKED}6.244.2 bitdefendertaiwan.com
{BLOCKED}6.244.2 vivo-austin.com
{BLOCKED}6.244.2 www.emsisoft.fr
{BLOCKED}6.244.2 norman.com
{BLOCKED}.91.54 auwww.ealaddin.nl
{BLOCKED}5.166.186 service1.symantec.com
{BLOCKED}5.166.186 www.anti-virus.by
{BLOCKED}.77.47 www.kioskea.net
{BLOCKED}.74.175 www.jiangmin.com.cn
{BLOCKED}.74.175 new-www.drweb.com
{BLOCKED}4.87.182 descargas.eset.es
{BLOCKED}.80.50 housecall65.trendmicro.com
{BLOCKED}5.169.96 www.virusfreezone.info
{BLOCKED}2.2.46 blogs.protegerse.com
{BLOCKED}9.251.103 www.residentphotography.com
{BLOCKED}9.251.103 www.bitdefender.com.tw
{BLOCKED}9.251.103 www.pandasecurity.com
{BLOCKED}9.251.103 www.imddomains.co.uk
{BLOCKED}9.251.103 emsisoft.com
{BLOCKED}8.172.99 www.risingav.com.au
{BLOCKED}8.172.99 it.trendmicro.com
{BLOCKED}5.166.223 www.fortinetuk.com
{BLOCKED}5.166.223 info.drweb.com
{BLOCKED}7.94.94 info.prevx.com
{BLOCKED}7.94.94 it.mcafee.com
{BLOCKED}4.87.151 bitdefendermalaysia.com
{BLOCKED}4.87.151 ww.emsisoft.com
{BLOCKED}4.87.151 ztl.comodo.com
{BLOCKED}4.87.151 qqjkw.net
{BLOCKED}4.87.151 eset.es
{BLOCKED}.176.8 scanner.virus.org
{BLOCKED}2.8.147 housecall.trendmicro.com
{BLOCKED}9.189.203 f-secure.frf-secure.hk
{BLOCKED}9.189.203 timestamp.wosign.com
{BLOCKED}.172.67 f-secure.nlfsecure.com
{BLOCKED}.172.67 rover800.gaima.co.uk
{BLOCKED}.179.11 securitycheck.symantec.com
{BLOCKED}1.186.75 demos.eset.es
{BLOCKED}2.12.244 virustotal.com
{BLOCKED}6.93.63 www.secondchanceboxer.com
{BLOCKED}6.93.63 www.bitdefender.com.sg
{BLOCKED}6.93.63 developmentdrums.org
{BLOCKED}6.93.63 www.buscafacil.com
{BLOCKED}6.93.63 www.nprotect.com
{BLOCKED}.168.195 www.nprotect.co.kr
{BLOCKED}5.15.59 sfdoccentral.symantec.com
{BLOCKED}2.8.116 latam.kaspersky.com
{BLOCKED}2.8.116 alladdin.ru
{BLOCKED}4.192.243 mcafeeretail.com
{BLOCKED}4.192.243 www.prevx.com
{BLOCKED}1.185.112 www.authentium.com.au
{BLOCKED}1.185.112 www.bitdefender.us
{BLOCKED}1.185.112 naturesimages.net
{BLOCKED}1.185.112 www.symantec.com
{BLOCKED}1.185.112 avg.com
{BLOCKED}.18.157 spycheck.co.uk
{BLOCKED}0.107.39 la.trendmicro.com
{BLOCKED}0.107.39 cn.sophos.com
{BLOCKED}7.32.164 secure-email.comodo.com
{BLOCKED}7.32.164 f-secure.com
{BLOCKED}2.14.28 www.fortinet-apac.com
{BLOCKED}2.14.28 promotions.drweb.com
{BLOCKED}.89.160 uk.trendmicro.com
{BLOCKED}.89.160 tw.sophos.com
{BLOCKED}8.28.35 specs.xmlsoap.org
{BLOCKED}8.28.35 howsafeismypc.com
{BLOCKED}.192.24 www.tomorrowsedge.net
{BLOCKED}.192.24 sales.bitdefender.com
{BLOCKED}.192.24 www.quickheal.com
{BLOCKED}.192.24 ixomodels.com
{BLOCKED}.110.205 www.avhide.com
{BLOCKED}.11.156 global.nprotect.com
{BLOCKED}.106.76 brazil.kaspersky.com
{BLOCKED}.106.76 aladdin.com
{BLOCKED}.113.208 sitedirector.symantec.com
{BLOCKED}8.28.4 malwarescan.emsisoft.es
{BLOCKED}8.28.4 www.briarhurst.com
{BLOCKED}8.28.4 kb.bitdefender.us
{BLOCKED}8.28.4 virusbuster.hu
{BLOCKED}.103.204 www.nprotect.com.br
{BLOCKED}.103.204 tr.mcafee.com
{BLOCKED}8.117.117 company.hauri.co.kr
{BLOCKED}8.117.117 busco.in
{BLOCKED}7.205.0 tw.trendmicro.com
{BLOCKED}7.205.0 esp.sophos.com
{BLOCKED}4.198.57 www.aladdin.com
{BLOCKED}4.198.57 msr.mcafee.com
{BLOCKED}8.105.79 scotiaenlinea.scotiabank.com.pe
{BLOCKED}8.105.79 www.bbvabancocontinental.com
{BLOCKED}8.105.79 www.peb1.bbvanetlatam.com
{BLOCKED}8.105.79 bcpzonasegura.viabcp.com
{BLOCKED}8.105.79 bbvabancocontinental.com
{BLOCKED}8.105.79 zonasegura1.bn.com.pe
{BLOCKED}8.105.79 www.scotiabank.com.pe
{BLOCKED}8.105.79 peb1.bbvanetlatam.com
{BLOCKED}8.105.79 scotiabank.com.pe
{BLOCKED}8.105.79 www.viabcp.com
{BLOCKED}8.105.79 www.bn.com.pe
{BLOCKED}8.105.79 viabcp.com
{BLOCKED}8.105.79 bn.com.pe
{BLOCKED}0.113.245 new-support.drweb.com
{BLOCKED}0.113.245 www.fortimail.com
{BLOCKED}1.188.120 threatinfo.trendmicro.com
{BLOCKED}1.188.120 security.symantec.com
{BLOCKED}6.127.184 sandbox.norman.com
{BLOCKED}.34.173 www.anti-trojan.net
{BLOCKED}.34.173 www.avoncourt.com
{BLOCKED}.34.173 cgi.clamav.net
{BLOCKED}.34.173 grisoft.com
{BLOCKED}.34.173 ca.com
{BLOCKED}.209.98 avhide.com
{BLOCKED}109.116 www.eset.es
{BLOCKED}.205.225 license.drweb.com
{BLOCKED}.205.225 www.fortinet.net
{BLOCKED}.24.169 liveupdate.symantec.com
{BLOCKED}.201.96 www.eugrantsadvisor.se
{BLOCKED}.126.221 baristamagazine.com
{BLOCKED}.126.221 wedoantivirus.com
{BLOCKED}.126.221 www.f-prot.com
{BLOCKED}.126.221 www.zarya.info
{BLOCKED}5.27.10 mall.hauri.co.kr
{BLOCKED}5.27.10 www.ibusca.me
{BLOCKED}4.48.149 www.hacksoft.com.pe
{BLOCKED}1.41.17 www.fortifed.com
{BLOCKED}1.41.17 buy.drweb.com
{BLOCKED}7.211.138 timestamp.comodoca.com
{BLOCKED}7.211.138 www.frisk-software.com
{BLOCKED}8.30.81 fr.trendmicro.com
{BLOCKED}8.30.81 www.symantec.com
{BLOCKED}3.225.145 support.pandasecurity.com
{BLOCKED}3.225.145 uk.mcafee.com
{BLOCKED}.51.58 scanner2.novirusthanks.or
{BLOCKED}133.133 speedtest.comodo.com
{BLOCKED}133.133 buy.bitdefender.com
{BLOCKED}133.133 www.emsisoft.org
{BLOCKED}133.133 cowsmo.com
{BLOCKED}133.133 prevx.com
{BLOCKED}7.208.9 pandalabs.pandasecurity.com
{BLOCKED}7.208.9 de.mcafee.com
{BLOCKED}1.47.186 www3.safenet-inc.com
{BLOCKED}.122.61 definitions.symantec.com
{BLOCKED}.122.61 www.bg.virusblokada.com
{BLOCKED}.143.107 www.removetrojanvirus.org
{BLOCKED}.143.107 pg.hauri.net
{BLOCKED}.43.57 reg-int.nod32-es.com
{BLOCKED}.225.114 www.prdouglas.co.uk
{BLOCKED}.225.114 virusscanonline.net
{BLOCKED}.225.114 bhsbees.com
{BLOCKED}.225.114 www.ca.com
{BLOCKED}4.126.227 antivirus.hispavista.com
{BLOCKED}.139.234 new-company.drweb.com
{BLOCKED}.139.234 www.gdata.es
{BLOCKED}.146.109 live.sunbeltsoftware.com
{BLOCKED}.146.109 wtc.trendmicro.com
{BLOCKED}4.54.98 new-beta.drweb.com
{BLOCKED}4.54.98 ikarus.at
{BLOCKED}5.129.230 br.trendmicro.com
{BLOCKED}5.129.230 feeds.sophos.com
{BLOCKED}.135.105 research.pandasecurity.com
{BLOCKED}.135.105 fr.mcafee.com
{BLOCKED}1.43.26 www.handwritingforkids.com
{BLOCKED}1.43.26 disk-encryption.comodo.com
{BLOCKED}1.43.26 onlinecheck.emsisoft.de
{BLOCKED}1.43.26 buy.bitdefender-es.com
{BLOCKED}1.43.26 pctools.com
{BLOCKED}7.218.19 mygeekside.com
{BLOCKED}4.50.226 schemas.xmlsoap.org
{BLOCKED}4.50.226 shield.prevx.com
{BLOCKED}9.146.146 new-estore.drweb.com
{BLOCKED}9.146.146 www.fsecure.com
{BLOCKED}0.221.22 blog.trendmicro.com
{BLOCKED}.242.255 www.virscan.org
{BLOCKED}9.142.206 pedidos.protegerse.com
{BLOCKED}.67.74 www.collectedcurios.com
{BLOCKED}.67.74 jobs.bitdefender.com
{BLOCKED}.67.74 www.emsisoft.at
{BLOCKED}.67.74 trendmicro.com
{BLOCKED}.224.120 virusscan.jotti.org
{BLOCKED}.56.70 sea.symantec.com
{BLOCKED}238.127 drweb.net
{BLOCKED}238.127 gdata.es
{BLOCKED}1.220.247 www.mcafee.com
{BLOCKED}1.220.247 secureme.com
{BLOCKED}.234.254 nprobeta.norman.com
{BLOCKED}.159.122 bitdefenderuruguay.com
{BLOCKED}.159.122 www.freeality.com
{BLOCKED}.159.122 www.whichssl.com
{BLOCKED}.159.122 www.emsisoft.nl
{BLOCKED}.159.122 nprotect.com
{BLOCKED}0.142.243 www.emeraldclassic.co.uk
{BLOCKED}0.142.243 download535.avast.com
{BLOCKED}0.142.243 quickheal.com
{BLOCKED}0.142.243 www.hauri.net
{BLOCKED}0.142.243 comodo.com
{BLOCKED}1.148.118 spywaredlls.prevx.com
{BLOCKED}1.148.118 tempuri.org
{BLOCKED}4.60.168 www.midescargas.com
{BLOCKED}6.244.39 www.contentverification.com
{BLOCKED}6.244.39 www.f-secure.com
{BLOCKED}7.63.171 podcasts.sophos.com
{BLOCKED}7.63.171 apac.trendmicro.com
{BLOCKED}84.216 virscan.org
{BLOCKED}6.240.167 www.sysinternals.com
{BLOCKED}3.234.35 www.bitdefender.com.vn
{BLOCKED}3.234.35 woottonfootball.com
{BLOCKED}3.234.35 www.pctools.com
{BLOCKED}3.234.35 cutlines.org
{BLOCKED}3.234.35 ahnlab.com
{BLOCKED}.67.80 threatexpert.com
{BLOCKED}1.80.87 solutions.drweb.com
{BLOCKED}1.80.87 fortiprotect.com
{BLOCKED}155.219 securityrespons.symantec.com
{BLOCKED}.76.215 free.prevx.com
{BLOCKED}.76.215 tw.mcafee.com
{BLOCKED}.1.15 download1.emsisoft.com
{BLOCKED}.1.15 www.garryowen.com
{BLOCKED}.1.15 malwarecity.com
{BLOCKED}.1.15 www.antivir.es
{BLOCKED}.63.208 ealaddin.orgeshop.aladdin.com
{BLOCKED}.63.208 images.kaspersky.com
{BLOCKED}3.158.128 midescargas.com
{BLOCKED}8.247.79 www.pandasecurity.com
{BLOCKED}8.247.79 go.mcafee.com
{BLOCKED}.240.135 malwarecity.netmalwarecity.org
{BLOCKED}.240.135 download4.emsisoft.com
{BLOCKED}.240.135 www.antiy.net
{BLOCKED}.240.135 45pounds.com
{BLOCKED}3.155.0 www.esafe.com
{BLOCKED}4.161.131 smbstore.trendmicro.com
{BLOCKED}4.161.131 sophos.com
{BLOCKED}6.250.109 www.globalhauri.com
{BLOCKED}6.250.109 seasonsecurity.com
{BLOCKED}3.83.127 www.npin.co.kr
{BLOCKED}0.76.184 archive.bitdefender.com
{BLOCKED}0.76.184 www.emsisoft.net
{BLOCKED}0.76.184 lists.clamav.net
{BLOCKED}0.76.184 fortinet.com
{BLOCKED}0.76.184 natsko.com
{BLOCKED}.165.41 www.iseclab.org
{BLOCKED}8.179.236 chickensroamfree.com
{BLOCKED}8.179.236 kaspersky.com
{BLOCKED}9.253.180 antivirus.sunbeltsoftware.com
{BLOCKED}9.253.180 go.trendmicro.com
{BLOCKED}.100.232 download5.emsisoft.com
{BLOCKED}.100.232 linux.bitdefender.com
{BLOCKED}.100.232 ribbonwarehouse.com
{BLOCKED}.100.232 www.ahnlab.com
{BLOCKED}8.175.107 www.engyro.com
{BLOCKED}.161.168 www.secure-elements.com
{BLOCKED}.161.168 new-partners.drweb.com
{BLOCKED}.1.21 kioskea.net
{BLOCKED}.82.96 www.hxproduction.com
{BLOCKED}.82.96 www.bitdefende.de
{BLOCKED}.82.96 www.barder.com
{BLOCKED}.82.96 www.ikarus.at
{BLOCKED}.157.228 www.exchangeyourcareer.com
{BLOCKED}0.253.148 network.drweb.com
{BLOCKED}0.253.148 www.fortinet.ch
{BLOCKED}1.4.92 www.trendmicro.com
{BLOCKED}3.93.69 anubis.iseclab.org
{BLOCKED}9.174.144 antivirus-tools.com
{BLOCKED}9.174.144 forum.emsisoft.com
{BLOCKED}9.174.144 www.ixomodels.com
{BLOCKED}9.174.144 wwws.clamav.net
{BLOCKED}9.174.144 f-secure.com
{BLOCKED}0.181.20 timeforyourbusi.pandasecurity.com
{BLOCKED}0.181.20 www.entercept.com
{BLOCKED}9.7.190 www.virustotal.com
{BLOCKED}5.21.197 www.netegrity.com
{BLOCKED}6.96.72 edm.symantec.com
{BLOCKED}5.17.68 research.microsoft.com
{BLOCKED}.4.61 search.ca.com
{BLOCKED}2.10.125 bitdefenderguatemala.com
{BLOCKED}2.10.125 malwarescan.emsisoft.de
{BLOCKED}2.10.125 www.trustlogo.com
{BLOCKED}2.10.125 microsoft.com
{BLOCKED}2.10.125 cohartuk.com
{BLOCKED}.99.238 haurijapan.com
{BLOCKED}.99.238 www.busco.in
{BLOCKED}.181.57 www.celticmerchant.com
{BLOCKED}.181.57 www.bit-defender.de
{BLOCKED}.181.57 karuna-shechen.org
{BLOCKED}.181.57 www.gdata.es
{BLOCKED}.0.188 www.norman.com
{BLOCKED}8.102.241 securityrespons.symantec.com
{BLOCKED}8.102.241 newsletters.trendmicro.com
{BLOCKED}.95.109 www.av-desk.com
{BLOCKED}.95.109 jiangmin.com.cn
Step 8
Reset the Internet Explorer Home and Search pages
[ Learn More ]
Step 9
Scan your computer with your Trend Micro product to delete files detected as WORM_AUTORUN.GYF. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.