Trojan.Click2.42153

Added to the Dr.Web virus database: 2012-11-08

Virus description added:

Technical Information

To ensure autorun and distribution:
Modifies the following registry keys:
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'WindowsApplication' = '%APPDATA%\WindowsApplication\bin\wsms.exe'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'WindowsApplication' = '%APPDATA%\WindowsApplication\bin\start.exe'
Malicious functions:
Creates and executes the following:
  • %APPDATA%\WindowsApplication\bin\SynTPHelper.exe
  • %APPDATA%\WindowsApplication\bin\VolCtrl.exe
  • %APPDATA%\WindowsApplication\bin\QLBCtrl.exe
  • %APPDATA%\WindowsApplication\bin\SearchIndexer.exe
  • %APPDATA%\WindowsApplication\bin\wsms.exe
  • %APPDATA%\WindowsApplication\bin\start.exe
  • %APPDATA%\WindowsApplication\bin\ATService.exe
  • %APPDATA%\WindowsApplication\bin\WmiPrvSE.exe
Modifies file system:
Creates the following files:
  • %APPDATA%\WindowsApplication\bin\PocoCrypto.dll
  • %APPDATA%\WindowsApplication\bin\msvcr100.dll
  • %APPDATA%\WindowsApplication\bin\VolCtrl.exe
  • %APPDATA%\WindowsApplication\bin\PocoFoundation.dll
  • %APPDATA%\WindowsApplication\bin\PocoNet.dll
  • %APPDATA%\WindowsApplication\bin\PocoNetSSL.dll
  • %APPDATA%\WindowsApplication\bin\msvcp100.dll
  • %APPDATA%\WindowsApplication\bin\OSD6D5D.OSD
  • %APPDATA%\WindowsApplication\bin\wsms.exe
  • %APPDATA%\WindowsApplication\bin\RCX1.tmp
  • %APPDATA%\WindowsApplication\bin\Microsoft.CAB
  • %TEMP%\<Virus name>
  • %APPDATA%\WindowsApplication\bin\start.exe
  • %APPDATA%\WindowsApplication\bin\WmiPrvSE.exe
  • %APPDATA%\WindowsApplication\bin\PocoUtil.dll
  • %APPDATA%\WindowsApplication\bin\PocoXML.dll
  • %APPDATA%\WindowsApplication\bin\libeay32.dll
  • %APPDATA%\WindowsApplication\bin\QLBCtrl.exe
  • %APPDATA%\WindowsApplication\bin\ATService.exe
  • %APPDATA%\WindowsApplication\bin\Microsoft.VC90.CRT.manifest
  • %APPDATA%\WindowsApplication\bin\msvcr90.dll
  • %APPDATA%\WindowsApplication\bin\ssleay32.dll
  • %APPDATA%\WindowsApplication\bin\SynTPHelper.exe
  • %APPDATA%\WindowsApplication\bin\conf.properties
  • %APPDATA%\WindowsApplication\bin\SearchIndexer.exe
  • %APPDATA%\WindowsApplication\bin\Microsoft.conf
Deletes the following files:
  • %APPDATA%\WindowsApplication\bin\Microsoft.CAB
  • %APPDATA%\WindowsApplication\bin\start.exe
Moves the following files:
  • from %APPDATA%\WindowsApplication\bin\RCX1.tmp to %APPDATA%\WindowsApplication\bin\start.exe
Network activity:
Connects to:
  • 'sm##.#oxmail.com':465
UDP:
  • DNS ASK sm##.#oxmail.com
Miscellaneous:
Searches for the following windows:
  • ClassName: 'Indicator' WindowName: ''

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.
