Trojan.StartPage.46962

Added to the Dr.Web virus database: 2012-08-31

Virus description added:

Technical Information

To ensure autorun and distribution:
Modifies the following registry keys:
  • [<HKLM>\SOFTWARE\Classes\Spiralmonkey.DreamAquarium.1\shell\Open\command] '' = '"\Windows\System32\ErrorsAndUpdates.exe" "%1"'
  • [<HKLM>\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command] '' = '"%PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE" %1'
  • [<HKLM>\SOFTWARE\Classes\ftp\shell\open\command] '' = '"%PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE" %1'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32] 'vidc.cvid' = 'iccvid.dll'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32] 'vidc.iv31' = 'ir32_32.dll'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32] 'vidc.iv32' = 'ir32_32.dll'
Creates the following services:
  • [<HKLM>\SYSTEM\ControlSet001\Services\SamSs] 'Start' = '00000002'
  • [<HKLM>\SYSTEM\ControlSet001\Services\Schedule] 'Start' = '00000002'
  • [<HKLM>\SYSTEM\ControlSet001\Services\PlugPlay] 'Start' = '00000002'
  • [<HKLM>\SYSTEM\ControlSet001\Services\RpcSs] 'Start' = '00000002'
  • [<HKLM>\SYSTEM\ControlSet001\Services\SENS] 'Start' = '00000002'
  • [<HKLM>\SYSTEM\ControlSet001\Services\TrkWks] 'Start' = '00000002'
  • [<HKLM>\SYSTEM\ControlSet001\Services\winmgmt] 'Start' = '00000002'
  • [<HKLM>\SYSTEM\ControlSet001\Services\ShellHWDetection] 'Start' = '00000002'
  • [<HKLM>\SYSTEM\ControlSet001\Services\Themes] 'Start' = '00000002'
  • [<HKLM>\SYSTEM\ControlSet001\Services\LmHosts] 'Start' = '00000002'
  • [<HKLM>\SYSTEM\ControlSet001\Services\DcomLaunch] 'Start' = '00000002'
  • [<HKLM>\SYSTEM\ControlSet001\Services\Dhcp] 'Start' = '00000002'
  • [<HKLM>\SYSTEM\ControlSet001\Services\AudioSrv] 'Start' = '00000002'
  • [<HKLM>\SYSTEM\ControlSet001\Services\CryptSvc] 'Start' = '00000002'
  • [<HKLM>\SYSTEM\ControlSet001\Services\Dnscache] 'Start' = '00000002'
  • [<HKLM>\SYSTEM\ControlSet001\Services\lanmanserver] 'Start' = '00000002'
  • [<HKLM>\SYSTEM\ControlSet001\Services\lanmanworkstation] 'Start' = '00000002'
  • [<HKLM>\SYSTEM\ControlSet001\Services\Eventlog] 'Start' = '00000002'
  • [<HKLM>\SYSTEM\ControlSet001\Services\EventSystem] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
forces the system to hide from view:
  • hidden files
  • file extensions
blocks the following features:
  • User Account Control (UAC)
Creates and executes the following:
  • %TEMP%\Optimization.exe
Executes the following:
  • <SYSTEM32>\sc.exe config SysMain start= DEMAND
  • <SYSTEM32>\sc.exe config swprv start= DEMAND
  • <SYSTEM32>\sc.exe config TBS start= DEMAND
  • <SYSTEM32>\sc.exe config TapiSrv start= DEMAND
  • <SYSTEM32>\sc.exe config stisvc start= DEMAND
  • <SYSTEM32>\sc.exe config sppuinotify start= DEMAND
  • <SYSTEM32>\sc.exe config sppsvc start= AUTO
  • <SYSTEM32>\sc.exe config SstpSvc start= DEMAND
  • <SYSTEM32>\sc.exe config SSDPSRV start= DEMAND
  • <SYSTEM32>\sc.exe config UmRdpService start= DEMAND
  • <SYSTEM32>\sc.exe config UI0Detect start= DEMAND
  • <SYSTEM32>\sc.exe config UxSms start= AUTO
  • <SYSTEM32>\sc.exe config upnphost start= DEMAND
  • <SYSTEM32>\sc.exe config TrustedInstaller start= DEMAND
  • <SYSTEM32>\sc.exe config Themes start= AUTO
  • <SYSTEM32>\sc.exe config TermService start= DEMAND
  • <SYSTEM32>\sc.exe config TrkWks start= AUTO
  • <SYSTEM32>\sc.exe config THREADORDER start= DEMAND
  • <SYSTEM32>\sc.exe config Spooler start= DEMAND
  • <SYSTEM32>\sc.exe config SamSs start= AUTO
  • <SYSTEM32>\sc.exe config RpcSs start= AUTO
  • <SYSTEM32>\sc.exe config Schedule start= AUTO
  • <SYSTEM32>\sc.exe config SCardSvr start= DEMAND
  • <SYSTEM32>\sc.exe config RpcLocator start= DEMAND
  • <SYSTEM32>\sc.exe config RemoteAccess start= DISABLED
  • <SYSTEM32>\sc.exe config RasMan start= DEMAND
  • <SYSTEM32>\sc.exe config RpcEptMapper start= AUTO
  • <SYSTEM32>\sc.exe config RemoteRegistry start= DEMAND
  • <SYSTEM32>\sc.exe config SharedAccess start= DISABLED
  • <SYSTEM32>\sc.exe config SessionEnv start= DEMAND
  • <SYSTEM32>\sc.exe config SNMPTRAP start= DEMAND
  • <SYSTEM32>\sc.exe config ShellHWDetection start= AUTO
  • <SYSTEM32>\sc.exe config SensrSvc start= DEMAND
  • <SYSTEM32>\sc.exe config SDRSVC start= DEMAND
  • <SYSTEM32>\sc.exe config SCPolicySvc start= DEMAND
  • <SYSTEM32>\sc.exe config SENS start= AUTO
  • <SYSTEM32>\sc.exe config seclogon start= DEMAND
  • <SYSTEM32>\sc.exe config WwanSvc start= DEMAND
  • <SYSTEM32>\sc.exe config wudfsvc start= AUTO
  • <SYSTEM32>\reg.exe delete HKEY_CLASSES_ROOT\.bmp\ShellNew /f
  • <SYSTEM32>\powercfg.exe -h off
  • <SYSTEM32>\sc.exe config wuauserv start= DEMAND
  • <SYSTEM32>\sc.exe config WPCSvc start= DEMAND
  • <SYSTEM32>\sc.exe config WMPNetworkSvc start= DEMAND
  • <SYSTEM32>\sc.exe config WSearch start= DISABLED
  • <SYSTEM32>\sc.exe config WPDBusEnum start= AUTO
  • <SYSTEM32>\reg.exe delete HKEY_CLASSES_ROOT\.rtf\ShellNew /f
  • <SYSTEM32>\reg.exe delete HKEY_CLASSES_ROOT\.contact\ShellNew /f
  • <SYSTEM32>\ping.exe 127.0.0.1 -n 3
  • <SYSTEM32>\reg.exe delete HKEY_CLASSES_ROOT\.zip\CompressedFolder\ShellNew /f
  • <SYSTEM32>\reg.exe delete HKEY_CLASSES_ROOT\.jnt\jntfile\ShellNew /f
  • <SYSTEM32>\reg.exe delete HKEY_CLASSES_ROOT\.zip\ShellNew /f
  • <SYSTEM32>\reg.exe delete HKEY_CLASSES_ROOT\.rar\ShellNew /f
  • <SYSTEM32>\reg.exe delete HKEY_CLASSES_ROOT\.xdp\AcroExch.XDPDoc\ShellNew /f
  • <SYSTEM32>\reg.exe delete HKEY_CLASSES_ROOT\Briefcase\ShellNew /f
  • <SYSTEM32>\sc.exe config wmiApSrv start= DEMAND
  • <SYSTEM32>\sc.exe config wcncsvc start= DEMAND
  • <SYSTEM32>\sc.exe config WbioSrvc start= DEMAND
  • <SYSTEM32>\sc.exe config WdiServiceHost start= DEMAND
  • <SYSTEM32>\sc.exe config WcsPlugInService start= DEMAND
  • <SYSTEM32>\sc.exe config wbengine start= DEMAND
  • <SYSTEM32>\sc.exe config vds start= DEMAND
  • <SYSTEM32>\sc.exe config VaultSvc start= DEMAND
  • <SYSTEM32>\sc.exe config W32Time start= DEMAND
  • <SYSTEM32>\sc.exe config VSS start= DEMAND
  • <SYSTEM32>\sc.exe config Winmgmt start= AUTO
  • <SYSTEM32>\sc.exe config WinHttpAutoProxySvc start= DEMAND
  • <SYSTEM32>\sc.exe config Wlansvc start= DEMAND
  • <SYSTEM32>\sc.exe config WinRM start= DEMAND
  • <SYSTEM32>\sc.exe config WerSvc start= DEMAND
  • <SYSTEM32>\sc.exe config WebClient start= DEMAND
  • <SYSTEM32>\sc.exe config WdiSystemHost start= DEMAND
  • <SYSTEM32>\sc.exe config wercplsupport start= DEMAND
  • <SYSTEM32>\sc.exe config Wecsvc start= DEMAND
  • <SYSTEM32>\sc.exe config EapHost start= DEMAND
  • <SYSTEM32>\sc.exe config DPS start= DEMAND
  • <SYSTEM32>\sc.exe config eventlog start= AUTO
  • <SYSTEM32>\sc.exe config EFS start= DEMAND
  • <SYSTEM32>\sc.exe config dot3svc start= DEMAND
  • <SYSTEM32>\sc.exe config defragsvc start= DEMAND
  • <SYSTEM32>\sc.exe config DcomLaunch start= AUTO
  • <SYSTEM32>\sc.exe config Dnscache start= AUTO
  • <SYSTEM32>\sc.exe config Dhcp start= AUTO
  • <SYSTEM32>\sc.exe config hidserv start= DEMAND
  • <SYSTEM32>\sc.exe config gpsvc start= AUTO
  • <SYSTEM32>\sc.exe config HomeGroupListener start= DEMAND
  • <SYSTEM32>\sc.exe config hkmsvc start= DEMAND
  • <SYSTEM32>\sc.exe config FontCache3.0.0.0 start= DEMAND
  • <SYSTEM32>\sc.exe config fdPHost start= DEMAND
  • <SYSTEM32>\sc.exe config EventSystem start= AUTO
  • <SYSTEM32>\sc.exe config FontCache start= AUTO
  • <SYSTEM32>\sc.exe config FDResPub start= DEMAND
  • <SYSTEM32>\sc.exe config CscService start= DEMAND
  • <SYSTEM32>\sc.exe config AudioEndpointBuilder start= AUTO
  • <SYSTEM32>\sc.exe config AppMgmt start= DEMAND
  • <SYSTEM32>\sc.exe config AxInstSV start= DEMAND
  • <SYSTEM32>\sc.exe config AudioSrv start= AUTO
  • <SYSTEM32>\sc.exe config Appinfo start= DEMAND
  • <SYSTEM32>\sc.exe config AeLookupSvc start= DEMAND
  • <SYSTEM32>\cmd.exe /c \Windows\System32\zh-CN\op.bat
  • <SYSTEM32>\sc.exe config AppIDSvc start= DEMAND
  • <SYSTEM32>\sc.exe config ALG start= DEMAND
  • <SYSTEM32>\sc.exe config clr_optimization_v2.0.50727_32 start= DISABLED
  • <SYSTEM32>\sc.exe config CertPropSvc start= DEMAND
  • <SYSTEM32>\sc.exe config CryptSvc start= AUTO
  • <SYSTEM32>\sc.exe config COMSysApp start= DEMAND
  • <SYSTEM32>\sc.exe config bthserv start= DEMAND
  • <SYSTEM32>\sc.exe config BFE start= AUTO
  • <SYSTEM32>\sc.exe config BDESVC start= DEMAND
  • <SYSTEM32>\sc.exe config Browser start= DEMAND
  • <SYSTEM32>\sc.exe config BITS start= DEMAND
  • <SYSTEM32>\sc.exe config PcaSvc start= AUTO
  • <SYSTEM32>\sc.exe config p2psvc start= DEMAND
  • <SYSTEM32>\sc.exe config pla start= DEMAND
  • <SYSTEM32>\sc.exe config PeerDistSvc start= DEMAND
  • <SYSTEM32>\sc.exe config p2pimsvc start= DEMAND
  • <SYSTEM32>\sc.exe config NetTcpPortSharing start= DISABLED
  • <SYSTEM32>\sc.exe config netprofm start= DEMAND
  • <SYSTEM32>\sc.exe config nsi start= AUTO
  • <SYSTEM32>\sc.exe config NlaSvc start= AUTO
  • <SYSTEM32>\sc.exe config ProtectedStorage start= DEMAND
  • <SYSTEM32>\sc.exe config ProfSvc start= AUTO
  • <SYSTEM32>\sc.exe config RasAuto start= DEMAND
  • <SYSTEM32>\sc.exe config QWAVE start= DEMAND
  • <SYSTEM32>\sc.exe config Power start= AUTO
  • <SYSTEM32>\sc.exe config PNRPAutoReg start= DEMAND
  • <SYSTEM32>\sc.exe config PlugPlay start= AUTO
  • <SYSTEM32>\sc.exe config PolicyAgent start= DEMAND
  • <SYSTEM32>\sc.exe config PNRPsvc start= DEMAND
  • <SYSTEM32>\sc.exe config Netman start= DEMAND
  • <SYSTEM32>\sc.exe config KtmRm start= DEMAND
  • <SYSTEM32>\sc.exe config KeyIso start= DEMAND
  • <SYSTEM32>\sc.exe config LanmanWorkstation start= AUTO
  • <SYSTEM32>\sc.exe config LanmanServer start= AUTO
  • <SYSTEM32>\sc.exe config iphlpsvc start= DEMAND
  • <SYSTEM32>\sc.exe config idsvc start= DEMAND
  • <SYSTEM32>\sc.exe config HomeGroupProvider start= DEMAND
  • <SYSTEM32>\sc.exe config IPBusEnum start= DEMAND
  • <SYSTEM32>\sc.exe config IKEEXT start= DEMAND
  • <SYSTEM32>\sc.exe config msiserver start= DEMAND
  • <SYSTEM32>\sc.exe config MSiSCSI start= DEMAND
  • <SYSTEM32>\sc.exe config Netlogon start= DEMAND
  • <SYSTEM32>\sc.exe config napagent start= DEMAND
  • <SYSTEM32>\sc.exe config MSDTC start= DEMAND
  • <SYSTEM32>\sc.exe config lmhosts start= AUTO
  • <SYSTEM32>\sc.exe config lltdsvc start= DEMAND
  • <SYSTEM32>\sc.exe config MpsSvc start= AUTO
  • <SYSTEM32>\sc.exe config MMCSS start= AUTO
Modifies settings of Windows Internet Explorer:
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '160A' = '00000000'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1C00' = ''
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] 'CurrentLevel' = '00000000'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'WarnonBadCertRecving' = '00000001'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1601' = '00000000'
Forces autoplay for removable media.
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system:
Creates the following files:
  • C:\Users\Public\Desktop\腾讯QQ.lnk
  • C:\Users\Public\Desktop\迅雷7.lnk
  • C:\Users\Public\Desktop\酷狗音乐.lnk
  • C:\Users\Public\Desktop\暴风影音.lnk
  • C:\Users\Public\Desktop\服务优化.lnk
  • C:\Users\Public\Desktop\激活工具.lnk
  • <SYSTEM32>\service.exe
  • <SYSTEM32>\zh-CN\op.bat
  • <SYSTEM32>\无线网络.exe
  • C:\Users\Public\Desktop\驱动精灵.lnk
  • %TEMP%\Optimization.exe
  • <SYSTEM32>\oemlogo.bmp
  • C:\Users\Public\Desktop\无线网络.lnk
  • C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk
  • C:\Users\%USERNAME%\Favorites\最佳导航 - BestURL.url
  • C:\Users\%USERNAME%\Favorites\课件园.url
  • %TEMP%\$inst\2.tmp
  • %TEMP%\$inst\7.tmp
  • %TEMP%\$inst\temp_0.tmp
  • C:\Users\Public\Desktop\Microsoft Word 2003.lnk
  • C:\Users\Public\Desktop\PPS影音.lnk
  • C:\Users\Public\Desktop\千千静听.lnk
  • C:\Users\%USERNAME%\Favorites\金狐电脑工作室.url
  • C:\Users\Public\Desktop\Internet Explorer.lnk
  • C:\Users\Public\Desktop\Microsoft Excel 2003.lnk
Deletes the following files:
  • %TEMP%\$inst\7.tmp
  • %TEMP%\Optimization.exe
  • %TEMP%\$inst\temp_0.tmp
  • %TEMP%\$inst\2.tmp
Miscellaneous:
Searches for the following windows:
  • ClassName: 'Shell_TrayWnd' WindowName: ''

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and of any removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, write it to a USB drive or burn it to a CD/DVD. After booting from this media, run a full scan and cure all the detected threats.
Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.