Trojan.Encoder.699

Added to the Dr.Web virus database: 2014-07-15

Description added:

Technical information

Malicious functions:
Creates and executes:
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Globalization\MCT\MCT-CA\Wallpaper\CA-wp6.jpg"
  • '%TEMP%\svchost.exe' /pid=0xf20 /log
  • '%TEMP%\svchost.exe' /pid=0x7dc /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Globalization\MCT\MCT-AU\Wallpaper\AU-wp1.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Globalization\MCT\MCT-AU\Wallpaper\AU-wp5.jpg"
  • '%TEMP%\svchost.exe' /pid=0x644 /log
  • '%TEMP%\svchost.exe' /pid=0x494 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Globalization\MCT\MCT-US\Wallpaper\US-wp1.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Globalization\MCT\MCT-GB\Wallpaper\GB-wp4.jpg"
  • '%TEMP%\svchost.exe' /pid=0x4d0 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\ehome\CreateDisc\Styles\PAL\Symphony\Symphony\Symphony.psd"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg"
  • '%TEMP%\svchost.exe' /pid=0xf74 /log
  • '%TEMP%\svchost.exe' /pid=0xe5c /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "<LS_APPDATA>\Microsoft\Windows Mail\Stationery\Wrinkled_Paper.gif"
  • '%TEMP%\svchost.exe' /pid=0xf24 /log
  • '%TEMP%\svchost.exe' /pid=0xf98 /log
  • '%TEMP%\svchost.exe' /pid=0xd64 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\Public\Pictures\Sample Pictures\Koala.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg"
  • '%TEMP%\svchost.exe' /pid=0xfcc /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif"
  • '%TEMP%\svchost.exe' /pid=0xf70 /log
  • '%TEMP%\svchost.exe' /pid=0xf18 /log
  • '%TEMP%\svchost.exe' /pid=0xf4c /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif"
  • '%TEMP%\svchost.exe' /pid=0xcc0 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif"
  • '%TEMP%\svchost.exe' /pid=0xcb4 /log
  • '%TEMP%\svchost.exe' /pid=0xf04 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Globalization\MCT\MCT-ZA\Wallpaper\ZA-wp4.jpg"
  • '%TEMP%\svchost.exe' /pid=0xd38 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Globalization\MCT\MCT-ZA\Wallpaper\ZA-wp3.jpg"
  • '%TEMP%\svchost.exe' /pid=0xe2c /log
  • '%TEMP%\svchost.exe' /pid=0xd40 /log
  • '%TEMP%\svchost.exe' /pid=0xe24 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg"
  • '%TEMP%\svchost.exe' /pid=0xda4 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Globalization\MCT\MCT-ZA\Wallpaper\ZA-wp5.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_Code\ApplicationConfigurationPage.cs"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "<LS_APPDATA>\Microsoft\Windows Mail\Stationery\Tiki.gif"
  • '%TEMP%\svchost.exe' /pid=0xf10 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp"
  • '%TEMP%\svchost.exe' /pid=0xf34 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp"
  • '%TEMP%\svchost.exe' /pid=0xf00 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp"
  • '%TEMP%\svchost.exe' /pid=0x738 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp"
  • '%TEMP%\svchost.exe' /pid=0xe9c /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "<LS_APPDATA>\Microsoft\Windows Mail\Stationery\Small_News.jpg"
  • '%TEMP%\svchost.exe' /pid=0xf60 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "<LS_APPDATA>\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "<LS_APPDATA>\Microsoft\Windows Mail\Stationery\Peacock.jpg"
  • '%TEMP%\svchost.exe' /pid=0xc88 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "<LS_APPDATA>\Microsoft\Windows Mail\Stationery\Stucco.gif"
  • '%TEMP%\svchost.exe' /pid=0xd00 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "<LS_APPDATA>\Microsoft\Windows Mail\Stationery\Connectivity.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "<LS_APPDATA>\Microsoft\Windows Mail\Stationery\SoftBlue.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "<LS_APPDATA>\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "<LS_APPDATA>\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp"
  • '%TEMP%\svchost.exe' /pid=0xba0 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "<LS_APPDATA>\Microsoft\Windows Mail\Stationery\Monet.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "<LS_APPDATA>\Microsoft\Windows Mail\Stationery\Notebook.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "<LS_APPDATA>\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg"
  • '%TEMP%\svchost.exe' /pid=0xe68 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "<LS_APPDATA>\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\1033\eula.rtf"
  • '%TEMP%\svchost.exe' /pid=0xd30 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\1032\eula.rtf"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\1031\eula.rtf"
  • '%TEMP%\svchost.exe' /pid=0xfdc /log
  • '%TEMP%\svchost.exe' /pid=0xcf0 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\1043\eula.rtf"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\1038\eula.rtf"
  • '%TEMP%\svchost.exe' /pid=0xe20 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\1037\eula.rtf"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\1030\eula.rtf"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif"
  • '%TEMP%\svchost.exe' /pid=0xf44 /log
  • '%TEMP%\svchost.exe' /pid=0xec0 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_1x1.gif"
  • '%TEMP%\svchost.exe' /pid=0xe50 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\1029\eula.rtf"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\1025\eula.rtf"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\SplashScreen.bmp"
  • '%TEMP%\svchost.exe' /pid=0xffc /log
  • '%TEMP%\svchost.exe' /pid=0xf30 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\1045\eula.rtf"
  • '%TEMP%\svchost.exe' /pid=0xe64 /log
  • '%TEMP%\svchost.exe' /pid=0x3d0 /log
  • '%TEMP%\svchost.exe' /pid=0x368 /log
  • '%TEMP%\svchost.exe' /pid=0xfc0 /log
  • '%TEMP%\svchost.exe' /pid=0xc90 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\2052\eula.rtf"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\1046\eula.rtf"
  • '%TEMP%\svchost.exe' /pid=0xce4 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\1036\eula.rtf"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\1049\eula.rtf"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\2070\eula.rtf"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\1046\eula.rtf"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\1044\eula.rtf"
  • '%TEMP%\svchost.exe' /pid=0xed8 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\1032\eula.rtf"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\1033\eula.rtf"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\1028\eula.rtf"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\header.bmp"
  • '%TEMP%\svchost.exe' /pid=0xb0c /log
  • '%TEMP%\svchost.exe' /pid=0xdc8 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif"
  • '%TEMP%\svchost.exe' /pid=0xcb0 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\branding_Full2.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\alert_sml.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif"
  • '%TEMP%\svchost.exe' /pid=0xd2c /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif"
  • '%TEMP%\svchost.exe' /pid=0xd20 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\help.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif"
  • '%TEMP%\svchost.exe' /pid=0xdcc /log
  • '%TEMP%\svchost.exe' /pid=0xe6c /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_Code\SecurityPage.cs"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif"
  • '%TEMP%\svchost.exe' /pid=0xde0 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_Code\WizardPage.cs"
  • '%TEMP%\svchost.exe' /pid=0xf58 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_Code\WebAdminPage.cs"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif"
  • '%TEMP%\svchost.exe' /pid=0xd48 /log
  • '%TEMP%\svchost.exe' /pid=0xd7c /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_Code\PasswordValueTextBox.cs"
  • '%TEMP%\svchost.exe' /pid=0xe0c /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif"
  • '%TEMP%\svchost.exe' /pid=0xd50 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\image1.gif"
  • '%TEMP%\svchost.exe' /pid=0xb78 /log
  • '%TEMP%\svchost.exe' /pid=0xf3c /log
  • '%TEMP%\svchost.exe' /pid=0xee0 /log
  • '%TEMP%\svchost.exe' /pid=0x6f0 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\icons\Minimize.gif"
  • '%TEMP%\svchost.exe' /pid=0xe18 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\icons\Close.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\arrow\arrow-up-dis.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\arrow\arrow-up-hov.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\radio\radio-check.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\scrollbar\slider.gif"
  • '%TEMP%\svchost.exe' /pid=0xbe0 /log
  • '%TEMP%\svchost.exe' /pid=0xe3c /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\radio\radio-check-dis.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\arrow\arrow-rit.gif"
  • '%TEMP%\svchost.exe' /pid=0xf78 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\arrow\arrow-lft-sharp.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\arrow\arrow-lft-sharp-end.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\arrow\arrow-lft-dis.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\arrow\arrow-lft-hov.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\arrow\arrow-rit-sharp-end.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\arrow\arrow-rit-sharp.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\arrow\arrow-rit-hov.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\arrow\arrow-lft.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\arrow\arrow-rit-dis.gif"
  • '%TEMP%\svchost.exe' /pid=0xcd0 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\arrow\arrow-rit-hov.gif"
  • '%TEMP%\svchost.exe' /pid=0xce0 /log
  • '%TEMP%\svchost.exe' /pid=0x448 /log
  • '%TEMP%\svchost.exe' /pid=0xd34 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\arrow\arrow-up-dis.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\arrow\arrow-up-hov.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\arrow\arrow-rit.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\arrow\arrow-rit-sharp-end.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\arrow\arrow-rit-sharp.gif"
  • '%TEMP%\svchost.exe' /pid=0xff8 /log
  • '%TEMP%\svchost.exe' /pid=0xf38 /log
  • '%TEMP%\svchost.exe' /pid=0xf80 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\splitter\grip-left.gif"
  • '%TEMP%\svchost.exe' /pid=0xefc /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\splitter\grip-bottom.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\arrow\arrow-dn-hov.gif"
  • '%TEMP%\svchost.exe' /pid=0xfd0 /log
  • '%TEMP%\svchost.exe' /pid=0xfac /log
  • '%TEMP%\svchost.exe' /pid=0xf8c /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\arrow\arrow-dn-dis.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\arrow\arrow-dn.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\ShadesOfBlue.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\Small_News.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\Sand_Paper.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\Psychedelic.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\Roses.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\White_Chocolate.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\Cave_Drawings.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\Tanspecks.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\SoftBlue.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\Stars.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\Pretty_Peacock.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\GreenBubbles.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\HandPrints.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\Garden.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\Bears.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\Blue_Gradient.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\Peacock.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\Pine_Lumber.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\OrangeCircles.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\Monet.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\Notebook.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\DVD Maker\Shared\DvdStyles\rectangle_postage_Thumbnail.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\DVD Maker\Shared\DvdStyles\rectangle_performance_Thumbnail.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\arrow\arrow-dn-hov.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\arrow\arrow-dn-sharp.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\res\arrowd.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\DVD Maker\Shared\DvdStyles\rectangle_scrapbook_Thumbnail.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\res\arrow.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\Wrinkled_Paper.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Services\verisign.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\Tiki.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\Connectivity.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%CommonProgramFiles%\Microsoft Shared\Stationery\Stucco.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\DVD Maker\Shared\DvdStyles\rectangle_babypink_Thumbnail.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\DVD Maker\Shared\DvdStyles\circle_glass_Thumbnail.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\arrow\arrow-up-sharp.gif"
  • '%TEMP%\svchost.exe' /pid=0xee4 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\user.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\guest.bmp"
  • '%TEMP%\svchost.exe' /pid=0xe88 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES% (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\1px.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp"
  • '%TEMP%\svchost.exe' /pid=0xf54 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp"
  • '%TEMP%\svchost.exe' /pid=0x124 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES% (x86)\Common Files\microsoft shared\Stationery\SoftBlue.jpg"
  • '%TEMP%\svchost.exe' /pid=0xdac /log
  • '%TEMP%\svchost.exe' /pid=0xcd4 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES% (x86)\Common Files\microsoft shared\Stationery\Roses.jpg"
  • '%TEMP%\svchost.exe' /pid=0xfec /log
  • '%TEMP%\svchost.exe' /pid=0xe40 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES% (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\16-on-black.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES% (x86)\Windows Media Player\Media Renderer\DMR_48.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES% (x86)\Common Files\microsoft shared\Stationery\Stars.jpg"
  • '%TEMP%\svchost.exe' /pid=0xdd4 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp"
  • '%TEMP%\svchost.exe' /pid=0xf94 /log
  • '%TEMP%\svchost.exe' /pid=0xca8 /log
  • '%TEMP%\svchost.exe' /pid=0xf28 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp"
  • '%TEMP%\svchost.exe' /pid=0xd14 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp"
  • '%TEMP%\svchost.exe' /pid=0x388 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES% (x86)\Common Files\microsoft shared\Stationery\Peacock.jpg"
  • '%TEMP%\svchost.exe' /pid=0xd68 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\toolbar\chevron.gif"
  • '%TEMP%\svchost.exe' /pid=0xccc /log
  • '%TEMP%\svchost.exe' /pid=0xaa4 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\splitter\grip-right.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\res\table-add-row-after-hover.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\res\table-add-row-after.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\res\table-add-row-after-active.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\res\table-add-column-before-active.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\res\table-add-column-before-hover.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\splitter\grip-left.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\icons\Restore.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\radio\radio-check-dis.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\icons\Minimize.gif"
  • '%TEMP%\svchost.exe' /pid=0xea8 /log
  • '%TEMP%\svchost.exe' /pid=0xe54 /log
  • '%TEMP%\svchost.exe' /pid=0x464 /log
  • '%TEMP%\svchost.exe' /pid=0x310 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\scrollbar\slider.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\radio\radio-check.gif"
  • '%TEMP%\svchost.exe' /pid=0xc9c /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\Windows Media Player\Network Sharing\wmpnss_color32.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\Windows Media Player\Network Sharing\wmpnss_color48.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\Windows Media Player\Network Sharing\wmpnss_color120.jpg"
  • '%TEMP%\svchost.exe' /pid=0xd5c /log
  • '%TEMP%\svchost.exe' /pid=0xd54 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES% (x86)\Common Files\microsoft shared\Stationery\OrangeCircles.jpg"
  • '%TEMP%\svchost.exe' /pid=0xfa8 /log
  • '%TEMP%\svchost.exe' /pid=0xfbc /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssLogo.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\Windows Sidebar\Gadgets\SlideShow.Gadget\images\Tulip.jpg"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\Windows Media Player\Network Sharing\wmpnss_bw32.bmp"
  • '%TEMP%\svchost.exe' /pid=0xf48 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\res\table-remove-column-hover.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\res\table-add-row-before.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\res\table-add-row-before-active.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\res\table-add-row-before-hover.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\Windows Media Player\Media Renderer\DMR_48.jpg"
  • '%TEMP%\svchost.exe' /pid=0xd24 /log
  • '%TEMP%\svchost.exe' /pid=0xc84 /log
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\res\table-remove-column.gif"
  • '%TEMP%\svchost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\res\table-remove-row-active.gif"
Executes:
  • '%WINDIR%\SysWOW64\attrib.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_Code\ProvidersPage.cs"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_Code\SecurityPage.cs"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_Code\NavigationBar.cs"
  • '%WINDIR%\SysWOW64\attrib.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_Code\PasswordValueTextBox.cs"
  • '<SYSTEM32>\conhost.exe' /pid=0xeb4 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xe6c /log
  • '<SYSTEM32>\conhost.exe' /pid=0xde0 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_Code\WizardPage.cs"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Globalization\MCT\MCT-GB\Wallpaper\GB-wp3.jpg"
  • '<SYSTEM32>\conhost.exe' /pid=0xf90 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xed4 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Globalization\MCT\MCT-GB\Wallpaper\GB-wp2.jpg"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Globalization\MCT\MCT-ZA\Wallpaper\ZA-wp2.jpg"
  • '<SYSTEM32>\conhost.exe' /pid=0xda0 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xf94 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Globalization\MCT\MCT-US\Wallpaper\US-wp5.jpg"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_Code\NavigationBar.cs"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_Code\ProvidersPage.cs"
  • '%WINDIR%\SysWOW64\attrib.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif"
  • '%WINDIR%\SysWOW64\attrib.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_Code\ApplicationConfigurationPage.cs"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\alert_lrg.gif"
  • '<SYSTEM32>\conhost.exe' /pid=0xc88 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xf08 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif"
  • '%WINDIR%\SysWOW64\chcp.com' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif"
  • '%WINDIR%\SysWOW64\attrib.exe' /pid=0xcf0 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_1x1.gif"
  • '<SYSTEM32>\conhost.exe' /pid=0xec4 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xd20 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xdcc /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "<LS_APPDATA>\Microsoft\Windows Mail\Stationery\Roses.jpg"
  • '%WINDIR%\SysWOW64\chcp.com' --batch --no-verbose -q --encrypt-files -r uncrypt "<LS_APPDATA>\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg"
  • '<SYSTEM32>\conhost.exe' /pid=0xe20 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xbc8 /log
  • '%WINDIR%\SysWOW64\attrib.exe' /pid=0xd24 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "<LS_APPDATA>\Microsoft\Windows Mail\Stationery\Stars.jpg"
  • '<SYSTEM32>\conhost.exe' /pid=0xee8 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xf4c /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "<LS_APPDATA>\Microsoft\Windows Mail\Stationery\Bears.jpg"
  • '<SYSTEM32>\conhost.exe' /pid=0xe84 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "<LS_APPDATA>\Microsoft\Windows Mail\Stationery\Psychedelic.jpg"
  • '<SYSTEM32>\conhost.exe' /pid=0x278 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xff0 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "<LS_APPDATA>\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg"
  • '%WINDIR%\SysWOW64\attrib.exe' /pid=0xf68 /log
  • '%WINDIR%\SysWOW64\attrib.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Globalization\MCT\MCT-AU\Wallpaper\AU-wp4.jpg"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg"
  • '<SYSTEM32>\conhost.exe' /pid=0xfe0 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xdb0 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Globalization\MCT\MCT-GB\Wallpaper\GB-wp1.jpg"
  • '%WINDIR%\SysWOW64\attrib.exe' /pid=0x3d0 /log
  • '%WINDIR%\SysWOW64\attrib.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Globalization\MCT\MCT-AU\Wallpaper\AU-wp6.jpg"
  • '<SYSTEM32>\conhost.exe' /pid=0xe3c /log
  • '<SYSTEM32>\DllHost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "<LS_APPDATA>\Microsoft\Windows Mail\Stationery\Cave_Drawings.gif"
  • '<SYSTEM32>\conhost.exe' /pid=0xe0c /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg"
  • '<SYSTEM32>\conhost.exe' /pid=0xf14 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\Users\Public\Pictures\Sample Pictures\Desert.jpg"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\1029\eula.rtf"
  • '<SYSTEM32>\conhost.exe' /pid=0xd58 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\1025\eula.rtf"
  • '<SYSTEM32>\conhost.exe' /pid=0xcc0 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\1035\eula.rtf"
  • '<SYSTEM32>\conhost.exe' /pid=0xba0 /log
  • '%WINDIR%\SysWOW64\chcp.com' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\1030\eula.rtf"
  • '<SYSTEM32>\conhost.exe' /pid=0xcd4 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\1042\eula.rtf"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\1055\eula.rtf"
  • '<SYSTEM32>\conhost.exe' /pid=0xdb8 /log
  • '%WINDIR%\SysWOW64\attrib.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\1041\eula.rtf"
  • '<SYSTEM32>\conhost.exe' /pid=0xfe4 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\SplashScreen.bmp"
  • '<SYSTEM32>\conhost.exe' /pid=0xf7c /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\3082\eula.rtf"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\2070\eula.rtf"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\3082\eula.rtf"
  • '<SYSTEM32>\conhost.exe' /pid=0xef0 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xe7c /log
  • '<SYSTEM32>\conhost.exe' /pid=0xc98 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "<SYSTEM32>\license.rtf"
  • '<SYSTEM32>\conhost.exe' /pid=0xf98 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\security\database\tmp.edb"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\1041\eula.rtf"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\1042\eula.rtf"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\1037\eula.rtf"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\1038\eula.rtf"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\1044\eula.rtf"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\1049\eula.rtf"
  • '<SYSTEM32>\conhost.exe' /pid=0xe04 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\1043\eula.rtf"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_Code\SecurityPage.cs"
  • '<SYSTEM32>\conhost.exe' /pid=0xf64 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\yellowCORNER.gif"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_Code\ApplicationConfigurationPage.cs"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\security_watermark.jpg"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg"
  • '<SYSTEM32>\conhost.exe' /pid=0xfc8 /log
  • '%WINDIR%\SysWOW64\chcp.com' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\folder.gif"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\image2.gif"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\aspx_file.gif"
  • '<SYSTEM32>\conhost.exe' /pid=0xc94 /log
  • '<SYSTEM32>\conhost.exe' /pid=0x368 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif"
  • '<SYSTEM32>\conhost.exe' /pid=0xe1c /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\requiredBang.gif"
  • '<SYSTEM32>\conhost.exe' /pid=0x388 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\1028\eula.rtf"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif"
  • '<SYSTEM32>\conhost.exe' /pid=0xc9c /log
  • '<SYSTEM32>\conhost.exe' /pid=0x4f8 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\1035\eula.rtf"
  • '<SYSTEM32>\conhost.exe' /pid=0xca0 /log
  • '%WINDIR%\SysWOW64\chcp.com' /pid=0xccc /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif"
  • '<SYSTEM32>\conhost.exe' /pid=0xcac /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif"
  • '<SYSTEM32>\conhost.exe' /pid=0x4b4 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif"
  • '<SYSTEM32>\conhost.exe' /pid=0xd00 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\checkbox\cbox-check.gif"
  • '<SYSTEM32>\conhost.exe' /pid=0xef8 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xe8c /log
  • '<SYSTEM32>\DllHost.exe' /pid=0xe6c /log
  • '<SYSTEM32>\conhost.exe' /pid=0xf6c /log
  • '<SYSTEM32>\conhost.exe' /pid=0xf88 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\console\console-error-caret.gif"
  • '<SYSTEM32>\conhost.exe' /pid=0xf1c /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\arrow\arrow-dn.gif"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\arrow\arrow-lft-dis.gif"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\console\console-error-dash.gif"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\splitter\grip-top.gif"
  • '<SYSTEM32>\conhost.exe' /pid=0xdbc /log
  • '<SYSTEM32>\conhost.exe' /pid=0xde4 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\arrow\arrow-lft-sharp-end.gif"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\arrow\arrow-lft-sharp.gif"
  • '<SYSTEM32>\conhost.exe' /pid=0xcfc /log
  • '<SYSTEM32>\conhost.exe' /pid=0xe98 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xdd8 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\res\table-add-column-after.gif"
  • '<SYSTEM32>\conhost.exe' /pid=0xefc /log
  • '<SYSTEM32>\conhost.exe' /pid=0xf00 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xbe0 /log
  • '<SYSTEM32>\DllHost.exe' /pid=0xec0 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\splitter\grip-bottom.gif"
  • '%WINDIR%\SysWOW64\attrib.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\splitter\grip-top.gif"
  • '<SYSTEM32>\conhost.exe' /pid=0x598 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xfd4 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xddc /log
  • '%WINDIR%\SysWOW64\attrib.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\res\table-add-column-after-hover.gif"
  • '%WINDIR%\SysWOW64\attrib.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\global\tree\columnpicker.gif"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\res\table-add-column-after-active.gif"
  • '<SYSTEM32>\conhost.exe' /pid=0xd38 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xd5c /log
  • '%WINDIR%\SysWOW64\attrib.exe' +r +h "%APPDATA%\Roaming\gnupg"
  • '<SYSTEM32>\DllHost.exe' /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  • '<SYSTEM32>\conhost.exe' /pid=0xedc /log
  • '<SYSTEM32>\conhost.exe' /pid=0xf04 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xe18 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xeb8 /log
  • '%WINDIR%\SysWOW64\attrib.exe' -s -h -r "%APPDATA%\Roaming\gnupg\*.*"
  • '%WINDIR%\SysWOW64\attrib.exe' -s -h -r "%APPDATA%\Roaming\gnupg"
  • '%WINDIR%\SysWOW64\cmd.exe' /c ""%TEMP%\csrss.bat" "
  • '%WINDIR%\SysWOW64\chcp.com' 1251
  • '%WINDIR%\SysWOW64\attrib.exe' +r +h "%APPDATA%\Roaming\gnupg\random_seed"
  • '%WINDIR%\SysWOW64\attrib.exe' +r +h "%APPDATA%\Roaming\gnupg\trustdb.gpg"
  • '%WINDIR%\SysWOW64\attrib.exe' +r +h "%APPDATA%\Roaming\gnupg\pubring.bak"
  • '%WINDIR%\SysWOW64\attrib.exe' +r +h "%APPDATA%\Roaming\gnupg\pubring.gpg"
  • '<SYSTEM32>\conhost.exe' /pid=0xf48 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xfa0 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xed0 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xf2c /log
  • '%WINDIR%\SysWOW64\attrib.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\arrow\arrow-up.gif"
  • '%WINDIR%\SysWOW64\attrib.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\FireFox\chrome\toolkit\skin\classic\aero\global\console\console-error-caret.gif"
  • '<SYSTEM32>\conhost.exe' /pid=0x6dc /log
  • '%WINDIR%\SysWOW64\chcp.com' /pid=0xd50 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\DVD Maker\Shared\DvdStyles\rectangle_specialocc_Thumbnail.bmp"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\DVD Maker\Shared\DvdStyles\rectangle_travel_Thumbnail.bmp"
  • '<SYSTEM32>\conhost.exe' /pid=0xfa8 /log
  • '<SYSTEM32>\conhost.exe' /pid=0x434 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xe38 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xe80 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\DVD Maker\Shared\DvdStyles\rectangle_widescreen_Thumbnail.bmp"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "%PROGRAM_FILES%\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp"
  • '<SYSTEM32>\conhost.exe' /pid=0xecc /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp"
  • '<SYSTEM32>\conhost.exe' /pid=0xdf8 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp"
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg"
  • '<SYSTEM32>\conhost.exe' /pid=0xcbc /log
  • '<SYSTEM32>\conhost.exe' /pid=0xfb4 /log
  • '<SYSTEM32>\conhost.exe' /pid=0xf78 /log
  • '<SYSTEM32>\conhost.exe' --batch --no-verbose -q --encrypt-files -r uncrypt "C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp"
  • '<SYSTEM32>\conhost.exe' /pid=0xd7c /log
  • '<SYSTEM32>\conhost.exe' /pid=0xfcc /log
  • '<SYSTEM32>\conhost.exe' /pid=0x644 /log
Terminates or attempts to terminate a large number of user processes.
Changes to the file system:
Creates the following files:
  • %HOMEPATH%\Documents\КАК РАСШИФРОВАТЬ ФАЙЛЫ.TXT
  • %TEMP%\gnupg\trustdb.gpg
  • %TEMP%\csrss.bat
  • %TEMP%\iconv.dll
  • %TEMP%\gnupg\random_seed
  • %TEMP%\nss20D9.tmp\System.dll
  • %TEMP%\gnupg\pubring.bak
  • %TEMP%\gnupg\pubring.gpg
  • %TEMP%\svchost.exe
  • %APPDATA%\Roaming\gnupg\random_seed
  • %APPDATA%\Roaming\gnupg\trustdb.gpg
  • %HOMEPATH%\Desktop\КАК РАСШИФРОВАТЬ ФАЙЛЫ.TXT
  • %APPDATA%\Roaming\gnupg\pubring.gpg
  • %TEMP%\uncrypt.t
  • %TEMP%\nss20D9.tmp\ExecDos.dll
  • %APPDATA%\Roaming\gnupg\pubring.bak
Sets the 'hidden' attribute on the following files:
  • %APPDATA%\Roaming\gnupg\random_seed
  • %APPDATA%\Roaming\gnupg\trustdb.gpg
  • %APPDATA%\Roaming\gnupg\pubring.bak
  • %APPDATA%\Roaming\gnupg\pubring.gpg
Deletes the following files:
  • %TEMP%\gnupg\random_seed
  • %TEMP%\gnupg\trustdb.gpg
  • %TEMP%\gnupg\pubring.bak
  • %TEMP%\gnupg\pubring.gpg

Curing recommendations

  1. If the operating system can boot (normally or in safe mode), download the Dr.Web CureIt! curing utility and use it to run a full scan of your computer and of any removable media you use.
  2. If the operating system cannot boot, change your computer's BIOS settings so that the PC can boot from a CD or USB drive. Download the image of the Dr.Web® LiveDisk emergency system recovery disk, or the utility for writing Dr.Web® LiveDisk to a USB drive, and prepare the corresponding media. After booting the computer from this media, run a full scan and cure the detected threats.

Run a full system scan using Dr.Web Light Anti-virus for macOS. This product can be downloaded from the official Apple App Store website.

On the booted OS, run a full scan of all disk partitions using Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install the free anti-virus product Dr.Web for Android Light on it. Run a full system scan and follow the recommendations for neutralizing the detected threats.
  2. If the mobile device is locked by a ransomware trojan of the Android.Locker family (the screen shows an accusation of breaking the law, a demand to pay a certain sum of money, or another message that interferes with normal use of the device), do the following:
    • boot your smartphone or tablet in safe mode (depending on the operating system version and the specifics of the particular mobile device, this procedure can be performed in different ways; for details, consult the manual supplied with the device or contact its manufacturer directly);
    • once safe mode is active, install the free anti-virus product Dr.Web for Android Light on the infected device and run a full system scan, following the recommendations for neutralizing the detected threats;
    • power the device off and turn it back on in normal mode.
