Gen.Variant.Zusy.183921_a02b519a31

by malwarelabrobot on July 24th, 2017 in Malware Descriptions.

Gen:Variant.Zusy.183921 (BitDefender), Trojan-Dropper.Win32.Agent.fqvk (Kaspersky), Trojan.PWS.Vkontakte.259 (DrWeb), Gen:Variant.Zusy.183921 (B) (Emsisoft), Trojan-FKZY!A02B519A31D5 (McAfee), SMG.Heur!gen (Symantec), Trojan.Backdoor.Ircbot (Ikarus), Gen:Variant.Zusy.183921 (FSecure), Win32:Agent-AQRA [Trj] (AVG), Win32:Agent-AQRA [Trj] (Avast), TROJ_DROPPER_FD250377.UVPM (TrendMicro), Gen:Variant.Zusy.183921 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: a02b519a31d546823926227c07b06c3c
SHA1: ab3f6372038939ec81b61c412930e92e0d2feb74
SHA256: c2726186fb646cae25ac1cbbeeb4367d0714e9d722956e8db6a45c8fae2627c5
SSDeep: 98304:hxtc4Iz4/9sSmRs0bHNIsVysfv590qq8n8FjNdDM1SF6JILAUkZZHPNLjtTPO:3yU/6SznsVysfvB9n8FjNdWS98ZxO
Size: 5101104 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Elements Browser
Created at: 2010-09-24 18:34:15
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Dropper. A Trojan program intended for the stealthy installation of other malware on the user's system.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3392
install.exe:812
go.exe:3584
Temp75.exe:532
wm_player.exe:2316
setup.exe:1780

The Trojan injects its code into the following process(es):

go.exe:2876

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3392 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\47.arc (750 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\1111ProgStart.name (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\Temp75.exe (188 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\w.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\setup.exe (39784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\install.exe (9918 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\ww.txt (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\go.exe (1016 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\1111ProgStart.name (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\47.arc (0 bytes)

The process install.exe:812 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp54348$\engine\who.obo (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp54348$\1111ProgStart.name (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp54348$\go.exe (9474 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\2.arc (1340 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp54348$\driiver\wm_player.exe (9809 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp54348$\engine\cry.obo (152 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp54348$\driiver\É¿ßp¡¬¿\É¿ßp¡«¬1.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp54348$\driiver\É¿ßp¡¬¿\É¿ßp¡«¬2.png (3 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\2.arc (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp54348$\1111ProgStart.name (0 bytes)

The process go.exe:3584 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\setup.exe (290 bytes)

The process go.exe:2876 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\driiver\É¿ßp¡¬¿\É¿ßp¡«¬1.png (3 bytes)
C:\Windows\driiver\É¿ßp¡¬¿\É¿ßp¡«¬2.png (3 bytes)
C:\Windows\driiver\wm_player.exe (7775 bytes)

The process Temp75.exe:532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\1111ProgStart.name (8 bytes)
C:\%original file name%.exe (38295 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\RCX4597.tmp (25852 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\TempExeF34.exe (38691 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\PureSFX46.arc (295269 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\TempExeF34.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\1111ProgStart.name (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\install.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\PureSFX46.arc (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\w.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\ww.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\go.exe (0 bytes)

The process wm_player.exe:2316 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\driiver\date.obo (3 bytes)

The process setup.exe:1780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssC929.tmp\StealthMode.ini (1303 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssC929.tmp\StealthAttention.ini (1122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssC929.tmp\AgeVerify.ini (1284 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscC918.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssC929.tmp (0 bytes)

Registry activity

The process go.exe:2876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\go_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\go_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\go_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\go_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\go_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"wm_player_video_driver" = "C:\windows\driiver\wm_player.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process wm_player.exe:2316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process setup.exe:1780 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\thriXXX\3DSexVilla2\3DSexVilla2SharedDLL]
"PNG" = "010218PNG"
"JP2" = "017010JP2"

Dropped PE files

MD5 File path
2f6cb6b2cdf9c073de11c43d6cd5d58c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\install.exe
e18b0d94dd1e96b5b7d9485b6e44806f c:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\setup.exe
36b99a635a0d4f0f9fccbe2dda28ed6a c:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp54348$\driiver\wm_player.exe
41f47d5ba84a9e073ee7276dfaf75648 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp54348$\go.exe
7b96d45f1814a0b9989126297bdd1ecf c:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\Temp75.exe
36b99a635a0d4f0f9fccbe2dda28ed6a c:\Windows\driiver\wm_player.exe
4bee4e770754bcfe6d492c0fa874e3a6 c:\%original file name%.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 0.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: 33333.exe
Internal Name: 33333.exe
File Version: 0.0.0.0
File Description:
Comments:
Language: German (Germany)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.code 4096 7205 7680 3.83637 d583f61ca3321710ae3e88dbd1172e72
.text 12288 85162 85504 4.62348 32092f473b5ba3180a37e4c44dbb6614
.rdata 98304 25962 26112 5.23878 b6ab1fe668ae5da27a25120ba9c173de
.data 126976 9288 8192 3.97575 eee56163f1cf3a0cf154654949eb6c4e
.rsrc 139264 4972188 4972544 5.53717 0efea162f4aab8e9cc738f7256c4f247

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 24

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Strings from Dumps

setup.exe_1780:

.text
`.rdata
@.data
.ndata
.rsrc
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
%s %s
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
... %d%%
verifying installer: %d%%
ADVAPI32.dll
~nsu.tmp
Au_.exe
shlwapi.dll
install.log
%u.%u%s%s
KERNEL32.dll
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
%Program Files%
Software\Microsoft\Windows\CurrentVersion
%s=%s
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
GetWindowsDirectoryA
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegDeleteKeyA
RegCloseKey
RegEnumKeyA
RegOpenKeyExA
RegCreateKeyExA
COMCTL32.dll
ole32.dll
VERSION.dll
RichEd20.dll
adm\AppData\Local\Temp\nssC929.tmp\StealthAttention.ini
WARE\Microsoft\Windows NT\CurrentVersion
Your operating system is not supported.
Compatible versions are: Windows 95, NT4, 98, ME, 2000, XP, Vista.
Recommended: Windows XP with latest Service Pack.
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssC929.tmp
nssC929.tmp
MessageBox: 12910628,"Your operating system is not supported.
%Program Files%\thriXXX\3D SexVilla 2 - Everlust\install.log
:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssC929.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\\setup.exe C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\\setup.exe
%Program Files%\thriXXX\3D SexVilla 2 - Everlust\
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$
setup.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nscC918.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v20-Apr-2007.cvs</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>

install.exe_812:

.code
`.text
`.rdata
@.data
.rsrc
1.2.3
inflate 1.2.3 Copyright 1995-2005 Mark Adler
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
2147483648
WindowClass_%d
PB_Hotkey
uxtheme.dll
COMCTL32.DLL
msimg32.dll
Kernel32.DLL
Microsoft.NET\Framework\v2.0.50727
.NET Framework 2.0
Windows 2000
1111ProgStart.name
MSVCRT.dll
KERNEL32.dll
CreatePipe
EnumWindows
MsgWaitForMultipleObjects
GetKeyState
EnumChildWindows
USER32.DLL
GDI32.DLL
IMAGEHLP.DLL
OLE32.DLL
ShellExecuteExA
SHELL32.DLL
WINMM.DLL
version="1.0.0.0"
name="CompanyName.ProductName.YourApp"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
0.0.0.0
23.exe
Website

go.exe_2876_rwx_00342000_00002000:


go.exe_2876_rwx_06650000_00010000:


go.exe_2876_rwx_6A5D2000_00002000:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3392
    install.exe:812
    go.exe:3584
    Temp75.exe:532
    wm_player.exe:2316
    setup.exe:1780

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\47.arc (750 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\1111ProgStart.name (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\Temp75.exe (188 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\w.txt (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\setup.exe (39784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\install.exe (9918 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\ww.txt (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp194176$\go.exe (1016 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp54348$\engine\who.obo (88 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp54348$\1111ProgStart.name (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp54348$\go.exe (9474 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\2.arc (1340 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp54348$\driiver\wm_player.exe (9809 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp54348$\engine\cry.obo (152 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp54348$\driiver\É¿ßp¡¬¿\É¿ßp¡«¬1.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp54348$\driiver\É¿ßp¡¬¿\É¿ßp¡«¬2.png (3 bytes)
    C:\Windows\driiver\É¿ßp¡¬¿\É¿ßp¡«¬1.png (3 bytes)
    C:\Windows\driiver\É¿ßp¡¬¿\É¿ßp¡«¬2.png (3 bytes)
    C:\Windows\driiver\wm_player.exe (7775 bytes)
    C:\%original file name%.exe (38295 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\RCX4597.tmp (25852 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\TempExeF34.exe (38691 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\PureSFX46.arc (295269 bytes)
    C:\Windows\driiver\date.obo (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssC929.tmp\StealthMode.ini (1303 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssC929.tmp\StealthAttention.ini (1122 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssC929.tmp\AgeVerify.ini (1284 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "wm_player_video_driver" = "C:\windows\driiver\wm_player.exe"

  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
