Gen.Variant.Zusy.183921_a4a0dacc6e

by malwarelabrobot on April 10th, 2018 in Malware Descriptions.

Gen:Variant.Zusy.183921 (BitDefender), Trojan-Dropper.Win32.Agent.fqvk (Kaspersky), Trojan.PWS.Vkontakte.259 (DrWeb), Gen:Variant.Zusy.183921 (B) (Emsisoft), Trojan-FKZY!A4A0DACC6E5E (McAfee), SMG.Heur!gen (Symantec), Trojan.Backdoor.Ircbot (Ikarus), Gen:Variant.Zusy.183921 (FSecure), Win32:Agent-AQRA [Trj] (AVG), Win32:Agent-AQRA [Trj] (Avast), TROJ_DROPPER_FD250377.UVPM (TrendMicro), Gen:Variant.Zusy.183921 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor


This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: a4a0dacc6e5eca689ad822846c4cda83
SHA1: aa7be6ace25969251186f8046887013c5ae22849
SHA256: 6ea4acfd9e8da70ad522828b20e8e3b8c6d36e9ce7e18c2b03b998aeced7aa93
SSDeep: 98304:lTtc4gZte8n3S2JXQLGix sTftF1nt3VM8/Z W4uASRrZ1cFuBa3:peZtn3S2OXF1ntFMevASh8F93
Size: 5101104 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-09-24 18:34:15
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Dropper: a Trojan program intended for the stealthy installation of other malware onto the user's system.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

install.exe:3132
go.exe:816
Temp51.exe:2688
wm_player.exe:2796
setup.exe:1292
%original file name%.exe:2668

The Trojan injects its code into the following process(es):

go.exe:3104

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process install.exe:3132 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\79.arc (1340 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\1111ProgStart.name (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\driiver\É¿ßp¡¬¿\É¿ßp¡«¬2.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\driiver\É¿ßp¡¬¿\É¿ßp¡«¬1.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\engine\cry.obo (152 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\engine\who.obo (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\go.exe (9474 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\driiver\wm_player.exe (9809 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\79.arc (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\1111ProgStart.name (0 bytes)

The process go.exe:3104 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\driiver\É¿ßp¡¬¿\É¿ßp¡«¬1.png (3 bytes)
C:\Windows\driiver\É¿ßp¡¬¿\É¿ßp¡«¬2.png (3 bytes)
C:\Windows\driiver\wm_player.exe (7775 bytes)

The process go.exe:816 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\setup.exe (290 bytes)

The process Temp51.exe:2688 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\RCXE1A8.tmp (26426 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\1111ProgStart.name (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\TempExeF62.exe (38671 bytes)
C:\%original file name%.exe (38295 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\PureSFX51.arc (295269 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\w.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\1111ProgStart.name (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\PureSFX51.arc (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\ww.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\install.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\TempExeF62.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\go.exe (0 bytes)

The process wm_player.exe:2796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\driiver\date.obo (3 bytes)

The process setup.exe:1292 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw65B7.tmp\StealthMode.ini (1303 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw65B7.tmp\AgeVerify.ini (1284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw65B7.tmp\StealthAttention.ini (1122 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw65B7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg65A6.tmp (0 bytes)

The process %original file name%.exe:2668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\w.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\1111ProgStart.name (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\ww.txt (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\install.exe (9918 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\Temp51.exe (102 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\setup.exe (39784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\go.exe (1016 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\31.arc (750 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\1111ProgStart.name (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\31.arc (0 bytes)

Registry activity

The process go.exe:3104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\go_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\go_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\go_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\go_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\go_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"

To run itself automatically each time Windows boots, the Trojan adds a link to its file under the following system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"wm_player_video_driver" = "C:\windows\driiver\wm_player.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process wm_player.exe:2796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process setup.exe:1292 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\thriXXX\3DSexVilla2\3DSexVilla2SharedDLL]
"PNG" = "010218PNG"
"JP2" = "017010JP2"

Dropped PE files

MD5 File path
2f6cb6b2cdf9c073de11c43d6cd5d58c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\install.exe
e18b0d94dd1e96b5b7d9485b6e44806f c:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\setup.exe
36b99a635a0d4f0f9fccbe2dda28ed6a c:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\driiver\wm_player.exe
41f47d5ba84a9e073ee7276dfaf75648 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\go.exe
36b99a635a0d4f0f9fccbe2dda28ed6a c:\Windows\driiver\wm_player.exe
98b6970ef3e12097323e8e29a7b1dbd7 c:\%original file name%.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 0.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: 33333.exe
Internal Name: 33333.exe
File Version: 0.0.0.0
File Description:
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.code 4096 7205 7680 3.83637 d583f61ca3321710ae3e88dbd1172e72
.text 12288 85162 85504 4.62348 32092f473b5ba3180a37e4c44dbb6614
.rdata 98304 25962 26112 5.23878 b6ab1fe668ae5da27a25120ba9c173de
.data 126976 9288 8192 3.97575 eee56163f1cf3a0cf154654949eb6c4e
.rsrc 139264 4972272 4972544 5.53749 0a3993cd73f49882f4881df607b0e945

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 81

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

setup.exe_1292:


install.exe_3132:


go.exe_3104_rwx_0037C000_00004000:


go.exe_3104_rwx_079F0000_0000F000:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    install.exe:3132
    go.exe:816
    Temp51.exe:2688
    wm_player.exe:2796
    setup.exe:1292
    %original file name%.exe:2668

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\79.arc (1340 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\1111ProgStart.name (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\driiver\É¿ßp¡¬¿\É¿ßp¡«¬2.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\driiver\É¿ßp¡¬¿\É¿ßp¡«¬1.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\engine\cry.obo (152 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\engine\who.obo (88 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\go.exe (9474 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\driiver\wm_player.exe (9809 bytes)
    C:\Windows\driiver\É¿ßp¡¬¿\É¿ßp¡«¬1.png (3 bytes)
    C:\Windows\driiver\É¿ßp¡¬¿\É¿ßp¡«¬2.png (3 bytes)
    C:\Windows\driiver\wm_player.exe (7775 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\setup.exe (290 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\RCXE1A8.tmp (26426 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\1111ProgStart.name (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\TempExeF62.exe (38671 bytes)
    C:\%original file name%.exe (38295 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\PureSFX51.arc (295269 bytes)
    C:\Windows\driiver\date.obo (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw65B7.tmp\StealthMode.ini (1303 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw65B7.tmp\AgeVerify.ini (1284 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw65B7.tmp\StealthAttention.ini (1122 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\w.txt (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\ww.txt (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\install.exe (9918 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\Temp51.exe (102 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\go.exe (1016 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\31.arc (750 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "wm_player_video_driver" = "C:\windows\driiver\wm_player.exe"

  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
