Gen.Variant.Zusy.183921_ad93e73b19

by malwarelabrobot on July 25th, 2017 in Malware Descriptions.

Gen:Variant.Zusy.183921 (BitDefender), Trojan-Dropper.Win32.Agent.fqvk (Kaspersky), Trojan.PWS.Vkontakte.259 (DrWeb), Gen:Variant.Zusy.183921 (B) (Emsisoft), Trojan-FKZY!AD93E73B19D2 (McAfee), SMG.Heur!gen (Symantec), Trojan.Backdoor.Ircbot (Ikarus), Gen:Variant.Zusy.183921 (FSecure), Win32:Agent-AQRA [Trj] (AVG), Win32:Agent-AQRA [Trj] (Avast), TROJ_DROPPER_FD250377.UVPM (TrendMicro), Gen:Variant.Zusy.183921 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: ad93e73b19d28d058b81eb7f569a7ab8
SHA1: 280c2c2cff4c5f1b93b933291be675153040698a
SHA256: 93e20420c25191e39f4d4cbf0a28a520efb12f1e3be6a18862e42edf687d6841
SSDeep: 98304:fdtc4NMotBsdK3JwW5Mm1yOoJu/BXBVrL8c2wifYe1MNkhJo9LhcrXlVGU:Vv/BVqW536utbiQfkhy9arXbH
Size: 5096496 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-09-24 18:34:15
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Dropper: a Trojan program intended for the stealthy installation of other malware onto the user's system.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

install.exe:3520
go.exe:3360
%original file name%.exe:3408
Temp1.exe:3696
wm_player.exe:1472
setup.exe:3516

The Trojan injects its code into the following process(es):

go.exe:3400

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process install.exe:3520 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp585518$\driiver\É¿ßp¡¬¿\É¿ßp¡«¬1.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp585518$\driiver\É¿ßp¡¬¿\É¿ßp¡«¬2.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp585518$\engine\cry.obo (152 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\75.arc (1340 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp585518$\go.exe (9474 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp585518$\1111ProgStart.name (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp585518$\driiver\wm_player.exe (9809 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp585518$\engine\who.obo (88 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\75.arc (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp585518$\1111ProgStart.name (0 bytes)

The process go.exe:3400 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\driiver\É¿ßp¡¬¿\É¿ßp¡«¬1.png (3 bytes)
C:\Windows\driiver\É¿ßp¡¬¿\É¿ßp¡«¬2.png (3 bytes)
C:\Windows\driiver\wm_player.exe (7775 bytes)

The process go.exe:3360 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp588601$\setup.exe (290 bytes)

The process %original file name%.exe:3408 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp588601$\ww.txt (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp588601$\go.exe (1016 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp588601$\w.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\Temp1.exe (188 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\49.arc (750 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp588601$\setup.exe (39784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp588601$\install.exe (9918 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp588601$\1111ProgStart.name (8 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp588601$\1111ProgStart.name (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\49.arc (0 bytes)

The process Temp1.exe:3696 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\RCXB3E3.tmp (26442 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\PureSFX55.arc (295269 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\TempExeF58.exe (38663 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp588601$\1111ProgStart.name (8 bytes)
C:\%original file name%.exe (38295 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp588601$\ww.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\TempExeF58.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\PureSFX55.arc (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp588601$\go.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp588601$\w.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp588601$\install.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp588601$\1111ProgStart.name (0 bytes)

The process wm_player.exe:1472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\driiver\date.obo (3 bytes)

The process setup.exe:3516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm37B3.tmp\AgeVerify.ini (1284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm37B3.tmp\StealthMode.ini (1303 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm37B3.tmp\StealthAttention.ini (1122 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm37B3.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw37A2.tmp (0 bytes)

Registry activity

The process go.exe:3400 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\go_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\go_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\go_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\go_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\go_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"

To run itself automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"wm_player_video_driver" = "C:\windows\driiver\wm_player.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process wm_player.exe:1472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process setup.exe:3516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\thriXXX\3DSexVilla2\3DSexVilla2SharedDLL]
"PNG" = "010218PNG"
"JP2" = "017010JP2"

Dropped PE files

MD5 File path
36b99a635a0d4f0f9fccbe2dda28ed6a c:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp585518$\driiver\wm_player.exe
41f47d5ba84a9e073ee7276dfaf75648 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp585518$\go.exe
2f6cb6b2cdf9c073de11c43d6cd5d58c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp588601$\install.exe
e18b0d94dd1e96b5b7d9485b6e44806f c:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp588601$\setup.exe
36b99a635a0d4f0f9fccbe2dda28ed6a c:\Windows\driiver\wm_player.exe
5ade6b7578c9b1f9a25f8ff10a7a9efb c:\%original file name%.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 0.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: 33333.exe
Internal Name: 33333.exe
File Version: 0.0.0.0
File Description:
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.code 4096 7205 7680 3.83637 d583f61ca3321710ae3e88dbd1172e72
.text 12288 85162 85504 4.62348 32092f473b5ba3180a37e4c44dbb6614
.rdata 98304 25962 26112 5.23878 b6ab1fe668ae5da27a25120ba9c173de
.data 126976 9288 8192 3.97575 eee56163f1cf3a0cf154654949eb6c4e
.rsrc 139264 4967788 4967936 5.53928 3c240790ad5583f53d6887ad3be5146a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
f27b97a0664642e6eab2e367490eefca

URLs

URL IP
jst4fun.ru


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the following location(s):

setup.exe_3516:


install.exe_3520:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    install.exe:3520
    go.exe:3360
    %original file name%.exe:3408
    Temp1.exe:3696
    wm_player.exe:1472
    setup.exe:3516

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp585518$\driiver\É¿ßp¡¬¿\É¿ßp¡«¬1.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp585518$\driiver\É¿ßp¡¬¿\É¿ßp¡«¬2.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp585518$\engine\cry.obo (152 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\75.arc (1340 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp585518$\go.exe (9474 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp585518$\1111ProgStart.name (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp585518$\driiver\wm_player.exe (9809 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp585518$\engine\who.obo (88 bytes)
    C:\Windows\driiver\É¿ßp¡¬¿\É¿ßp¡«¬1.png (3 bytes)
    C:\Windows\driiver\É¿ßp¡¬¿\É¿ßp¡«¬2.png (3 bytes)
    C:\Windows\driiver\wm_player.exe (7775 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp588601$\setup.exe (290 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp588601$\ww.txt (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp588601$\go.exe (1016 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp588601$\w.txt (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\Temp1.exe (188 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\49.arc (750 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp588601$\install.exe (9918 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp588601$\1111ProgStart.name (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\RCXB3E3.tmp (26442 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\PureSFX55.arc (295269 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\TempExeF58.exe (38663 bytes)
    C:\%original file name%.exe (38295 bytes)
    C:\Windows\driiver\date.obo (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm37B3.tmp\AgeVerify.ini (1284 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm37B3.tmp\StealthMode.ini (1303 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm37B3.tmp\StealthAttention.ini (1122 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "wm_player_video_driver" = "C:\windows\driiver\wm_player.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
