Gen.Heur.VIZ.6_6c33558f07

by malwarelabrobot on November 1st, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Rogue.Win32.FakeAV (A) (Emsisoft), Gen:Heur.VIZ.6 (AdAware), Fake-AV.Win32.FakeRean.2.FD, FakeAVWin32FakeRean.YR (Lavasoft MAS)
Behaviour: Trojan, Fake-AV


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 6c33558f0762d92a81f0fec0ddf19f24
SHA1: bc32c545ee9502fb11ca7c321455e79ea1a332d7
SHA256: cde4c2c922eca9e5ce90522257ea89b7d7454018ad72200698614ef3356cb770
SSDeep: 3072:EOJn6/HBq3qAdGhS4k5p5pU4T4B jca8Wz/9DMFIW925pOLA/hmqVvTVLC4HTkwH:EOJ Bq3qnop535 Wzmw5pSqpheLwe2
Size: 204486 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Premium Installer
Created at: 2012-07-25 15:12:41
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:888

The Trojan injects its code into the following process(es):

aln.exe:1596

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:888 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\aln.exe (204 bytes)

The process aln.exe:1596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AAX6WLO9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PKK63MHM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (1079 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A24AB8Q7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BPX15JCH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Templates\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (1079 bytes)
%Documents and Settings%\All Users\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (1079 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (1079 bytes)

The Trojan deletes the following file(s):

C:\%original file name%.exe (0 bytes)

Registry activity

The process %original file name%.exe:888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 06 23 14 95 C2 FF E3 BE C2 C9 79 59 9F 63 64"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
"UpdatesDisableNotify" = "1"
"FirewallOverride" = "1"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = "0"
"DoNotAllowExceptions" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

The following service is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess]
"Start" = "4"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

The process aln.exe:1596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\exefile\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\aln.exe -a %1 %*"

[HKCU\Software\Classes\exefile\shell\runas\command]
"IsolatedCommand" = "%1 %*"

[HKCU\Software\Classes\exefile]
"(Default)" = "Application"

[HKCU\Software\Classes\.exe\shell\runas\command]
"IsolatedCommand" = "%1 %*"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "IEXPLORE.EXE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Classes\exefile\shell\open\command]
"IsolatedCommand" = "%1 %*"

[HKCU\Software\Classes\.exe\shell\runas\command]
"(Default)" = "%1 %*"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKCU\Software\Classes\exefile\shell\runas\command]
"(Default)" = "%1 %*"

[HKCU\Software\Classes\exefile]
"Content Type" = "application/x-msdownload"

[HKCU\Software\Classes\.exe\shell\open\command]
"IsolatedCommand" = "%1 %*"

[HKCU\Software\Classes\.exe]
"(Default)" = "exefile"

[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\aln.exe -a %Program Files%\Internet Explorer\iexplore.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Classes\exefile\DefaultIcon]
"(Default)" = "%1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows]
"Identity" = "3044072876"

[HKCU\Software\Classes\.exe\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\aln.exe -a %1 %*"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 F0 7D CE 5C DC 0B 6A CB 06 B5 60 AF 27 19 40"

[HKCU\Software\Classes\.exe\DefaultIcon]
"(Default)" = "%1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Classes\.exe]
"Content Type" = "application/x-msdownload"

The Trojan modifies the IE security-zone settings so that all local web nodes whose names contain no dots, and which are not assigned to any zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 5084 5120 5.37041 6e68dd9318fa0d18c68b971a5ffaaa03
.rdata 12288 1156 1536 2.70992 d0739c50e39a0eefd2830993291e124a
.data 16384 1904640 512 0 bf619eac0cdf3f68d496ea9344137e8b
.rsrc 1921024 196076 196096 5.54409 29443714b265548d5d72cd82e8b3c41b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
1266b4b942dcb8586e8aaec58925f6d3

URLs

URL IP
hxxp://84.22.104.243/1ff6b5iikbtcefdd8hnbfa99es4e10be5g328491922a
hxxp://84.22.104.243/c1f8d4j4mdqlecfk4mm64pgaekdcab937ma68f46ed20
hxxp://84.22.104.243/669494bcib35399c8ee67dkdig7gd5cgeg869ea0e1d7
hxxp://84.22.104.243/d6a16bibhgbfameieiic6bg85sdnbff37kg0f91e99cf
hxxp://84.22.104.243/a77495i7ab6nildm4ll46klegofk13idi93a3211472e
hxxp://84.22.104.243/3f57c783fqg8797jjfjj3kd3cqeaf7798mf21fb2ebcf
hxxp://84.22.104.243/cc7chf79im5o9dciinn84jk3eeikd7f9c9fe447e60fc
hxxp://84.22.104.243/ea5af6heaq6fgi6m7nef7nbfdo4oef6bfl50a04e508a
hxxp://84.22.104.243/6e6bg777odfh491qbih99ogcei7dee4dhlace45fad57


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the following location(s):

aln.exe_1596_rwx_00380000_00001000:

Kernel32.dll
hrt.dhmsvcT

aln.exe_1596_rwx_00390000_00001000:

Kernel32.dll
hrt.dhmsvcT

aln.exe_1596_rwx_003D0000_00006000:

.text
`.rdata
@.data
.reloc
SSSh=
u.PPh
%sx.tmp
microsoft.com
xx%s%s
SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
.exe\shell
cmd.exe /C del /Q /F "%s"
%s%u%u.tmp
gdiplus.dll
oleaut32.dll
user32.dll
ws2_32.dll
xx
msvcrt.dll
URLDownloadToFileA
urlmon.dll
WS2_32.dll
SHDeleteKeyA
SHLWAPI.dll
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyA
ADVAPI32.dll
84.22.104.243
109.206.174.44
pcsecsupport.com
1089-903874-1875
003338200000
hXXp://moneysnetingiss.com/data.exe
hXXp://%S/%S

aln.exe_1596_rwx_00401000_001EF000:

p.S
2010:06:04 04:17:53
hXXp://ns.adobe.com/xap/1.0/
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"><xmp:CreateDate>2010-06-04T04:17:53.229</xmp:CreateDate></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"><dc:creator><rdf:Seq xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>John</rdf:li></rdf:Seq>
,!.fy
3d%D-
/X.Rp
_U$%x
(7),01444
'9=82<.342
2010:06:04 04:07:41
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"><xmp:CreateDate>2010-06-04T04:07:41.468</xmp:CreateDate></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"><dc:creator><rdf:Seq xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>John</rdf:li></rdf:Seq>
.IDATx
2010:06:04 04:18:38
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"><xmp:CreateDate>2010-06-04T04:18:38.428</xmp:CreateDate></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"><dc:creator><rdf:Seq xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>John</rdf:li></rdf:Seq>
HTTP/1.0 200 OK
Date: %s
Expires: %s
Content-Type: %s
2010:06:04 04:19:08
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"><xmp:CreateDate>2010-06-04T04:19:08.340</xmp:CreateDate></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"><dc:creator><rdf:Seq xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>John</rdf:li></rdf:Seq>
]sM-H%x
P%Sp<
{]m%X-de
2010:06:04 04:19:40
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"><xmp:CreateDate>2010-06-04T04:19:40.162</xmp:CreateDate></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"><dc:creator><rdf:Seq xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>John</rdf:li></rdf:Seq>
$%.wH
B.fAk
00000000
2010:06:04 04:20:15
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"><xmp:CreateDate>2010-06-04T04:20:15.844</xmp:CreateDate></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"><dc:creator><rdf:Seq xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>John</rdf:li></rdf:Seq>
9%D,3
gdiplus.dll
user32.dll
wsock32.dll
ws2_32.dll
oleaut32.dll
gdi32.dll
advapi32.dll
uxtheme.dll
ole32.dll
shell32.dll
comctl32.dll
shlwapi.dll
version.dll
msimg32.dll
ntdll.dll
kernel32.dll
microsoft.com
Software\Microsoft\Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
IEXPLORE.EXE
FIREFOX.EXE
%System%\ctfmon.exe
ctfmon.exe
Software\Microsoft\Windows\CurrentVersion\Run
%s\shell\%s\command
%s, %.2i %s %.4i %.2i:%.2i:%.2i GMT
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP/1.0
HTTP/1.
PSSh@
PSShY.]
PSShK
PSShE
SSSSSSh
SSSSh
%Program Files%\Java\jre6\lib\cmm\
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta http-equiv="no-cache" /><base href='ºse!'></base></head><style type='text/css'>body { font-family: Segoe UI, verdana, arial; background-image: url(res://ieframe.dll/background_gradient.jpg); background-repeat: repeat-x; background-color: #õ; margin-top: 20px; margin-left: 20px; color: #575757; }body.a { font-family: Segoe UI, verdana , Arial; background-image: url(ñ); background-repeat: repeat-x; background-color: #õ; margin-top: 20px; margin-left: 20px; } a { color: rgb(19,112,171);
h1 { color: #4465A2; font-size: 1.1em; font-weight: normal; vertical-align:bottom; margin-top: 7px; margin-bottom: 4px; }h2 { font-size: 0.9em; font-weight: normal; margin-top: 20px; margin-bottom: 1px; }h3 { font-size: 0.9em; font-weight: normal; margin-top: 10px; margin-bottom: 1px; }h4 { font-size: 0.9em; font-weight: normal; margin-top: 12px; margin-bottom: 1px; }.b { vertical-align: middle; margin-top: %MF%px; margin-right: 6px; }ul, ol { font-size: 0.9em; list-style-position: outside; margin-top: 1px; margin-bottom: 1px; padding-top: 1px; padding-bottom: 1px; line-height: 1.3em; }</style><script language="JavaScript">document.onselectstart = returnfalse;document.ondragstart = returnfalse;document.oncontextmenu = returnfalse;function returnfalse() {return false;}</script><body ondragstart="return false;" onselectstart="return false;" class="a"><table width="800" cellpadding="0" cellspacing="0" border="0"><tr><td width="60" align="left" valign="top" rowspan="3"><img src="ò"></td><td valign="middle" align="left" width="*"><h1></h1></td></tr><tr><td><h3><div></div></h3></td></tr><tr><td style="font-size: 0.7em; font-weight: normal; color: #787878;" align="right"> <div style="border-bottom: #B6BCC6 1px solid;"></div></td></tr><tr><td> </td><td><H2 ></H2></td></tr><tr><td></td><td><h3><ul style='list-style:circle; margin-left:%MG%px'><li></li><li></li><li></li><li></li><li></li></ul></h3></td></tr><tr><td> </td><td><h2><b></b></h2></td></tr><tr><td > </td><td align="left" valign="middle"><h4 ><img src="ó" border="0" class="b"><a href="javascript:" onClick="javascript:document.location='1';">	</a></h4></td></tr><tr><td > </td><td align="left" valign="middle"><h4 ><img src="ó" border="0" class="b"><a href="javascript:" onClick="javascript:document.location='2';"></a></h4></td></tr><tr><td > </td><td align="left" valign="middle"><h4 ><img src="ô" border="0" class="b"><a href="‚3"></a></h4></td></tr></table></body></html>
Windows recommend Activate %1
Trojan-BNK.Win32.Keylogger.gen
passwords.
Please write it for future using and support requests.
Your LICENSE KEY:
This Trojan steals user passwords. It is designed to steal a range of confidential information. It is a Windows PE EXE file. It is 11,269 bytes in size. It is written in Visual C  .
Trojan-PSW.Win32.Coced.219
This worm is written in Visual C   and is made up of two files, an executable file (EXE) and a dynamic link library (DLL), which is found within the EXE file.
Email-Worm.Win32.Eyeveg.f
This Trojan utility scans the system data files to Internet access passwords, decrypts them and sends to a specified e-mail address. It also scans the system for more private information: telephone numbers, computer name etc.
Trojan-PSW.Win32.Antigen.a
Net-Worm.Linux.Adm
Virus.BAT.Batalia1.840
Backdoor.Rbot is a family of Trojan programs for Windows, which offer the user remote access
Backdoor.Rbot.gen
This Trojan program is designed to run on smartphones running Symbian. The Trojan is a SIS installation archive. The Trojan has no self replication routine. Trojan-SMS.SymbOS.Viver.a actually covers two variants of this malicious program. The first is an archive called RulesViver.sis.
Trojan-SMS.SymbOS.Viver.a
This script for a Windows FTP client can download other executable files without the knowledge or consent of the user. It may be used to download Trojan programs to the victim machine.
Trojan-Downloader.BAT.Ftp.ab
This Trojan launches a proxy server on the victim machine without the knowledge or consent of the user. It is a Windows PE EXE file. The file is 28,796 bytes in size. It is not packed in any way. Installation When launched, the Trojan will copy its executable file as: %Program...
Trojan-Proxy.Win32.Agent.q
This Trojan will periodically load a designated web page into the browser. The Trojan itself is written in Microsoft Visual Basic and is 32768 bytes in size. Installation This Trojan uses a standard icon to mask itself as an installation program: Once launched, the Trojan copies itself to the...
Trojan-Clicker.Win32.Stixo.d
Trojan-SMS.J2ME.RedBrowser.a
This Trojan program is designed to provide remote management of systems running UNIX-type operating systems. It is a Perl scenario. It is approximately 12KB in size.
Backdoor.Perl.AEI.16
This is the second known macro virus infecting MS PowerPoint presentations. It contains five macros in one module "ShapeShift": actionhook, SlideIn, WackShape, RandomWackSlide, WackPresentation. To activate its code on a event the virus hooks MouseClick that pass control to the virus..
Macro.PPoint.ShapeShift
It is a dangerous memory resident multipartite virus. While executing an infected file the virus infects the MBR of the hard drive, as well as while loading from infected floppy disk. While loading from infected disk (MBR, boot) the virus hooks INT 13h, waits for DOS loading, and hooks INT 21h..
Virus.Boot-DOS.V.1536
Email-Worm.VBS.Peach
This Trojan launches a proxy server on the victim machine without the knowledge or consent of the user. It is a Windows PE EXE file. The file is approximately 17KB in size. It is packed using PECompact. The unpacked file is approximately 30KB in size. Installation When launched, the Trojan...
Trojan-Proxy.Win32.Agent.x
This Trojan uses spoofing technology. It is a fake HTML page. It is designed to steal confidential information from Caja Madrid clients. The Trojan arrives in the guise of an important email from Caja Madrid. The email contains a link which exploits the Frame Spoof vulnerability in Internet...
Trojan-Spy.HTML.Bankfraud.pa
The suspicious message "Exploit.CodeBaseExec" means that HTML page being scanned contains code exploiting the Microsoft Internet Explorer Arbitrary Program Execution Vulnerability, aka the Local Executable Invocation via Object tag vulnerability.
Exploit.CodeBaseExec
This program is a realized DoS attack on one of the more popular ftp-servers for Windows 95/98/NT - War-FTPD v1.70. It makes many connections to an ftp-server resulting in a denial of service. This program also can disturb the operation of other ftp's in a Unix system - wu-ftpd, proftpd,...
DoS.Win32.DieWar
This Trojan program utilizes spoofing technology. It is made as a fake HTML page. It is designed to steal information from Postbank clients. It arrives as a important message alledgedly sent by PostBank: This message contains a link to the fake page; this link exploits the Frame Spoof...
Trojan-Spy.HTML.Bankfraud.jk
This Trojan program is designed to artificially boost the number of visits to designated web sites. The Trojan itself is a Windows PE EXE file, packed using FSG. The file may be between 5KB and 36KB. Installation Once launched, the Trojan copies itself to the Windows root directory as svchost.exe
Trojan-Clicker.Win32.Small.kj
This is a dangerous non-memory resident parasitic BAT virus. It searches for .BAT files, then writes itself to the end of the file. On Mondays, the virus drops the "Whale" DOS virus.
Virus.BAT.8Fish
This is the first known macro-virus infecting Visio documents, stencils and templates (Visio is the system to create, edit and store business drawing and diagrams - see hXXp://VVV.visio.com). To automate data processing, Visio uses macro-programs written in VBA language
Macro.Visio.Radiant
It is a harmless memory resident multipartite virus. When an infected file is executed, it hooks INT 21h, infects the MBR of the hard drive and stays memory resident. When the system is loading from infected MBR, the virus hooks INT 1Ch, waits for DOS loading procedure and then hooks INT 21h.
Virus.Boot-DOS.V.1526
EICAR is a short 68-byte COM file that is detected by anti-virus programs as a virus, but is actually NOT "VIRAL" at all. When executed it just displays a message and returns control to the host program. Why is this harmless file detected as a virus? The file was created in order to demonstrate to..
This worm spreads via file-sharing networks. The worm itself is a Windows PE EXE file approximately 1274KB in size. Installation Once launched, the worm causes the following error message to be displayed: On repeated launched, the worm will cause the error message below to be displayed: When...
P2P-Worm.Win32.Franvir
This is not a dangerous nonmemory resident parasitic virus. It searches for .COM files (except COMMAND.COM) of current directory and writes itself to the end of the file. Sometimes it display: At last ...... ALIVE !!!!! I guess your computer is infected by the Big Joke Virus.
It is a harmless nonmemory resident parasitic virus. It searches for COM files (except COMMAND.COM), then writes itself to the end of the file. The virus does not manifests itself in any way, it contains the text strings: *.com COMMAND. HAPPY v1.03 (C) PROFESSOR,KPI
Worm.P2P.Duload represents a family of worms that replicate by copying themselves into a Kazaa network shared folder located on victim machines. The worm itself is a Windows application (PE EXE file) written in Visual Basic, 18432 bytes in size. Installation The worm copies itself to the Windows..
P2P-Worm.Win32.Duload.a
This is an IRC worm that spreads via mIRC channels. The worm code itself is a randomly named DOS EXE file. When it is executed, the worm copies itself with the LOA.EXE name to the Windows directory and registers this file in the system registry in the auto-run section:..
IRC-Worm.DOS.Loa
IRC-Worm.DOS.Septic
It is a harmless memory resident parasitic polymorphic virus. It writes itself to beginning of SYS and to the end of EXE files. While executing an infected EXE file the virus opens the C:\CONFIG.SYS file, scans it for the names of device drivers, infects them and returns to the host program.
It is a harmless nonmemory resident parasitic virus. It searches for COM and EXE files and infects them. It was created with Biological Warfare Mutation Engine - it is a polymorphic engine, like the MtE and TPE engines. This virus writes itself to the end of the files. It contains the text strings:...
BWME.Twelve.1378
This worm spreads via Windows Messenger. It is written in Visual Basic, and packed using UPX. The packed file is 8704 bytes in size, and the unpacked file is 24064 bytes in size. Once launched, the worm sends a messenger to all MSN Messenger contacts: "its you" The message is accompanied by the...
IM-Worm.Win32.Kelvir.k
Email-Worm.JS.Gigger
Get a copy of '' to safeguard your PC while surfing the web (RECOMMENDED)
Port and system scans performed by the site being visited.
Attacked port:
port:
A program is trying to exploit Windows security holes! Passwords and sensitive data may be stolen!
Your system security is in danger. Privacy threats detected. Spyware, keyloggers or Trojans may be working in the background right now. Perform an in-depth scan and removal now, click here.
Spyware intrusion detected. Your system is infected. System integrity is at risk. Private data can be stolen by third parties, including credit card details and passwords. Click here to perform a security repair.
Click here to contact %1 support team.
Click here to visit %1 website
Contact Customer Support
Visit %1 website
Upgrade to full version of %1 security software package now! Clean your system and ward off new attacks against your system integrity and sensitive data. FREE daily updates and online protection from web-based intrusions are already in the bundle.
Your system was scanned for security breaches. Attention: %s serious issues were detected. Safeguard your system against exploits, malware and viruses right now by activating Proactive Defense.
Reg key:
Scanning links and web pages to make your web experience safe
A registered copy of %1 offers a full range of features to keep your system clean and protected. Check the list of benefits and opportunities here below:
Your personal files, photos, documents and passwords get stolen
Browser crashes frequently and web access speed decreases
No web traffic, activity and content is monitored. Spyware and malware can use your web browser as a gateway to sensitive areas of your system. No malicious code in web pages is detected and blocked.
Web traffic is analyzed for possible spyware and malware components. Intrusion attempts from the web are blocked and attacking sites and addresses are blocked. Pages visited are analyzed for spyware and malware presence and cleaned on the fly.
Sensitive areas of your system containing your private data are protected. Documents, passwords, browsing history, credit card and bank details are secured against identity theft. Unauthorized attempts to take control over your PC are intercepted and blocked.
When Internet Security is enabled, unauthorized access to critical zones of your system from the web is prevented. Private information is safeguarded against online hacking attacks. Intrusion attempts are intercepted and malware existing in the system is prevented from contacting its originating servers.
Support
Total: %s
( %s entries )
Infections found: %s
Scan Process: %s%%
disabled. Dangerous web attacks possible.
is enabled and your web surfing is safe
eexefile
.exe"
1.dat
firefox
chrome
opera
Invalid registration key
Operating system restart is required to complete configuration.
imageres.dll
firewall.cpl
wscui.cpl
MSASCui.exe
{C9A34C77-4D69-45EC-A07D-83242376045D}D68DDC3A-831F-4FAE-9E44-DA132C1ACF46
ActionCenterCPL.dll.mui
OPERA
Firefox
Chrome
Opera
MpCmdRun.exe
MsMpEng.exe
NisSrv.exe
msseces.exe
"c:\windows\syswow64\dfrgui.exe" -a
"c:\windows\explorer.exe" -a
Update.exe
iexplore.exe
%.4i.tmp
"%s" -del %s
wscntfy.exe
E"%s" -a "%%1" %%*
"%s" %s
dred_shield.png
green_shield.png
red_shield_48.png
background_gradient_red.jpg
res://ieframe.dll/
/%ib%.3it.jpg
%%f%i
Google Chrome
hXXp://
explorer.exe
%s%s/%.4i%.4i%.1i%.1i
\StringFileInfo\xx\ProductName
\StringFileInfo\xx\CompanyName
\StringFileInfo\xx\FileDescription
%u.%u.%u.%u
edfrgui.exe
c:\windows\syswow64\sysprep
c:\windows\system32\sysprep
\sysprep.exe
Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
\Update.exe
CRYPTSP.DLL
CRYPTBASE.DLL
xpsp2res.dll
inetcpl.cpl
ActionCenterCPL.dll
wuapi.dll
wuauclt.exe
%System%
%Documents and Settings%\%current user%\Application Data\Microsoft\kql.8er
%Documents and Settings%\All Users\Application Data\Microsoft\Crypto\RSA\18XmrTOy3m0.3
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists\00064D96\djDq.rt
%Documents and Settings%\NetworkService\Local Settings\Temp\CN8.dl
C:\Perl\html\lib\ActiveState\Config\nAeb14m404.rt
C:\Perl\html\lib\File\c4nl53.sys
C:\Perl\html\lib\IPC\k1L8b.w7
C:\Perl\html\lib\Moose\Meta\Class\3A0GL.sys
C:\Perl\html\lib\PPI\Statement\Include\w18M3B8bX2.dl
C:\Perl\lib\ActivePerl\DocTools\TOC\IQUkA.rt
C:\Perl\lib\auto\Devel\GlobalDestruction\Yk4g0WRaEqj.a
C:\Perl\lib\auto\Filter\Util\J778RAi4FV.44
C:\Perl\lib\auto\Opcode\koXQQv2.rt
C:\Perl\lib\auto\Term\ANSIColor\P57n84DeQ.fy
C:\Perl\lib\auto\Tkx\5C2wI.cab
C:\Perl\lib\auto\Win32\Event\1nu.027
C:\Perl\lib\auto\Win32API\Net\6867JEhP.sys
C:\Perl\lib\DBI\SQL\rb7r74L.j2
C:\Perl\lib\Exception\Q5.tf
C:\Perl\lib\IO\Compress\Base\43a4.rt
C:\Perl\lib\Moose\Meta\TypeConstraint\85S3m8MI72.rt
C:\Perl\lib\threads\48yci37bOjw.l
C:\Perl\site\Kdp6juL4Kv.rt
%Program Files%\Common Files\VMware\Drivers\vmci\sockets\bin\28N3NO01vL.dl

aln.exe_1596_rwx_005F1000_00004000:

URLDa
.text
`.rdata
@.data
.reloc
SSSh=
u.PPh
%sx.tmp
microsoft.com
xx%s%s
SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
.exe\shell
cmd.exe /C del /Q /F "%s"
%s%u%u.tmp
gdiplus.dll
oleaut32.dll
user32.dll
ws2_32.dll
xx
msvcrt.dll
URLDownloadToFileA
urlmon.dll
WS2_32.dll
SHDeleteKeyA
SHLWAPI.dll
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyA
ADVAPI32.dll
hXXp://%S/%S

aln.exe_1596_rwx_00C80000_002B7000:

8–9D9o9w9~9
p.S
2010:06:04 04:17:53
hXXp://ns.adobe.com/xap/1.0/
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"><xmp:CreateDate>2010-06-04T04:17:53.229</xmp:CreateDate></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"><dc:creator><rdf:Seq xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>John</rdf:li></rdf:Seq>
,!.fy
3d%D-
/X.Rp
_U$%x
(7),01444
'9=82<.342
2010:06:04 04:07:41
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"><xmp:CreateDate>2010-06-04T04:07:41.468</xmp:CreateDate></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"><dc:creator><rdf:Seq xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>John</rdf:li></rdf:Seq>
.IDATx
2010:06:04 04:18:38
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"><xmp:CreateDate>2010-06-04T04:18:38.428</xmp:CreateDate></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"><dc:creator><rdf:Seq xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>John</rdf:li></rdf:Seq>
HTTP/1.0 200 OK
Date: %s
Expires: %s
Content-Type: %s
2010:06:04 04:19:08
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"><xmp:CreateDate>2010-06-04T04:19:08.340</xmp:CreateDate></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"><dc:creator><rdf:Seq xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>John</rdf:li></rdf:Seq>
]sM-H%x
P%Sp<
{]m%X-de
2010:06:04 04:19:40
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"><xmp:CreateDate>2010-06-04T04:19:40.162</xmp:CreateDate></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"><dc:creator><rdf:Seq xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>John</rdf:li></rdf:Seq>
$%.wH
B.fAk
00000000
2010:06:04 04:20:15
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"><xmp:CreateDate>2010-06-04T04:20:15.844</xmp:CreateDate></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"><dc:creator><rdf:Seq xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>John</rdf:li></rdf:Seq>
9%D,3
gdiplus.dll
user32.dll
wsock32.dll
ws2_32.dll
oleaut32.dll
gdi32.dll
advapi32.dll
uxtheme.dll
ole32.dll
shell32.dll
comctl32.dll
shlwapi.dll
version.dll
msimg32.dll
ntdll.dll
kernel32.dll
microsoft.com
Software\Microsoft\Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
IEXPLORE.EXE
FIREFOX.EXE
%System%\ctfmon.exe
ctfmon.exe
Software\Microsoft\Windows\CurrentVersion\Run
%s\shell\%s\command
%s, %.2i %s %.4i %.2i:%.2i:%.2i GMT
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP/1.0
HTTP/1.
PSSh@
PSShY.]
PSShK
PSShE
SSSSSSh
SSSSh
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta http-equiv="no-cache" /><base href='ºse!'></base></head><style type='text/css'>body { font-family: Segoe UI, verdana, arial; background-image: url(res://ieframe.dll/background_gradient.jpg); background-repeat: repeat-x; background-color: #õ; margin-top: 20px; margin-left: 20px; color: #575757; }body.a { font-family: Segoe UI, verdana , Arial; background-image: url(ñ); background-repeat: repeat-x; background-color: #õ; margin-top: 20px; margin-left: 20px; } a { color: rgb(19,112,171);
h1 { color: #4465A2; font-size: 1.1em; font-weight: normal; vertical-align:bottom; margin-top: 7px; margin-bottom: 4px; }h2 { font-size: 0.9em; font-weight: normal; margin-top: 20px; margin-bottom: 1px; }h3 { font-size: 0.9em; font-weight: normal; margin-top: 10px; margin-bottom: 1px; }h4 { font-size: 0.9em; font-weight: normal; margin-top: 12px; margin-bottom: 1px; }.b { vertical-align: middle; margin-top: %MF%px; margin-right: 6px; }ul, ol { font-size: 0.9em; list-style-position: outside; margin-top: 1px; margin-bottom: 1px; padding-top: 1px; padding-bottom: 1px; line-height: 1.3em; }</style><script language="JavaScript">document.onselectstart = returnfalse;document.ondragstart = returnfalse;document.oncontextmenu = returnfalse;function returnfalse() {return false;}</script><body ondragstart="return false;" onselectstart="return false;" class="a"><table width="800" cellpadding="0" cellspacing="0" border="0"><tr><td width="60" align="left" valign="top" rowspan="3"><img src="ò"></td><td valign="middle" align="left" width="*"><h1></h1></td></tr><tr><td><h3><div></div></h3></td></tr><tr><td style="font-size: 0.7em; font-weight: normal; color: #787878;" align="right"> <div style="border-bottom: #B6BCC6 1px solid;"></div></td></tr><tr><td> </td><td><H2 ></H2></td></tr><tr><td></td><td><h3><ul style='list-style:circle; margin-left:%MG%px'><li></li><li></li><li></li><li></li><li></li></ul></h3></td></tr><tr><td> </td><td><h2><b></b></h2></td></tr><tr><td > </td><td align="left" valign="middle"><h4 ><img src="ó" border="0" class="b"><a href="javascript:" onClick="javascript:document.location='1';">	</a></h4></td></tr><tr><td > </td><td align="left" valign="middle"><h4 ><img src="ó" border="0" class="b"><a href="javascript:" onClick="javascript:document.location='2';"></a></h4></td></tr><tr><td > </td><td align="left" valign="middle"><h4 ><img src="ô" border="0" class="b"><a href="‚3"></a></h4></td></tr></table></body></html>
Windows recommend Activate %1
Trojan-BNK.Win32.Keylogger.gen
passwords.
Please write it for future using and support requests.
Your LICENSE KEY:
This Trojan steals user passwords. It is designed to steal a range of confidential information. It is a Windows PE EXE file. It is 11,269 bytes in size. It is written in Visual C  .
Trojan-PSW.Win32.Coced.219
This worm is written in Visual C   and is made up of two files, an executable file (EXE) and a dynamic link library (DLL), which is found within the EXE file.
Email-Worm.Win32.Eyeveg.f
This Trojan utility scans the system data files to Internet access passwords, decrypts them and sends to a specified e-mail address. It also scans the system for more private information: telephone numbers, computer name etc.
Trojan-PSW.Win32.Antigen.a
Net-Worm.Linux.Adm
Virus.BAT.Batalia1.840
Backdoor.Rbot is a family of Trojan programs for Windows, which offer the user remote access
Backdoor.Rbot.gen
This Trojan program is designed to run on smartphones running Symbian. The Trojan is a SIS installation archive. The Trojan has no self replication routine. Trojan-SMS.SymbOS.Viver.a actually covers two variants of this malicious program. The first is an archive called RulesViver.sis.
Trojan-SMS.SymbOS.Viver.a
This script for a Windows FTP client can download other executable files without the knowledge or consent of the user. It may be used to download Trojan programs to the victim machine.
Trojan-Downloader.BAT.Ftp.ab
This Trojan launches a proxy server on the victim machine without the knowledge or consent of the user. It is a Windows PE EXE file. The file is 28,796 bytes in size. It is not packed in any way. Installation When launched, the Trojan will copy its executable file as: %Program...
Trojan-Proxy.Win32.Agent.q
This Trojan will periodically load a designated web page into the browser. The Trojan itself is written in Microsoft Visual Basic and is 32768 bytes in size. Installation This Trojan uses a standard icon to mask itself as an installation program: Once launched, the Trojan copies itself to the...
Trojan-Clicker.Win32.Stixo.d
Trojan-SMS.J2ME.RedBrowser.a
This Trojan program is designed to provide remote management of systems running UNIX-type operating systems. It is a Perl scenario. It is approximately 12KB in size.
Backdoor.Perl.AEI.16
This is the second known macro virus infecting MS PowerPoint presentations. It contains five macros in one module "ShapeShift": actionhook, SlideIn, WackShape, RandomWackSlide, WackPresentation. To activate its code on a event the virus hooks MouseClick that pass control to the virus..
Macro.PPoint.ShapeShift
It is a dangerous memory resident multipartite virus. While executing an infected file the virus infects the MBR of the hard drive, as well as while loading from infected floppy disk. While loading from infected disk (MBR, boot) the virus hooks INT 13h, waits for DOS loading, and hooks INT 21h..
Virus.Boot-DOS.V.1536
Email-Worm.VBS.Peach
This Trojan launches a proxy server on the victim machine without the knowledge or consent of the user. It is a Windows PE EXE file. The file is approximately 17KB in size. It is packed using PECompact. The unpacked file is approximately 30KB in size. Installation When launched, the Trojan...
Trojan-Proxy.Win32.Agent.x
This Trojan uses spoofing technology. It is a fake HTML page. It is designed to steal confidential information from Caja Madrid clients. The Trojan arrives in the guise of an important email from Caja Madrid. The email contains a link which exploits the Frame Spoof vulnerability in Internet...
Trojan-Spy.HTML.Bankfraud.pa
The suspicious message "Exploit.CodeBaseExec" means that HTML page being scanned contains code exploiting the Microsoft Internet Explorer Arbitrary Program Execution Vulnerability, aka the Local Executable Invocation via Object tag vulnerability.
Exploit.CodeBaseExec
This program is a realized DoS attack on one of the more popular ftp-servers for Windows 95/98/NT - War-FTPD v1.70. It makes many connections to an ftp-server resulting in a denial of service. This program also can disturb the operation of other ftp's in a Unix system - wu-ftpd, proftpd,...
DoS.Win32.DieWar
This Trojan program utilizes spoofing technology. It is made as a fake HTML page. It is designed to steal information from Postbank clients. It arrives as a important message alledgedly sent by PostBank: This message contains a link to the fake page; this link exploits the Frame Spoof...
Trojan-Spy.HTML.Bankfraud.jk
This Trojan program is designed to artificially boost the number of visits to designated web sites. The Trojan itself is a Windows PE EXE file, packed using FSG. The file may be between 5KB and 36KB. Installation Once launched, the Trojan copies itself to the Windows root directory as svchost.exe
Trojan-Clicker.Win32.Small.kj
This is a dangerous non-memory resident parasitic BAT virus. It searches for .BAT files, then writes itself to the end of the file. On Mondays, the virus drops the "Whale" DOS virus.
Virus.BAT.8Fish
This is the first known macro-virus infecting Visio documents, stencils and templates (Visio is the system to create, edit and store business drawing and diagrams - see hXXp://VVV.visio.com). To automate data processing, Visio uses macro-programs written in VBA language
Macro.Visio.Radiant
It is a harmless memory resident multipartite virus. When an infected file is executed, it hooks INT 21h, infects the MBR of the hard drive and stays memory resident. When the system is loading from infected MBR, the virus hooks INT 1Ch, waits for DOS loading procedure and then hooks INT 21h.
Virus.Boot-DOS.V.1526
EICAR is a short 68-byte COM file that is detected by anti-virus programs as a virus, but is actually NOT "VIRAL" at all. When executed it just displays a message and returns control to the host program. Why is this harmless file detected as a virus? The file was created in order to demonstrate to..
This worm spreads via file-sharing networks. The worm itself is a Windows PE EXE file approximately 1274KB in size. Installation Once launched, the worm causes the following error message to be displayed: On repeated launched, the worm will cause the error message below to be displayed: When...
P2P-Worm.Win32.Franvir
This is not a dangerous nonmemory resident parasitic virus. It searches for .COM files (except COMMAND.COM) of current directory and writes itself to the end of the file. Sometimes it display: At last ...... ALIVE !!!!! I guess your computer is infected by the Big Joke Virus.
It is a harmless nonmemory resident parasitic virus. It searches for COM files (except COMMAND.COM), then writes itself to the end of the file. The virus does not manifests itself in any way, it contains the text strings: *.com COMMAND. HAPPY v1.03 (C) PROFESSOR,KPI
Worm.P2P.Duload represents a family of worms that replicate by copying themselves into a Kazaa network shared folder located on victim machines. The worm itself is a Windows application (PE EXE file) written in Visual Basic, 18432 bytes in size. Installation The worm copies itself to the Windows..
P2P-Worm.Win32.Duload.a
This is an IRC worm that spreads via mIRC channels. The worm code itself is a randomly named DOS EXE file. When it is executed, the worm copies itself with the LOA.EXE name to the Windows directory and registers this file in the system registry in the auto-run section:..
IRC-Worm.DOS.Loa
IRC-Worm.DOS.Septic
It is a harmless memory resident parasitic polymorphic virus. It writes itself to beginning of SYS and to the end of EXE files. While executing an infected EXE file the virus opens the C:\CONFIG.SYS file, scans it for the names of device drivers, infects them and returns to the host program.
It is a harmless nonmemory resident parasitic virus. It searches for COM and EXE files and infects them. It was created with Biological Warfare Mutation Engine - it is a polymorphic engine, like the MtE and TPE engines. This virus writes itself to the end of the files. It contains the text strings:...
BWME.Twelve.1378
This worm spreads via Windows Messenger. It is written in Visual Basic, and packed using UPX. The packed file is 8704 bytes in size, and the unpacked file is 24064 bytes in size. Once launched, the worm sends a messenger to all MSN Messenger contacts: "its you" The message is accompanied by the...
IM-Worm.Win32.Kelvir.k
Email-Worm.JS.Gigger
Get a copy of '' to safeguard your PC while surfing the web (RECOMMENDED)
Port and system scans performed by the site being visited.
Attacked port:
port:
A program is trying to exploit Windows security holes! Passwords and sensitive data may be stolen!
Your system security is in danger. Privacy threats detected. Spyware, keyloggers or Trojans may be working in the background right now. Perform an in-depth scan and removal now, click here.
Spyware intrusion detected. Your system is infected. System integrity is at risk. Private data can be stolen by third parties, including credit card details and passwords. Click here to perform a security repair.
Click here to contact %1 support team.
Click here to visit %1 website
Contact Customer Support
Visit %1 website
Upgrade to full version of %1 security software package now! Clean your system and ward off new attacks against your system integrity and sensitive data. FREE daily updates and online protection from web-based intrusions are already in the bundle.
Your system was scanned for security breaches. Attention: %s serious issues were detected. Safeguard your system against exploits, malware and viruses right now by activating Proactive Defense.
Reg key:
Scanning links and web pages to make your web experience safe
A registered copy of %1 offers a full range of features to keep your system clean and protected. Check the list of benefits and opportunities here below:
Your personal files, photos, documents and passwords get stolen
Browser crashes frequently and web access speed decreases
No web traffic, activity and content is monitored. Spyware and malware can use your web browser as a gateway to sensitive areas of your system. No malicious code in web pages is detected and blocked.
Web traffic is analyzed for possible spyware and malware components. Intrusion attempts from the web are blocked and attacking sites and addresses are blocked. Pages visited are analyzed for spyware and malware presence and cleaned on the fly.
Sensitive areas of your system containing your private data are protected. Documents, passwords, browsing history, credit card and bank details are secured against identity theft. Unauthorized attempts to take control over your PC are intercepted and blocked.
When Internet Security is enabled, unauthorized access to critical zones of your system from the web is prevented. Private information is safeguarded against online hacking attacks. Intrusion attempts are intercepted and malware existing in the system is prevented from contacting its originating servers.
Support
Total: %s
( %s entries )
Infections found: %s
Scan Process: %s%%
disabled. Dangerous web attacks possible.
is enabled and your web surfing is safe
eexefile
.exe"
1.dat
firefox
chrome
opera
Invalid registration key
Operating system restart is required to complete configuration.
imageres.dll
firewall.cpl
wscui.cpl
MSASCui.exe
{C9A34C77-4D69-45EC-A07D-83242376045D}D68DDC3A-831F-4FAE-9E44-DA132C1ACF46
ActionCenterCPL.dll.mui
OPERA
Firefox
Chrome
Opera
MpCmdRun.exe
MsMpEng.exe
NisSrv.exe
msseces.exe
"c:\windows\syswow64\dfrgui.exe" -a
"c:\windows\explorer.exe" -a
Update.exe
iexplore.exe
%.4i.tmp
"%s" -del %s
wscntfy.exe
E"%s" -a "%%1" %%*
"%s" %s
dred_shield.png
green_shield.png
red_shield_48.png
background_gradient_red.jpg
res://ieframe.dll/
/%ib%.3it.jpg
%%f%i
Google Chrome
hXXp://
explorer.exe
%s%s/%.4i%.4i%.1i%.1i
\StringFileInfo\xx\ProductName
\StringFileInfo\xx\CompanyName
\StringFileInfo\xx\FileDescription
%u.%u.%u.%u
edfrgui.exe
c:\windows\syswow64\sysprep
c:\windows\system32\sysprep
\sysprep.exe
Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
\Update.exe
CRYPTSP.DLL
CRYPTBASE.DLL
xpsp2res.dll
inetcpl.cpl
ActionCenterCPL.dll
wuapi.dll
wuauclt.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:888

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Application Data\aln.exe (204 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AAX6WLO9\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PKK63MHM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (1079 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A24AB8Q7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BPX15JCH\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Templates\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (1079 bytes)
    %Documents and Settings%\All Users\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (1079 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl (1079 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe" = "%System%\ctfmon.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
