Gen.Trojan.Heur.KS.2_02ab7e3941

by malwarelabrobot on September 1st, 2014 in Malware Descriptions.

HEUR:Hoax.Win32.ExpProc.gen (Kaspersky), Gen:Trojan.Heur.KS.2 (B) (Emsisoft), Gen:Trojan.Heur.KS.2 (AdAware), Fake-AV.Win32.FakeRean.2.FD, FakeAVWin32FakeRean.YR (Lavasoft MAS)
Behaviour: Trojan, Fake-AV


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 02ab7e3941fe204394c64cb93233c680
SHA1: ecf29e0bb7cac31fe38463f32cb8493d4e500779
SHA256: b7b75d29177f6371d408b62d9c4a99bedf192e649c8dc636a5c5e9d5886bc72f
SSDeep: 6144:YwIMcs0wA0q QhUOHu9dXJ83fWNBGsgHpAe3m6VZ5D:Ywn7nuuzZ83aCJA nD
Size: 335872 bytes
File type: DLL
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualCv71EXE, UPolyXv05_v6
Company: AirInstaller
Created at: 2008-04-14 19:09:34
Analyzed on: WindowsXP ESX SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

regsvr32.exe:1696

The Trojan injects its code into the following process(es):

wun.exe:1100

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process regsvr32.exe:1696 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\wun.exe (1616 bytes)

The process wun.exe:1100 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\w7wk868rbh6 (197 bytes)
%Documents and Settings%\%current user%\Templates\w7wk868rbh6 (197 bytes)
%Documents and Settings%\All Users\Application Data\w7wk868rbh6 (197 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\w7wk868rbh6 (197 bytes)

The Trojan deletes the following file(s):

C:\02ab7e3941fe204394c64cb93233c680.dll (0 bytes)

Registry activity

The process regsvr32.exe:1696 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F BE 0A C3 98 E4 C8 9C 0B 91 2E CC D9 E2 9B 5C"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
"UpdatesDisableNotify" = "1"
"FirewallOverride" = "1"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = "0"
"DoNotAllowExceptions" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

The following service is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess]
"Start" = "4"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

The process wun.exe:1100 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\exefile\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\wun.exe -a %1 %*"

[HKCU\Software\Classes\exefile\shell\runas\command]
"IsolatedCommand" = "%1 %*"

[HKCU\Software\Classes\exefile]
"(Default)" = "Application"

[HKCU\Software\Classes\.exe\shell\runas\command]
"IsolatedCommand" = "%1 %*"

[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "IEXPLORE.EXE"

[HKCU\Software\Classes\exefile\shell\open\command]
"IsolatedCommand" = "%1 %*"

[HKCU\Software\Classes\.exe\shell\runas\command]
"(Default)" = "%1 %*"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKCU\Software\Classes\exefile\shell\runas\command]
"(Default)" = "%1 %*"

[HKCU\Software\Classes\exefile]
"Content Type" = "application/x-msdownload"

[HKCU\Software\Classes\.exe\shell\open\command]
"IsolatedCommand" = "%1 %*"

[HKCU\Software\Classes\.exe]
"(Default)" = "exefile"

[HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\wun.exe -a %Program Files%\Internet Explorer\iexplore.exe"

[HKCU\Software\Classes\exefile\DefaultIcon]
"(Default)" = "%1"

[HKCU\Software\Microsoft\Windows]
"Identity" = "1878903825"

[HKCU\Software\Classes\.exe\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\wun.exe -a %1 %*"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 F7 86 B1 BC DE DF 70 67 F6 68 8C ED BF 6C 17"

[HKCU\Software\Classes\.exe\DefaultIcon]
"(Default)" = "%1"

[HKCU\Software\Classes\.exe]
"Content Type" = "application/x-msdownload"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe"

Dropped PE files

MD5                               File path
58df36e3f8c6a8eb8046c1259f1e543c  c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\wun.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             241664        241664    5.3951   07ed87c145b7052e20bd9e84ea70533c
.rdata  245760           49152         49152     4.53869  39c822a940abbb3ea4bfe7f6601fbc91
.data   294912           1736704       20480     4.01107  6bb8a19cc0457bbddc9ee63565a698f0
.idata  2031616          8192          8192      2.75531  b8ab8d1305469ac2e06848ee16698db9
.rsrc   2039808          12288         12288     3.74062  da16a27d056b00f7aeb9b614cc896607

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL            IP
microsoft.com  134.170.185.46


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET CURRENT_EVENTS Zeus GameOver Possible DGA NXDOMAIN Responses

Traffic

The Trojan connects to the servers at the following location(s):

wun.exe_1100_rwx_00401000_001EF000:

HTTP/1.0 200 OK
Date: %s
Expires: %s
Content-Type: %s
gdiplus.dll
user32.dll
wsock32.dll
ws2_32.dll
oleaut32.dll
gdi32.dll
advapi32.dll
uxtheme.dll
ole32.dll
shell32.dll
comctl32.dll
shlwapi.dll
version.dll
msimg32.dll
ntdll.dll
kernel32.dll
microsoft.com
Software\Microsoft\Windows
hXXp://
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
IEXPLORE.EXE
FIREFOX.EXE
%System%\ctfmon.exe
ctfmon.exe
Software\Microsoft\Windows\CurrentVersion\Run
%s\shell\%s\command
%s, %.2i %s %.4i %.2i:%.2i:%.2i GMT
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP/1.0
HTTP/1.
%WinDir%\$hf_mig$\KB975713\
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta http-equiv="no-cache" /><base href='ºse!'></base></head><style type='text/css'>body { font-family: Segoe UI, verdana, arial; background-image: url(res://ieframe.dll/background_gradient.jpg); background-repeat: repeat-x; background-color: #õ; margin-top: 20px; margin-left: 20px; color: #575757; }body.a { font-family: Segoe UI, verdana , Arial; background-image: url(ñ); background-repeat: repeat-x; background-color: #õ; margin-top: 20px; margin-left: 20px; } a { color: rgb(19,112,171);
h1 { color: #4465A2; font-size: 1.1em; font-weight: normal; vertical-align:bottom; margin-top: 7px; margin-bottom: 4px; }h2 { font-size: 0.9em; font-weight: normal; margin-top: 20px; margin-bottom: 1px; }h3 { font-size: 0.9em; font-weight: normal; margin-top: 10px; margin-bottom: 1px; }h4 { font-size: 0.9em; font-weight: normal; margin-top: 12px; margin-bottom: 1px; }.b { vertical-align: middle; margin-top: %MF%px; margin-right: 6px; }ul, ol { font-size: 0.9em; list-style-position: outside; margin-top: 1px; margin-bottom: 1px; padding-top: 1px; padding-bottom: 1px; line-height: 1.3em; }</style><script language="JavaScript">document.onselectstart = returnfalse;document.ondragstart = returnfalse;document.oncontextmenu = returnfalse;function returnfalse() {return false;}</script><body ondragstart="return false;" onselectstart="return false;" class="a"><table width="800" cellpadding="0" cellspacing="0" border="0"><tr><td width="60" align="left" valign="top" rowspan="3"><img src="ò"></td><td valign="middle" align="left" width="*"><h1></h1></td></tr><tr><td><h3><div></div></h3></td></tr><tr><td style="font-size: 0.7em; font-weight: normal; color: #787878;" align="right"> <div style="border-bottom: #B6BCC6 1px solid;"></div></td></tr><tr><td> </td><td><H2 ></H2></td></tr><tr><td></td><td><h3><ul style='list-style:circle; margin-left:%MG%px'><li></li><li></li><li></li><li></li><li></li></ul></h3></td></tr><tr><td> </td><td><h2><b></b></h2></td></tr><tr><td > </td><td align="left" valign="middle"><h4 ><img src="ó" border="0" class="b"><a href="javascript:" onClick="javascript:document.location='1';">	</a></h4></td></tr><tr><td > </td><td align="left" valign="middle"><h4 ><img src="ó" border="0" class="b"><a href="javascript:" onClick="javascript:document.location='2';"></a></h4></td></tr><tr><td > </td><td align="left" valign="middle"><h4 ><img src="ô" border="0" class="b"><a href="‚3"></a></h4></td></tr></table></body></html>
Windows recommend Activate %1
Trojan-BNK.Win32.Keylogger.gen
passwords.
Please write it for future using and support requests.
Your LICENSE KEY:
This Trojan steals user passwords. It is designed to steal a range of confidential information. It is a Windows PE EXE file. It is 11,269 bytes in size. It is written in Visual C  .
Trojan-PSW.Win32.Coced.219
This worm is written in Visual C   and is made up of two files, an executable file (EXE) and a dynamic link library (DLL), which is found within the EXE file.
Email-Worm.Win32.Eyeveg.f
This Trojan utility scans the system data files to Internet access passwords, decrypts them and sends to a specified e-mail address. It also scans the system for more private information: telephone numbers, computer name etc.
Trojan-PSW.Win32.Antigen.a
Net-Worm.Linux.Adm
Virus.BAT.Batalia1.840
Backdoor.Rbot is a family of Trojan programs for Windows, which offer the user remote access
Backdoor.Rbot.gen
This Trojan program is designed to run on smartphones running Symbian. The Trojan is a SIS installation archive. The Trojan has no self replication routine. Trojan-SMS.SymbOS.Viver.a actually covers two variants of this malicious program. The first is an archive called RulesViver.sis.
Trojan-SMS.SymbOS.Viver.a
This script for a Windows FTP client can download other executable files without the knowledge or consent of the user. It may be used to download Trojan programs to the victim machine.
Trojan-Downloader.BAT.Ftp.ab
This Trojan launches a proxy server on the victim machine without the knowledge or consent of the user. It is a Windows PE EXE file. The file is 28,796 bytes in size. It is not packed in any way. Installation When launched, the Trojan will copy its executable file as: %Program...
Trojan-Proxy.Win32.Agent.q
This Trojan will periodically load a designated web page into the browser. The Trojan itself is written in Microsoft Visual Basic and is 32768 bytes in size. Installation This Trojan uses a standard icon to mask itself as an installation program: Once launched, the Trojan copies itself to the...
Trojan-Clicker.Win32.Stixo.d
Trojan-SMS.J2ME.RedBrowser.a
This Trojan program is designed to provide remote management of systems running UNIX-type operating systems. It is a Perl scenario. It is approximately 12KB in size.
Backdoor.Perl.AEI.16
This is the second known macro virus infecting MS PowerPoint presentations. It contains five macros in one module "ShapeShift": actionhook, SlideIn, WackShape, RandomWackSlide, WackPresentation. To activate its code on a event the virus hooks MouseClick that pass control to the virus..
Macro.PPoint.ShapeShift
It is a dangerous memory resident multipartite virus. While executing an infected file the virus infects the MBR of the hard drive, as well as while loading from infected floppy disk. While loading from infected disk (MBR, boot) the virus hooks INT 13h, waits for DOS loading, and hooks INT 21h..
Virus.Boot-DOS.V.1536
Email-Worm.VBS.Peach
This Trojan launches a proxy server on the victim machine without the knowledge or consent of the user. It is a Windows PE EXE file. The file is approximately 17KB in size. It is packed using PECompact. The unpacked file is approximately 30KB in size. Installation When launched, the Trojan...
Trojan-Proxy.Win32.Agent.x
This Trojan uses spoofing technology. It is a fake HTML page. It is designed to steal confidential information from Caja Madrid clients. The Trojan arrives in the guise of an important email from Caja Madrid. The email contains a link which exploits the Frame Spoof vulnerability in Internet...
Trojan-Spy.HTML.Bankfraud.pa
The suspicious message "Exploit.CodeBaseExec" means that HTML page being scanned contains code exploiting the Microsoft Internet Explorer Arbitrary Program Execution Vulnerability, aka the Local Executable Invocation via Object tag vulnerability.
Exploit.CodeBaseExec
This program is a realized DoS attack on one of the more popular ftp-servers for Windows 95/98/NT - War-FTPD v1.70. It makes many connections to an ftp-server resulting in a denial of service. This program also can disturb the operation of other ftp's in a Unix system - wu-ftpd, proftpd,...
DoS.Win32.DieWar
This Trojan program utilizes spoofing technology. It is made as a fake HTML page. It is designed to steal information from Postbank clients. It arrives as a important message alledgedly sent by PostBank: This message contains a link to the fake page; this link exploits the Frame Spoof...
Trojan-Spy.HTML.Bankfraud.jk
This Trojan program is designed to artificially boost the number of visits to designated web sites. The Trojan itself is a Windows PE EXE file, packed using FSG. The file may be between 5KB and 36KB. Installation Once launched, the Trojan copies itself to the Windows root directory as svchost.exe
Trojan-Clicker.Win32.Small.kj
This is a dangerous non-memory resident parasitic BAT virus. It searches for .BAT files, then writes itself to the end of the file. On Mondays, the virus drops the "Whale" DOS virus.
Virus.BAT.8Fish
This is the first known macro-virus infecting Visio documents, stencils and templates (Visio is the system to create, edit and store business drawing and diagrams - see hXXp://VVV.visio.com). To automate data processing, Visio uses macro-programs written in VBA language
Macro.Visio.Radiant
It is a harmless memory resident multipartite virus. When an infected file is executed, it hooks INT 21h, infects the MBR of the hard drive and stays memory resident. When the system is loading from infected MBR, the virus hooks INT 1Ch, waits for DOS loading procedure and then hooks INT 21h.
Virus.Boot-DOS.V.1526
EICAR is a short 68-byte COM file that is detected by anti-virus programs as a virus, but is actually NOT "VIRAL" at all. When executed it just displays a message and returns control to the host program. Why is this harmless file detected as a virus? The file was created in order to demonstrate to..
This worm spreads via file-sharing networks. The worm itself is a Windows PE EXE file approximately 1274KB in size. Installation Once launched, the worm causes the following error message to be displayed: On repeated launched, the worm will cause the error message below to be displayed: When...
P2P-Worm.Win32.Franvir
This is not a dangerous nonmemory resident parasitic virus. It searches for .COM files (except COMMAND.COM) of current directory and writes itself to the end of the file. Sometimes it display: At last ...... ALIVE !!!!! I guess your computer is infected by the Big Joke Virus.
It is a harmless nonmemory resident parasitic virus. It searches for COM files (except COMMAND.COM), then writes itself to the end of the file. The virus does not manifests itself in any way, it contains the text strings: *.com COMMAND. HAPPY v1.03 (C) PROFESSOR,KPI
Worm.P2P.Duload represents a family of worms that replicate by copying themselves into a Kazaa network shared folder located on victim machines. The worm itself is a Windows application (PE EXE file) written in Visual Basic, 18432 bytes in size. Installation The worm copies itself to the Windows..
P2P-Worm.Win32.Duload.a
This is an IRC worm that spreads via mIRC channels. The worm code itself is a randomly named DOS EXE file. When it is executed, the worm copies itself with the LOA.EXE name to the Windows directory and registers this file in the system registry in the auto-run section:..
IRC-Worm.DOS.Loa
IRC-Worm.DOS.Septic
It is a harmless memory resident parasitic polymorphic virus. It writes itself to beginning of SYS and to the end of EXE files. While executing an infected EXE file the virus opens the C:\CONFIG.SYS file, scans it for the names of device drivers, infects them and returns to the host program.
It is a harmless nonmemory resident parasitic virus. It searches for COM and EXE files and infects them. It was created with Biological Warfare Mutation Engine - it is a polymorphic engine, like the MtE and TPE engines. This virus writes itself to the end of the files. It contains the text strings:...
BWME.Twelve.1378
This worm spreads via Windows Messenger. It is written in Visual Basic, and packed using UPX. The packed file is 8704 bytes in size, and the unpacked file is 24064 bytes in size. Once launched, the worm sends a messenger to all MSN Messenger contacts: "its you" The message is accompanied by the...
IM-Worm.Win32.Kelvir.k
Email-Worm.JS.Gigger
Get a copy of '' to safeguard your PC while surfing the web (RECOMMENDED)
Port and system scans performed by the site being visited.
Attacked port:
port:
A program is trying to exploit Windows security holes! Passwords and sensitive data may be stolen!
Your system security is in danger. Privacy threats detected. Spyware, keyloggers or Trojans may be working in the background right now. Perform an in-depth scan and removal now, click here.
Spyware intrusion detected. Your system is infected. System integrity is at risk. Private data can be stolen by third parties, including credit card details and passwords. Click here to perform a security repair.
Click here to contact %1 support team.
Click here to visit %1 website
Contact Customer Support
Visit %1 website
Upgrade to full version of %1 security software package now! Clean your system and ward off new attacks against your system integrity and sensitive data. FREE daily updates and online protection from web-based intrusions are already in the bundle.
Your system was scanned for security breaches. Attention: %s serious issues were detected. Safeguard your system against exploits, malware and viruses right now by activating Proactive Defense.
Reg key:
Scanning links and web pages to make your web experience safe
A registered copy of %1 offers a full range of features to keep your system clean and protected. Check the list of benefits and opportunities here below:
Your personal files, photos, documents and passwords get stolen
Browser crashes frequently and web access speed decreases
No web traffic, activity and content is monitored. Spyware and malware can use your web browser as a gateway to sensitive areas of your system. No malicious code in web pages is detected and blocked.
Web traffic is analyzed for possible spyware and malware components. Intrusion attempts from the web are blocked and attacking sites and addresses are blocked. Pages visited are analyzed for spyware and malware presence and cleaned on the fly.
Sensitive areas of your system containing your private data are protected. Documents, passwords, browsing history, credit card and bank details are secured against identity theft. Unauthorized attempts to take control over your PC are intercepted and blocked.
When Internet Security is enabled, unauthorized access to critical zones of your system from the web is prevented. Private information is safeguarded against online hacking attacks. Intrusion attempts are intercepted and malware existing in the system is prevented from contacting its originating servers.
Support
Total: %s
( %s entries )
Infections found: %s
Scan Process: %s%%
disabled. Dangerous web attacks possible.
is enabled and your web surfing is safe
eexefile
.exe"
1.dat
firefox
chrome
opera
Invalid registration key
Operating system restart is required to complete configuration.
imageres.dll
firewall.cpl
wscui.cpl
MSASCui.exe
{C9A34C77-4D69-45EC-A07D-83242376045D}D68DDC3A-831F-4FAE-9E44-DA132C1ACF46
ActionCenterCPL.dll.mui
OPERA
Firefox
Chrome
Opera
MpCmdRun.exe
MsMpEng.exe
NisSrv.exe
msseces.exe
/.exe
"c:\windows\syswow64\dfrgui.exe" -a
"c:\windows\explorer.exe" -a
Update.exe
iexplore.exe
%.4i.tmp
"%s" -del %s
wscntfy.exe
E"%s" -a "%%1" %%*
"%s" %s
dred_shield.png
green_shield.png
red_shield_48.png
background_gradient_red.jpg
res://ieframe.dll/
/%ib%.3it.jpg
%%f%i
Google Chrome
explorer.exe
%s%s/%.4i%.4i%.1i%.1i
\StringFileInfo\xx\ProductName
\StringFileInfo\xx\CompanyName
\StringFileInfo\xx\FileDescription
%u.%u.%u.%u
edfrgui.exe
c:\windows\syswow64\sysprep
c:\windows\system32\sysprep
\sysprep.exe
Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
\Update.exe
CRYPTSP.DLL
CRYPTBASE.DLL
xpsp2res.dll
inetcpl.cpl
ActionCenterCPL.dll
wuapi.dll
wuauclt.exe
%System%
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\jXu0kla.835
%Documents and Settings%\All Users\Documents\My Music\My Playlists\S17o55i.cab
%Documents and Settings%\Default User\Start Menu\Programs\V2.sys
%Documents and Settings%\NetworkService\Local Settings\Application Data\hdHYdf05P1.rt
C:\Perl\etc\13B2F1l0I1.kc5
C:\Perl\html\lib\DBI\SQL\gtw6211001.dl
C:\Perl\html\lib\Moose\Meta\Role\Fr.3d5
C:\Perl\html\lib\Perl\Critic\Policy\ValuesAndExpressions\H5xGrt.rt
C:\Perl\html\lib\TAP\Harness\ppmD0qRs1.sys
C:\Perl\lib\auto\Class\Load\D7QiB.sys
C:\Perl\lib\auto\File\Fetch\1wEY1.cab
C:\Perl\lib\auto\Params\Classify\TI0EJm57wvh.rt
C:\Perl\lib\auto\Win32\AuthenticateUser\gffXSt86vP.rt
C:\Perl\lib\CORE\sys\26t.rt
C:\Perl\lib\File\Spec\J1kWp.41b
C:\Perl\lib\Moose\Cookbook\Legacy\055G1WLUaH.dl
C:\Perl\lib\PPI\Document\4nA605RG1y.dl
C:\Perl\lib\Test\Perl\Critic\h7lT5n.k
C:\Perl\lib\unicore\lib\SB\51387EUU.ylq
%Program Files%\Adobe\Reader 9.0\Reader\Optional\4002iBMSk2.dl
%Program Files%\Common Files\System\788g3H08I4.nc0
%Program Files%\Java\jre6\lib\images\cursors\747fAt.cab
%WinDir%\$hf_mig$\KB2620712\4t130I2vo0LN.rt

wun.exe_1100_rwx_00AE0000_002B7000:

>(>0>9>`>
8"8(8:8@8
2010:06:04 04:17:53
hXXp://ns.adobe.com/xap/1.0/
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"><xmp:CreateDate>2010-06-04T04:17:53.229</xmp:CreateDate></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"><dc:creator><rdf:Seq xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>John</rdf:li></rdf:Seq>
,!.fy
3d%D-
/X.Rp
_U$%x
(7),01444
'9=82<.342
2010:06:04 04:07:41
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"><xmp:CreateDate>2010-06-04T04:07:41.468</xmp:CreateDate></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"><dc:creator><rdf:Seq xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>John</rdf:li></rdf:Seq>
.IDATx
2010:06:04 04:18:38
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"><xmp:CreateDate>2010-06-04T04:18:38.428</xmp:CreateDate></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"><dc:creator><rdf:Seq xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>John</rdf:li></rdf:Seq>
HTTP/1.0 200 OK
Date: %s
Expires: %s
Content-Type: %s
2010:06:04 04:19:08
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"><xmp:CreateDate>2010-06-04T04:19:08.340</xmp:CreateDate></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"><dc:creator><rdf:Seq xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>John</rdf:li></rdf:Seq>
]sM-H%x
P%Sp<
{]m%X-de
2010:06:04 04:19:40
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"><xmp:CreateDate>2010-06-04T04:19:40.162</xmp:CreateDate></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"><dc:creator><rdf:Seq xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>John</rdf:li></rdf:Seq>
$%.wH
B.fAk
00000000
2010:06:04 04:20:15
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"/><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"><xmp:CreateDate>2010-06-04T04:20:15.844</xmp:CreateDate></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="hXXp://purl.org/dc/elements/1.1/"><dc:creator><rdf:Seq xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>John</rdf:li></rdf:Seq>
gdiplus.dll
user32.dll
wsock32.dll
ws2_32.dll
oleaut32.dll
gdi32.dll
advapi32.dll
uxtheme.dll
ole32.dll
shell32.dll
comctl32.dll
shlwapi.dll
version.dll
msimg32.dll
ntdll.dll
kernel32.dll
microsoft.com
Software\Microsoft\Windows
hXXp://
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
IEXPLORE.EXE
FIREFOX.EXE
%System%\ctfmon.exe
ctfmon.exe
Software\Microsoft\Windows\CurrentVersion\Run
%s\shell\%s\command
%s, %.2i %s %.4i %.2i:%.2i:%.2i GMT
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP/1.0
HTTP/1.
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta http-equiv="no-cache" /><base href='ºse!'></base></head><style type='text/css'>body { font-family: Segoe UI, verdana, arial; background-image: url(res://ieframe.dll/background_gradient.jpg); background-repeat: repeat-x; background-color: #õ; margin-top: 20px; margin-left: 20px; color: #575757; }body.a { font-family: Segoe UI, verdana , Arial; background-image: url(ñ); background-repeat: repeat-x; background-color: #õ; margin-top: 20px; margin-left: 20px; } a { color: rgb(19,112,171);
h1 { color: #4465A2; font-size: 1.1em; font-weight: normal; vertical-align:bottom; margin-top: 7px; margin-bottom: 4px; }h2 { font-size: 0.9em; font-weight: normal; margin-top: 20px; margin-bottom: 1px; }h3 { font-size: 0.9em; font-weight: normal; margin-top: 10px; margin-bottom: 1px; }h4 { font-size: 0.9em; font-weight: normal; margin-top: 12px; margin-bottom: 1px; }.b { vertical-align: middle; margin-top: %MF%px; margin-right: 6px; }ul, ol { font-size: 0.9em; list-style-position: outside; margin-top: 1px; margin-bottom: 1px; padding-top: 1px; padding-bottom: 1px; line-height: 1.3em; }</style><script language="JavaScript">document.onselectstart = returnfalse;document.ondragstart = returnfalse;document.oncontextmenu = returnfalse;function returnfalse() {return false;}</script><body ondragstart="return false;" onselectstart="return false;" class="a"><table width="800" cellpadding="0" cellspacing="0" border="0"><tr><td width="60" align="left" valign="top" rowspan="3"><img src="ò"></td><td valign="middle" align="left" width="*"><h1></h1></td></tr><tr><td><h3><div></div></h3></td></tr><tr><td style="font-size: 0.7em; font-weight: normal; color: #787878;" align="right"> <div style="border-bottom: #B6BCC6 1px solid;"></div></td></tr><tr><td> </td><td><H2 ></H2></td></tr><tr><td></td><td><h3><ul style='list-style:circle; margin-left:%MG%px'><li></li><li></li><li></li><li></li><li></li></ul></h3></td></tr><tr><td> </td><td><h2><b></b></h2></td></tr><tr><td > </td><td align="left" valign="middle"><h4 ><img src="ó" border="0" class="b"><a href="javascript:" onClick="javascript:document.location='1';">	</a></h4></td></tr><tr><td > </td><td align="left" valign="middle"><h4 ><img src="ó" border="0" class="b"><a href="javascript:" onClick="javascript:document.location='2';"></a></h4></td></tr><tr><td > </td><td align="left" valign="middle"><h4 ><img src="ô" border="0" class="b"><a href="‚3"></a></h4></td></tr></table></body></html>
Windows recommend Activate %1
Trojan-BNK.Win32.Keylogger.gen
passwords.
Please write it for future using and support requests.
Your LICENSE KEY:
This Trojan steals user passwords. It is designed to steal a range of confidential information. It is a Windows PE EXE file. It is 11,269 bytes in size. It is written in Visual C  .
Trojan-PSW.Win32.Coced.219
This worm is written in Visual C   and is made up of two files, an executable file (EXE) and a dynamic link library (DLL), which is found within the EXE file.
Email-Worm.Win32.Eyeveg.f
This Trojan utility scans the system data files to Internet access passwords, decrypts them and sends to a specified e-mail address. It also scans the system for more private information: telephone numbers, computer name etc.
Trojan-PSW.Win32.Antigen.a
Net-Worm.Linux.Adm
Virus.BAT.Batalia1.840
Backdoor.Rbot is a family of Trojan programs for Windows, which offer the user remote access
Backdoor.Rbot.gen
This Trojan program is designed to run on smartphones running Symbian. The Trojan is a SIS installation archive. The Trojan has no self replication routine. Trojan-SMS.SymbOS.Viver.a actually covers two variants of this malicious program. The first is an archive called RulesViver.sis.
Trojan-SMS.SymbOS.Viver.a
This script for a Windows FTP client can download other executable files without the knowledge or consent of the user. It may be used to download Trojan programs to the victim machine.
Trojan-Downloader.BAT.Ftp.ab
This Trojan launches a proxy server on the victim machine without the knowledge or consent of the user. It is a Windows PE EXE file. The file is 28,796 bytes in size. It is not packed in any way. Installation When launched, the Trojan will copy its executable file as: %Program...
Trojan-Proxy.Win32.Agent.q
This Trojan will periodically load a designated web page into the browser. The Trojan itself is written in Microsoft Visual Basic and is 32768 bytes in size. Installation This Trojan uses a standard icon to mask itself as an installation program: Once launched, the Trojan copies itself to the...
Trojan-Clicker.Win32.Stixo.d
Trojan-SMS.J2ME.RedBrowser.a
This Trojan program is designed to provide remote management of systems running UNIX-type operating systems. It is a Perl scenario. It is approximately 12KB in size.
Backdoor.Perl.AEI.16
This is the second known macro virus infecting MS PowerPoint presentations. It contains five macros in one module "ShapeShift": actionhook, SlideIn, WackShape, RandomWackSlide, WackPresentation. To activate its code on a event the virus hooks MouseClick that pass control to the virus..
Macro.PPoint.ShapeShift
It is a dangerous memory resident multipartite virus. While executing an infected file the virus infects the MBR of the hard drive, as well as while loading from infected floppy disk. While loading from infected disk (MBR, boot) the virus hooks INT 13h, waits for DOS loading, and hooks INT 21h..
Virus.Boot-DOS.V.1536
Email-Worm.VBS.Peach
This Trojan launches a proxy server on the victim machine without the knowledge or consent of the user. It is a Windows PE EXE file. The file is approximately 17KB in size. It is packed using PECompact. The unpacked file is approximately 30KB in size. Installation When launched, the Trojan...
Trojan-Proxy.Win32.Agent.x
This Trojan uses spoofing technology. It is a fake HTML page. It is designed to steal confidential information from Caja Madrid clients. The Trojan arrives in the guise of an important email from Caja Madrid. The email contains a link which exploits the Frame Spoof vulnerability in Internet...
Trojan-Spy.HTML.Bankfraud.pa
The suspicious message "Exploit.CodeBaseExec" means that HTML page being scanned contains code exploiting the Microsoft Internet Explorer Arbitrary Program Execution Vulnerability, aka the Local Executable Invocation via Object tag vulnerability.
Exploit.CodeBaseExec
This program is a realized DoS attack on one of the more popular ftp-servers for Windows 95/98/NT - War-FTPD v1.70. It makes many connections to an ftp-server resulting in a denial of service. This program also can disturb the operation of other ftp's in a Unix system - wu-ftpd, proftpd,...
DoS.Win32.DieWar
This Trojan program utilizes spoofing technology. It is made as a fake HTML page. It is designed to steal information from Postbank clients. It arrives as a important message alledgedly sent by PostBank: This message contains a link to the fake page; this link exploits the Frame Spoof...
Trojan-Spy.HTML.Bankfraud.jk
This Trojan program is designed to artificially boost the number of visits to designated web sites. The Trojan itself is a Windows PE EXE file, packed using FSG. The file may be between 5KB and 36KB. Installation Once launched, the Trojan copies itself to the Windows root directory as svchost.exe
Trojan-Clicker.Win32.Small.kj
This is a dangerous non-memory resident parasitic BAT virus. It searches for .BAT files, then writes itself to the end of the file. On Mondays, the virus drops the "Whale" DOS virus.
Virus.BAT.8Fish
This is the first known macro-virus infecting Visio documents, stencils and templates (Visio is the system to create, edit and store business drawing and diagrams - see hXXp://VVV.visio.com). To automate data processing, Visio uses macro-programs written in VBA language
Macro.Visio.Radiant
It is a harmless memory resident multipartite virus. When an infected file is executed, it hooks INT 21h, infects the MBR of the hard drive and stays memory resident. When the system is loading from infected MBR, the virus hooks INT 1Ch, waits for DOS loading procedure and then hooks INT 21h.
Virus.Boot-DOS.V.1526
EICAR is a short 68-byte COM file that is detected by anti-virus programs as a virus, but is actually NOT "VIRAL" at all. When executed it just displays a message and returns control to the host program. Why is this harmless file detected as a virus? The file was created in order to demonstrate to..
This worm spreads via file-sharing networks. The worm itself is a Windows PE EXE file approximately 1274KB in size. Installation Once launched, the worm causes the following error message to be displayed: On repeated launched, the worm will cause the error message below to be displayed: When...
P2P-Worm.Win32.Franvir
This is not a dangerous nonmemory resident parasitic virus. It searches for .COM files (except COMMAND.COM) of current directory and writes itself to the end of the file. Sometimes it display: At last ...... ALIVE !!!!! I guess your computer is infected by the Big Joke Virus.
It is a harmless nonmemory resident parasitic virus. It searches for COM files (except COMMAND.COM), then writes itself to the end of the file. The virus does not manifests itself in any way, it contains the text strings: *.com COMMAND. HAPPY v1.03 (C) PROFESSOR,KPI
Worm.P2P.Duload represents a family of worms that replicate by copying themselves into a Kazaa network shared folder located on victim machines. The worm itself is a Windows application (PE EXE file) written in Visual Basic, 18432 bytes in size. Installation The worm copies itself to the Windows..
P2P-Worm.Win32.Duload.a
This is an IRC worm that spreads via mIRC channels. The worm code itself is a randomly named DOS EXE file. When it is executed, the worm copies itself with the LOA.EXE name to the Windows directory and registers this file in the system registry in the auto-run section:..
IRC-Worm.DOS.Loa
IRC-Worm.DOS.Septic
It is a harmless memory resident parasitic polymorphic virus. It writes itself to beginning of SYS and to the end of EXE files. While executing an infected EXE file the virus opens the C:\CONFIG.SYS file, scans it for the names of device drivers, infects them and returns to the host program.
It is a harmless nonmemory resident parasitic virus. It searches for COM and EXE files and infects them. It was created with Biological Warfare Mutation Engine - it is a polymorphic engine, like the MtE and TPE engines. This virus writes itself to the end of the files. It contains the text strings:...
BWME.Twelve.1378
This worm spreads via Windows Messenger. It is written in Visual Basic, and packed using UPX. The packed file is 8704 bytes in size, and the unpacked file is 24064 bytes in size. Once launched, the worm sends a messenger to all MSN Messenger contacts: "its you" The message is accompanied by the...
IM-Worm.Win32.Kelvir.k
Email-Worm.JS.Gigger
Get a copy of '' to safeguard your PC while surfing the web (RECOMMENDED)
Port and system scans performed by the site being visited.
Attacked port:
port:
A program is trying to exploit Windows security holes! Passwords and sensitive data may be stolen!
Your system security is in danger. Privacy threats detected. Spyware, keyloggers or Trojans may be working in the background right now. Perform an in-depth scan and removal now, click here.
Spyware intrusion detected. Your system is infected. System integrity is at risk. Private data can be stolen by third parties, including credit card details and passwords. Click here to perform a security repair.
Click here to contact %1 support team.
Click here to visit %1 website
Contact Customer Support
Visit %1 website
Upgrade to full version of %1 security software package now! Clean your system and ward off new attacks against your system integrity and sensitive data. FREE daily updates and online protection from web-based intrusions are already in the bundle.
Your system was scanned for security breaches. Attention: %s serious issues were detected. Safeguard your system against exploits, malware and viruses right now by activating Proactive Defense.
Reg key:
Scanning links and web pages to make your web experience safe
A registered copy of %1 offers a full range of features to keep your system clean and protected. Check the list of benefits and opportunities here below:
Your personal files, photos, documents and passwords get stolen
Browser crashes frequently and web access speed decreases
No web traffic, activity and content is monitored. Spyware and malware can use your web browser as a gateway to sensitive areas of your system. No malicious code in web pages is detected and blocked.
Web traffic is analyzed for possible spyware and malware components. Intrusion attempts from the web are blocked and attacking sites and addresses are blocked. Pages visited are analyzed for spyware and malware presence and cleaned on the fly.
Sensitive areas of your system containing your private data are protected. Documents, passwords, browsing history, credit card and bank details are secured against identity theft. Unauthorized attempts to take control over your PC are intercepted and blocked.
When Internet Security is enabled, unauthorized access to critical zones of your system from the web is prevented. Private information is safeguarded against online hacking attacks. Intrusion attempts are intercepted and malware existing in the system is prevented from contacting its originating servers.
Support
Total: %s
( %s entries )
Infections found: %s
Scan Process: %s%%
disabled. Dangerous web attacks possible.
is enabled and your web surfing is safe
eexefile
.exe"
1.dat
firefox
chrome
opera
Invalid registration key
Operating system restart is required to complete configuration.
imageres.dll
firewall.cpl
wscui.cpl
MSASCui.exe
{C9A34C77-4D69-45EC-A07D-83242376045D}D68DDC3A-831F-4FAE-9E44-DA132C1ACF46
ActionCenterCPL.dll.mui
OPERA
Firefox
Chrome
Opera
MpCmdRun.exe
MsMpEng.exe
NisSrv.exe
msseces.exe
/.exe
"c:\windows\syswow64\dfrgui.exe" -a
"c:\windows\explorer.exe" -a
Update.exe
iexplore.exe
%.4i.tmp
"%s" -del %s
wscntfy.exe
E"%s" -a "%%1" %%*
"%s" %s
dred_shield.png
green_shield.png
red_shield_48.png
background_gradient_red.jpg
res://ieframe.dll/
/%ib%.3it.jpg
%%f%i
Google Chrome
explorer.exe
%s%s/%.4i%.4i%.1i%.1i
\StringFileInfo\xx\ProductName
\StringFileInfo\xx\CompanyName
\StringFileInfo\xx\FileDescription
%u.%u.%u.%u
edfrgui.exe
c:\windows\syswow64\sysprep
c:\windows\system32\sysprep
\sysprep.exe
Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
\Update.exe
CRYPTSP.DLL
CRYPTBASE.DLL
xpsp2res.dll
inetcpl.cpl
ActionCenterCPL.dll
wuapi.dll
wuauclt.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    regsvr32.exe:1696

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Application Data\wun.exe (1616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\w7wk868rbh6 (197 bytes)
    %Documents and Settings%\%current user%\Templates\w7wk868rbh6 (197 bytes)
    %Documents and Settings%\All Users\Application Data\w7wk868rbh6 (197 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\w7wk868rbh6 (197 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe" = "%System%\ctfmon.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
