Gen.Variant.Zusy.183921_bd4dabb72d

by malwarelabrobot on April 17th, 2018 in Malware Descriptions.

Gen:Variant.Zusy.183921 (BitDefender), Trojan-Dropper.Win32.Agent.fqvk (Kaspersky), Trojan.PWS.Vkontakte.259 (DrWeb), Gen:Variant.Zusy.183921 (B) (Emsisoft), Trojan-FKZY!BD4DABB72DBA (McAfee), SMG.Heur!gen (Symantec), Trojan.Backdoor.Ircbot (Ikarus), Win32:Agent-AQRA [Trj] (AVG), Win32:Agent-AQRA [Trj] (Avast), TROJ_DROPPER_FD250377.UVPM (TrendMicro), Gen:Variant.Zusy.183921 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.



MD5: bd4dabb72dbae8fad5dd38e26aa21cc3
SHA1: 98f4f91c423d8d233e3d74e536558fe7d02eaadb
SHA256: 6e692ef4d63c3d07c610845e19cd10229401f5bbf3c90b19660c4b26189b5b51
SSDeep: 98304:Zatc4EGqZJ9df Gs ImEiC8Yjniv6uPhbeJEqPaLcsKChl:AijjxBImEiC8bvTPjMkcgH
Size: 5100592 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Microsoft
Created at: 2010-09-24 18:34:15
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Dropper: a Trojan program intended for the stealth installation of other malware onto the user's system.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

install.exe:3460
go.exe:816
%original file name%.exe:2668
Temp21.exe:3088
wm_player.exe:2796
setup.exe:2856

The Trojan injects its code into the following process(es):

go.exe:3828

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process install.exe:3460 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp67344$\engine\who.obo (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp67344$\driiver\wm_player.exe (9809 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp67344$\go.exe (9474 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp67344$\driiver\É¿ßp¡¬¿\É¿ßp¡«¬2.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp67344$\driiver\É¿ßp¡¬¿\É¿ßp¡«¬1.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp67344$\engine\cry.obo (152 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp67344$\1111ProgStart.name (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\65.arc (1340 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\65.arc (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp67344$\1111ProgStart.name (0 bytes)

The process go.exe:816 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp64301$\setup.exe (290 bytes)

The process go.exe:3828 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\driiver\É¿ßp¡¬¿\É¿ßp¡«¬1.png (3 bytes)
C:\Windows\driiver\É¿ßp¡¬¿\É¿ßp¡«¬2.png (3 bytes)
C:\Windows\driiver\wm_player.exe (7775 bytes)

The process %original file name%.exe:2668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp64301$\w.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\78.arc (750 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp64301$\ww.txt (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp64301$\1111ProgStart.name (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp64301$\setup.exe (39784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp64301$\install.exe (9918 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp64301$\go.exe (1016 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\Temp21.exe (188 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\78.arc (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp64301$\1111ProgStart.name (0 bytes)

The process Temp21.exe:3088 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp64301$\1111ProgStart.name (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\PureSFX30.arc (295269 bytes)
C:\%original file name%.exe (38295 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\RCXE927.tmp (26423 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\TempExeF16.exe (38671 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp64301$\w.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\TempExeF16.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp64301$\ww.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp64301$\1111ProgStart.name (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp64301$\install.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp64301$\go.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\PureSFX30.arc (0 bytes)

The process wm_player.exe:2796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\driiver\date.obo (3 bytes)

The process setup.exe:2856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6CE7.tmp\StealthMode.ini (1303 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6CE7.tmp\StealthAttention.ini (1122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6CE7.tmp\AgeVerify.ini (1284 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6CE7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb6CD7.tmp (0 bytes)

Registry activity

The process go.exe:3828 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\go_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\go_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\go_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\go_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\go_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"

To run itself automatically each time Windows boots, the Trojan adds the following value, pointing to its own file, under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"wm_player_video_driver" = "C:\windows\driiver\wm_player.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process wm_player.exe:2796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process setup.exe:2856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\thriXXX\3DSexVilla2\3DSexVilla2SharedDLL]
"PNG" = "010218PNG"
"JP2" = "017010JP2"

Dropped PE files

MD5 File path
2f6cb6b2cdf9c073de11c43d6cd5d58c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp64301$\install.exe
e18b0d94dd1e96b5b7d9485b6e44806f c:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp64301$\setup.exe
36b99a635a0d4f0f9fccbe2dda28ed6a c:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp67344$\driiver\wm_player.exe
41f47d5ba84a9e073ee7276dfaf75648 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp67344$\go.exe
7b96d45f1814a0b9989126297bdd1ecf c:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\Temp21.exe
36b99a635a0d4f0f9fccbe2dda28ed6a c:\Windows\driiver\wm_player.exe
f32c969bfb0527d3d332b46fa647a55f c:\%original file name%.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 0.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: 33333.exe
Internal Name: 33333.exe
File Version: 0.0.0.0
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.code 4096 7205 7680 3.83637 d583f61ca3321710ae3e88dbd1172e72
.text 12288 85162 85504 4.62348 32092f473b5ba3180a37e4c44dbb6614
.rdata 98304 25962 26112 5.23878 b6ab1fe668ae5da27a25120ba9c173de
.data 126976 9288 8192 3.97575 eee56163f1cf3a0cf154654949eb6c4e
.rsrc 139264 4972020 4972032 5.53864 96fc0ba24dedcbd515a740359bebdc24

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 7

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    install.exe:3460
    go.exe:816
    %original file name%.exe:2668
    Temp21.exe:3088
    wm_player.exe:2796
    setup.exe:2856

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp67344$\engine\who.obo (88 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp67344$\driiver\wm_player.exe (9809 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp67344$\go.exe (9474 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp67344$\driiver\É¿ßp¡¬¿\É¿ßp¡«¬2.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp67344$\driiver\É¿ßp¡¬¿\É¿ßp¡«¬1.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp67344$\engine\cry.obo (152 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp67344$\1111ProgStart.name (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\65.arc (1340 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp64301$\setup.exe (290 bytes)
    C:\Windows\driiver\É¿ßp¡¬¿\É¿ßp¡«¬1.png (3 bytes)
    C:\Windows\driiver\É¿ßp¡¬¿\É¿ßp¡«¬2.png (3 bytes)
    C:\Windows\driiver\wm_player.exe (7775 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp64301$\w.txt (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\78.arc (750 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp64301$\ww.txt (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp64301$\1111ProgStart.name (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp64301$\install.exe (9918 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp64301$\go.exe (1016 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\Temp21.exe (188 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\PureSFX30.arc (295269 bytes)
    C:\%original file name%.exe (38295 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\RCXE927.tmp (26423 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\TempExeF16.exe (38671 bytes)
    C:\Windows\driiver\date.obo (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6CE7.tmp\StealthMode.ini (1303 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6CE7.tmp\StealthAttention.ini (1122 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6CE7.tmp\AgeVerify.ini (1284 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "wm_player_video_driver" = "C:\windows\driiver\wm_player.exe"

  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
