Virus.Win32.Sality_1cb1c464e0

by malwarelabrobot on September 26th, 2013 in Malware Descriptions.

Trojan.Win32.Jorik.Nrgbot.puq (Kaspersky), Virus.Win32.Sality.ah (v) (VIPRE), Worm.Win32.Dorkbot!IK (Emsisoft), Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, Worm.Win32.Dorkbot.FD, GenericUSBInfector.YR, GenericProxy.YR, GenericSYNFlooder.YR, GenericUDPFlooder.YR, GenericDNSBlocker.YR, GenericMSNWorm.YR, GenericIRCBot.YR, GenericAutorunWorm.YR, VirusSality.YR, WormDorkbot.YR, GenericPhysicalDrive0.YR, GenericInjector.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Flooder, Worm, Virus, WormAutorun, IRCBot, MSNWorm, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 1cb1c464e0860e41443d45822193781c
SHA1: 082a821e207116e90caa420711e390fcf04ea4c1
SHA256: 7a6ed28da9d6a1cedb088ef35ef43f74006f605df99e9d28376658cf0b1c39e4
SSDeep: 3072:4J4qhTTVY1zQvXBGzHAl3HO6xkHFeKG9vkBPVNO39pnrcEAjUBBjaMW75LWooYiU:4JPl3HvqtBmpQjInbAWooYiB7 IHC5qw
Size: 245760 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-07-01 19:26:07


Summary:

Virus. A program that recursively replicates a possibly evolved copy of itself.

Payload

Behaviour: Description
WormAutorun: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
IRCBot: A bot can communicate with command and control servers via an IRC channel.
MSNWorm: A worm can spread its copies through MSN Messenger.
DNSBlocker: A program can block designated DNS servers to make it difficult for users to locate specific domains or web sites on the Internet.
UDPFlooder: This program can perform a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host.
SYNFlooder: This program can perform a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
Trojan-Proxy: This program can launch a proxy server (SOCKS4) on a designated TCP port.
USBInfector: A program can register a device notification with the help of RegisterDeviceNotification. It is then notified when a USB device is plugged in, and the worm copies itself to the USB device plugged into the affected computer.


Process activity

The Virus creates the following process(es):

1cb1c464e0860e41443d45822193781c.exe:2600
1cb1c464e0860e41443d45822193781c.exe:2952
WINMINE.EXE:2636
WINMINE.EXE:3868
WINMINE.EXE:2692
WINMINE.EXE:3208
NOTEPAD.EXE:2604
NOTEPAD.EXE:744
NOTEPAD.EXE:2472
NOTEPAD.EXE:2884
NOTEPAD.EXE:444
NOTEPAD.EXE:3156
NOTEPAD.EXE:2508
NOTEPAD.EXE:3192
netsh.exe:3168
netsh.exe:2812

The Virus injects its code into the following process(es):

ctfmon.exe:252

File activity

The process 1cb1c464e0860e41443d45822193781c.exe:2600 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%WinDir%\system.ini (72 bytes)

The Virus deletes the following file(s):

C:\6f252 (0 bytes)
D:\6f659 (0 bytes)

Registry activity

The process ctfmon.exe:252 makes changes in the system registry.
The Virus deletes the following value(s) in the system registry:
The Virus disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

The process 1cb1c464e0860e41443d45822193781c.exe:2600 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\adm914]
"a4_0" = "0"

[HKCU\Software\adm914]
"a1_0" = "3432392762"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableRegistryTools" = "1"

[HKCU\Software\adm914\695404737]
"43014726" = "0600687474703A2F2F72656D61646F6E2E64652F6C6F676F732E67696600687474703A2F2F636F6E6E656374696E6764657374696E6174696F6E732E636F6D2F696D616765732F6C6F676F732E67696600687474703A2F2F6D616365646F6E69612E6D79312E72752F6D61696E682E67696600687474703A2F2F656C617377616E792E636F6D2F6C6F676F732E67696600687474703A2F2F65646D61747269782E75732F696D616765732F6D61696E662E67696600687474703A2F2F616472656E616C696E2E636F6D2E74722F696D616765732F6C6F676F732E676966"

[HKCU\Software\adm914\695404737]
"14338242" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\adm914\695404737]
"7169121" = "55"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKCU\Software\adm914\695404737]
"35845605" = "222"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKCU\Software\adm914\695404737]
"28676484" = "35"

[HKCU\Software\adm914]
"a3_0" = "17001001"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKCU\Software\adm914\695404737]
"50183847" = "7C67AF69FA1918A6CCB3A9D14C81D0B4E9330D0A41EEDA93432049E79EDFEE6AF904E6A1FF6AB716DCFA6EE6DBD3E4904B880341202D0399543E2C1830BFA4FC9B1B3A65BF98DF47A2E0D4E7C25542872DD801CE2CC737BCFFE9B2FC4AF20945AF09EF6CB77B3A2364548FFDB10E3993BBBD65D22686D6369049EA7E011E6B7F"

[HKCU\Software\adm914]
"a2_0" = "5517"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 6B 2E F2 1F 67 FA BA BD 8E 8A F4 A7 D2 3E D2"

[HKCU\Software\adm914\695404737]
"21507363" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableTaskMgr" = "1"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

Adds a rule to the Windows Firewall that allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"1cb1c464e0860e41443d45822193781c.exe" = "c:\1cb1c464e0860e41443d45822193781c.exe:*:Enabled:ipsec"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

The process 1cb1c464e0860e41443d45822193781c.exe:2952 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B EB 66 D8 EA 87 E5 BA 58 56 1D 56 7A D0 0D 37"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process WINMINE.EXE:2636 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 8A 7C CC CD BC 0A 92 64 CE FD 38 25 E9 55 68"

The process WINMINE.EXE:3868 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C D8 03 CA 50 96 28 EB C0 F0 ED F4 AC 31 9F C3"

The process WINMINE.EXE:2692 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 91 31 8C 38 71 64 BC D2 FC 79 AD B3 2F 35 EC"

The process WINMINE.EXE:3208 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 A0 FE AC 6D 5C B9 2D BE F2 BA F9 66 7E 0E AB"

The process NOTEPAD.EXE:2604 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 69 86 39 0C 45 6D 8D 93 D1 B9 B2 3B DB E5 31"

The process NOTEPAD.EXE:744 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 FB F4 05 87 9F 18 DD 50 7D D6 08 F6 0E A8 CB"

The process NOTEPAD.EXE:2472 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 18 32 0A CA AE 28 D7 18 CE C9 76 28 3A A3 10"

The process NOTEPAD.EXE:2884 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 10 FA DA 16 96 15 4B C6 85 79 CF 71 69 E9 45"

The process NOTEPAD.EXE:444 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 0F 62 61 4E B5 6F B4 04 0D 45 34 1A 32 E5 E9"

The process NOTEPAD.EXE:3156 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 70 B9 59 D7 97 63 88 B6 75 68 13 95 17 90 15"

The process NOTEPAD.EXE:2508 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 B1 2D FE A4 38 2B 3C 7F 95 9D E7 56 06 4F EA"

The process NOTEPAD.EXE:3192 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 10 45 80 05 FC 2A B6 FE C9 53 1B 2D 9E 95 09"

The process netsh.exe:3168 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 39 E1 18 1D 2D 33 73 68 EB 05 1F A0 EC 6A 8E"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

The process netsh.exe:2812 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 23 DD 29 2B 08 B8 97 84 6C 49 19 19 C0 85 DC"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Network activity (URLs)

No activity has been detected.

Rootkit activity

The Virus installs the following user-mode hooks in urlmon.dll:

URLDownloadToFileA
URLDownloadToFileW

The Virus installs the following user-mode hooks in WININET.dll:

InternetWriteFile
HttpSendRequestA
HttpSendRequestW

The Virus installs the following user-mode hooks in dnsapi.dll:

DnsQuery_A
DnsQuery_W

The Virus installs the following user-mode hooks in WS2_32.dll:

send
GetAddrInfoW

The Virus installs the following user-mode hooks in kernel32.dll:

MoveFileA
CopyFileW
CopyFileA
MoveFileW
CreateFileW
CreateFileA

The Virus installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread
ZwQueryDirectoryFile
ZwEnumerateValueKey

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
A program can register a device notification with the help of RegisterDeviceNotification. It is then notified when a USB device is plugged in, and the worm copies itself to the USB device plugged into the affected computer.
A worm can spread its copies through MSN Messenger.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan the system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    1cb1c464e0860e41443d45822193781c.exe:2600
    1cb1c464e0860e41443d45822193781c.exe:2952
    WINMINE.EXE:2636
    WINMINE.EXE:3868
    WINMINE.EXE:2692
    WINMINE.EXE:3208
    NOTEPAD.EXE:2604
    NOTEPAD.EXE:744
    NOTEPAD.EXE:2472
    NOTEPAD.EXE:2884
    NOTEPAD.EXE:444
    NOTEPAD.EXE:3156
    NOTEPAD.EXE:2508
    NOTEPAD.EXE:3192
    netsh.exe:3168
    netsh.exe:2812

  3. Delete the original Virus file.
  4. Delete or disinfect the following files created/modified by the Virus:

    %WinDir%\system.ini (72 bytes)

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
