File Behavior
595561983.EXE has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- Modifies Windows Security Policies to restrict/expand User Privileges on the machine
- Adds a Registry Key (RUN) to auto start Programs on system start up
- Adds products to the system registry
- Modifies the Windows Built in Screen Saver
- Executes a Process
- This process creates other processes on disk
- This process deletes other processes from disk
- Can communicate with other computer systems using HTTP protocols
- Writes to another Process's Virtual Memory (Process Hijacking)
- Looks at the contents of the autoexec.bat file
- Reads email address and phone book details
- Visits web sites on your PC without you knowing
595561983.EXE has been the subject of the following behavior:
- Created as a process on disk
- Executed as a Process
- Has code inserted into its Virtual Memory space by other programs
- Added as a Registry auto start to load Program on Boot up
Country Of Origin
The filename 595561983.EXE was first seen on Jul 25 2008 in the following geographical regions of the Prevx community:
- The United States on Jul 25 2008
- Spain on Jul 25 2008
File Name Aliases
595561983.EXE can also use the following file names:
- LPHC9Q8J0EACE.EXE
- SCAN25[1].EXE
- OZERPTB.TMP
Filesizes
This file has been seen with the following file size:
Vendor, Product and Version Information
This file has no vendor, product or version information specified in the file header.
File Type
The filename 595561983.EXE refers to an executable program.
File Activity
One or more files with the name 595561983.EXE create, delete, copy or move the following files and folders:
- Creates c:\windows\system32\phc9q8j0eace.bmp
- Deletes c:\windows\system32\lphc9q8j0eace.exe
- Creates c:\documents and settings\user\local settings\temp\.tt7
- Deletes c:\documents and settings\user\local settings\temp\.tt7
- Creates c:\windows\system32\blphc9q8j0eace.scr
- Opens/modifies c:\autoexec.bat
- Deletes c:\documents and settings\user\local settings\temp\.ttB
Registry Activity
One or more files with the name 595561983.EXE create or modify the following registry keys and values:
- HKEY_CURRENT_USER\Control Panel\Colors Background 0 0 255
- HKEY_CURRENT_USER\Control Panel\Desktop WallpaperStyle 0
- HKEY_CURRENT_USER\Control Panel\Desktop TileWallpaper 0
- HKEY_CURRENT_USER\Control Panel\Desktop Wallpaper C:\WINDOWS\system32\phc9q8j0eace.bmp
- HKEY_CURRENT_USER\Control Panel\Desktop OriginalWallpaper C:\WINDOWS\system32\phc9q8j0eace.bmp
- HKEY_CURRENT_USER\Control Panel\Desktop ConvertedWallpaper C:\WINDOWS\system32\phc9q8j0eace.bmp
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System NoDispBackgroundPage value:
- HKEY_CURRENT_USER\Control Panel\Desktop SCRNSAVE.EXE C:\WINDOWS\system32\blphc9q8j0eace.scr
- HKEY_CURRENT_USER\Control Panel\Desktop ScreenSaveActive 1
- HKEY_CURRENT_USER\Control Panel\Desktop ScreenSaveTimeOut 600
- HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver EulaAccepted value:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System NoDispScrSavPage value:
Website Activity
One or more files with the name 595561983.EXE interact with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- windowsupdate .microsoft .com
- avxp-08 .c
- Port 80 IP:207.46.225.221