Disagree with this determination?
YOD4PWE4.EXE
Malicious SoftwareYour PC is infected. The file called YOD4PWE4.EXE is considered unsafe and there may be other infections on your PC.
You should urgently check your PC and remove any malicious software including YOD4PWE4.EXE as soon as possible. The free version of Prevx 3.0 will scan your PC for millions of spyware and malware infections in less than 2 minutes. Don't put your confidential data, or your identity at risk, check your PC now with Prevx 3.0.
Associated Malware Groups
The filename is associated with the malware group:
- Malicious Software
File Behavior
YOD4PWE4.EXE has been seen to perform the following behavior:
- Executes a Process
- The Process is packed and/or encrypted using a software packing process
- Can communicate with other computer systems using HTTP protocols
- Looks at the contents of the autoexec.bat file
- Reads email address and phone book details
- Visits web sites on your PC without you knowing
YOD4PWE4.EXE has been the subject of the following behavior:
- Executed as a Process
- Created as a process on disk
- Executed from Temporary Folders
- Has code inserted into its Virtual Memory space by other programs
Country Of Origin
The filename YOD4PWE4.EXE was first seen on Feb 27 2008 in the following geographical region of the Prevx community:
- CANADA on Feb 27 2008
File Name Aliases
YOD4PWE4.EXE can also use the following file names:
- ACRG637V.EXE
- 89283636.EXE
- WWXO6CCR.EXE
- T2K25N4D.EXE
- BC78MNHE.EXE
- 7G6C4RQG.EXE
- 6T2LJ15W.EXE
- NGDR2HL7.EXE
- SS16UWJ2.EXE
- PP8N2OHX.EXE
- CHU7G84T.EXE
- O5D73VYT.EXE
- MDS4V0FL.EXE
- 0BBSS2R2.EXE
- M71O7INU.EXE
- EA80KJUY.EXE
- DC227-BE9E7B70.EXE
- 08Q8YU80.EXE
- A8L38DE0.EXE
- TMVT6V8N.EXE
- EKMM74PV.EXE
- 23093164.SVD
Filesizes
This file has been seen with the following file size:
- 69,632 bytes
Vendor, Product and Version Information
This file has no vendor, product or version information specified in the file header.
File Type
The filename YOD4PWE4.EXE refers to an executable program.
File Activity
One or more files with the name YOD4PWE4.EXE creates, deletes, copies or moves the following files and folders:
- Opens/modifes c:\autoexec.bat
- Creates c:\docume~1\user\locals~1\temp\61ab_appcompat.txt
- Creates c:\docume~1\user\locals~1\temp\ie6EE1.tmp
- Creates c:\docume~1\user\locals~1\temp\174AE.dmp
Registry Activity
One or more files with the name YOD4PWE4.EXE creates or modifies the following registry keys and values:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main DisableScriptDebuggerIE yes
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Error Dlg Displayed On Every Error no
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main CompatibilityFlags value:
- HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d} Enable value:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main FullScreen no
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Window_Placement [REG_BINARY, size: 44 bytes]
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar Locked value:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard ShellNext http://194.126.193.161/t/nnn.php
- HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard Completed [REG_BINARY, size: 4 bytes]
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Zoom ZoomFactor [REG_DWORD, value: 000186A0]
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F\Smart Screen DAT file Smart Screen DAT hash [REG_BINARY, size: 236 bytes]
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F UserFile [REG_BINARY, size: 79044 bytes]
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
- HKEY_CURRENT_USER\Software\Microsoft\CTF\Sapilayr ProfileInitialized value:
- HKEY_CURRENT_USER\Software\Microsoft\CTF\Sapilayr ProfileInitialized value:
- HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000409\{09EA4E4B-46CE-4469-B450-0DE76A435BBB} Enable value:
- HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000809\{09EA4E4B-46CE-4469-B450-0DE76A435BBB} Enable value:
Website Activity
One or more files with the name YOD4PWE4.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- 194 .126 .193 .120 / ping .php / 21 / 405
- 194 .126 .193 .120 / ping .php / 21 / 100
- Port 80 IP:194.126.193.120
- TCP:127.0.0.1:1046 Port:27
- Port 80 IP:194.126.193.161