EXCLUSIVEMOVIE.1116[n].EXE

Cloaked Malware

Your PC is infected. The file called EXCLUSIVEMOVIE.1116[n].EXE is considered unsafe and there may be other infections on your PC.

You should urgently check your PC and remove any malicious software including EXCLUSIVEMOVIE.1116[n].EXE as soon as possible. The free version of Prevx 3.0 will scan your PC for millions of spyware and malware infections in less than 2 minutes. Don't put your confidential data, or your identity at risk, check your PC now with Prevx 3.0.

Download Prevx 3.0 now »

Associated Malware Groups

The filename is associated with the malware group:

Cloaked Malware

File Behavior

EXCLUSIVEMOVIE.1116[n].EXE has been seen to perform the following behavior:

Executes a Process
Looks at the contents of the autoexec.bat file
Reads email address and phone book details
Visits web sites on your PC without you knowing

EXCLUSIVEMOVIE.1116[n].EXE has been the subject of the following behavior:

Created as a process on disk
Executed as a Process
Deleted as a process from disk
Executed by Internet Explorer

Country Of Origin

The filename EXCLUSIVEMOVIE.1116[n].EXE was first seen on Dec 21 2008 in the following geographical region of the Prevx community:

Europe on Dec 21 2008

File Name Aliases

EXCLUSIVEMOVIE.1116[n].EXE can also use the following file names:

EXCLUSIVEMOVIE.1565.EXE
EXCLUSIVEMOVIE.103[n].EXE
EXCLUSIVEMOVIE.103.EXE
DC6.EXE
EXCLUSIVEMOVIE.1518[n].EXE
EXCLUSIVEMOVIE.1458[n].EXE
EXCLUSIVEMOVIE.1531[n].EXE
EXCLUSIVEMOVIE.1019[n].EXE
EXCLUSIVEMOVIE.1401[n].EXE
EXCLUSIVEMOVIE.1458.EXE
EXCLUSIVEMOVIE.1036[n].EXE
EXCLUSIVEMOVIE.316.EXE
EXCLUSIVEMOVIE.316(n).EXE
EXCLUSIVEMOVIE.98[n].EXE
EXCLUSIVEMOVIE.1555[n].EXE
TUBEVIEWER.95.EXE
EXCLUSIVEMOVIE.321[n].EXE
EXCLUSIVEMOVIE.1140[n].EXE
EXCLUSIVEMOVIE.1140.EXE
EXCLUSIVEMOVIE.11410.EXE
EXCLUSIVEMOVIE.11401.EXE
EXCLUSIVEMOVIE.11402.EXE
EXCLUSIVEMOVIE.135.EXE
MOVIECODEC.1167[n].EXE
EXCLUSIVEMOVIE.321.EXE
EXCLUSIVEMOVIE.145[n].EXE
EXCLUSIVEMOVIE.1555.EXE

Filesizes

This file has been seen with the following file size:

65,024 bytes

Vendor, Product and Version Information

This file has no vendor, product or version information specified in the file header.

File Type

The filename EXCLUSIVEMOVIE.1116[n].EXE refers to an executable program.

File Activity

One or more files with the name EXCLUSIVEMOVIE.1116[n].EXE creates, deletes, copies or moves the following files and folders:

Opens/modifes c:\autoexec.bat
Creates c:\docume~1\user\locals~1\temp\yyy15794.exe
Creates c:\docume~1\user\locals~1\temp\yyy15801.ex
Creates c:\docume~1\user\locals~1\temp\yyy15817.exe
Creates c:\docume~1\user\locals~1\temp\~tmpa.exe
Creates c:\docume~1\user\locals~1\temp\~tmpb.exe
Creates c:\docume~1\user\locals~1\temp\~tmpc.exe
Creates c:\docume~1\user\locals~1\temp\~tmpd.exe
Creates c:\docume~1\user\locals~1\temp\~tmpe.exe
Deletes c:\docume~1\user\locals~1\temp\nsy11.tmp
Deletes c:\docume~1\user\locals~1\temp\nsy13.tmp
Creates c:\docume~1\user\locals~1\temp\nsy13.tmp\f1
Creates c:\docume~1\user\locals~1\temp\nsy13.tmp\f2
Deletes c:\windows\system32
Creates c:\windows\system32\msxml71.dll
Deletes c:\docume~1\user\locals~1\temp\nsw1B.tmp
Creates c:\docume~1\user\locals~1\temp\nsw1D.tmp
Deletes c:\docume~1\user\locals~1\temp\nsm1F.tmp
Creates c:\docume~1\user\locals~1\temp\nsm1f.tmp\System.dll
Creates c:\windows\system32\fekcbvtzyrinzioeq.dll
Creates c:\windows\system32\vkvqwiscxwofbzlh.exe
Deletes c:\docume~1\user\locals~1\temp\act_key
Deletes c:\docume~1\user\locals~1\temp\nsm1f.tmp\System.dll
Creates c:\docume~1\user\locals~1\temp\~tmpb.exe
Deletes c:\windows\system32\6L4ijI7y.exe
Moves c:\windows\system32\6L4ijI7y.exe to c:\windows\system32\6L4ijI7y.exe
Creates c:\windows\system32\6L4ijI7y.exe
Copies filec:\docume~1\user\locals~1\temp\~tmpc.exe to c:\windows\system32\6L4ijI7y.exe
Deletes c:\docume~1\user\locals~1\temp\nsd33.tmp
Creates c:\docume~1\user\locals~1\temp\nsi35.tmp
Deletes c:\docume~1\user\locals~1\temp\nst37.tmp
Creates c:\docume~1\user\locals~1\temp\nst37.tmp\System.dll
Creates c:\windows\system32\ofknnknywneejn.dll
Deletes c:\docume~1\user\locals~1\temp\u0dJK7lA.dat
Creates c:\docume~1\user\locals~1\temp\u0dJK7lA.dat

Registry Activity

One or more files with the name EXCLUSIVEMOVIE.1116[n].EXE creates or modifies the following registry keys and values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run MSFox C:\DOCUME~1\user\LOCALS~1\Temp\yyy15794.exe
HKEY_CURRENT_USER\Software\AppDataLow\Software\{F297CC27-B148-D361-9726-64D7A987D7F6} aff_id offersfortoday
HKEY_CURRENT_USER\Software\CrucialSoft Ltd\Installer InstallDate [REG_BINARY, size: 8 bytes]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Drivers\Video\Options 4E8D9EBF-122C-42BD-A8CB-7E59C9CC08BA
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run InstallProgram C:\DOCUME~1\user\LOCALS~1\Temp\yyy15817.exe
HKEY_CURRENT_USER\Software\CrucialSoft Ltd\MS AntiSpyware 2009 lid -1
HKEY_CURRENT_USER\Software\CrucialSoft Ltd\MS AntiSpyware 2009 pid 200002
HKEY_CURRENT_USER\Software\CrucialSoft Ltd\MS AntiSpyware 2009 psid 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Cognac C:\DOCUME~1\user\LOCALS~1\Temp\~tmpb.exe
HKEY_CURRENT_USER\Software\Cognac s00000000
HKEY_CURRENT_USER\Software\Cognac s00000001
HKEY_CURRENT_USER\Software\Cognac d00000004 [REG_DWORD, value: 00015180]
HKEY_CURRENT_USER\Software\Cognac d00000006 value:
HKEY_CURRENT_USER\Software\Cognac d00000002 [REG_DWORD, value: 01C96450]
HKEY_CURRENT_USER\Software\Cognac d00000003 [REG_DWORD, value: E74A5760]
HKEY_CURRENT_USER\Software\Cognac d00000006 value:
HKEY_CURRENT_USER\Software\Cognac s00000002 xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Ek/n4gL8s8xs9LeD5KQVh3/j/c=
HKEY_CURRENT_USER\Software\Cognac d00000006 value:
HKEY_CURRENT_USER\Software\Cognac d00000000 [REG_DWORD, value: 01C96387]
HKEY_CURRENT_USER\Software\Cognac d00000001 [REG_DWORD, value: CEBFC960]
HKEY_CURRENT_USER\Software\Cognac d00000000 [REG_DWORD, value: 01C96388]
HKEY_CURRENT_USER\Software\Cognac d00000001 [REG_DWORD, value: 076213E0]
HKEY_CURRENT_USER\Software\Cognac d00000000 [REG_DWORD, value: 01C96389]
HKEY_CURRENT_USER\Software\Cognac d00000001 [REG_DWORD, value: D3026A30]
HKEY_CURRENT_USER\Software\Cognac d00000006 value:
HKEY_CURRENT_USER\Software\Cognac d00000006 value:
HKEY_CURRENT_USER\Software\Cognac d00000001 [REG_DWORD, value: CFBEE9E0]
HKEY_CURRENT_USER\Software\Cognac d00000001 [REG_DWORD, value: FF7062E0]
HKEY_CURRENT_USER\Software\Cognac d00000001 [REG_DWORD, value: 6D885390]
HKEY_CURRENT_USER\Software\Cognac d00000006 value:
HKEY_CURRENT_USER\Software\Cognac d00000006 value:
HKEY_CURRENT_USER\Software\Cognac d00000001 [REG_DWORD, value: D08260F0]
HKEY_CURRENT_USER\Software\Cognac d00000001 [REG_DWORD, value: 0F6466B0]
HKEY_CURRENT_USER\Software\Cognac d00000001 [REG_DWORD, value: 7AAEB870]
HKEY_CURRENT_USER\Software\Cognac d00000006 value:
HKEY_CURRENT_USER\Software\Cognac d00000006 value:
HKEY_CURRENT_USER\Software\Cognac d00000001 [REG_DWORD, value: D3016AB0]
HKEY_CURRENT_USER\Software\Cognac d00000001 [REG_DWORD, value: 0B0B1EB0]
HKEY_CURRENT_USER\Software\Cognac d00000001 [REG_DWORD, value: 76129B10]
HKEY_CURRENT_USER\Software\Cognac d00000006 value:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main DisableScriptDebuggerIE yes
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Error Dlg Displayed On Every Error no

Website Activity

One or more files with the name EXCLUSIVEMOVIE.1116[n].EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

dasgdasg .com / script432543543 .php?id=94333695&adv=0&uid=5cc50f95d41d8cd98f00b204e9800998ecf8427e
dasgdasg .com / file432543543 .php?id=94333695&adv=0&uid=5cc50f95d41d8cd98f00b204e9800998ecf8427e
humorbestimages .com / addon / video0 .cfg
lyox-lib .com / addon / video0 .cfg
85 .92 .157 .141 / plus / offersfortoday / get_file .php
files .msas2009dl .com / test / setup_200002 .exe
Port 80 IP:91.205.96.12
Port 80 IP:94.247.2.117
Port 80 IP:193.142.244.39
Port 80 IP:85.92.157.141
Port 80 IP:94.247.2.84