File Behavior
D226[1].EXE has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- Adds Products to the system registry
- Adds a Registry Key (RUN) to auto start Programs on system start up
- Can communicate with other computer systems using HTTP protocols
- Writes to another Process's Virtual Memory (Process Hijacking)
- This Process Creates Other Processes On Disk
- Looks at the contents of the autoexec.bat file
- Reads email address and phone book details
- Visits web sites on your PC without you knowing
- This Process is a file infector which modifies program files to include a copy of the infection
- Executes a Process
- This Process Deletes Other Processes From Disk
D226[1].EXE has been the subject of the following behavior:
- Added as a Registry auto start to load Program on Boot up
- Has code inserted into its Virtual Memory space by other programs
- Terminated as a Process
- Executed as a Process
- Created as a process on disk
- Executed from Temporary Folders
- Deleted as a process from disk
Country Of Origin
The filename D226[1].EXE was first seen on Jul 17 2008 in the following geographical regions of the Prevx community:
- NETHERLANDS on Jul 17 2008
- SPAIN on Jul 17 2008
File Name Aliases
D226[1].EXE can also use the following file names:
- SMCHK.EXE
- 73155597.SVD
- EDTBFWB.TMP
- 73726283.EXE
- 61538636.DAT
- 70132938.EXE
- 25109872.DAT
- 33195777.DAT
- 54689067.EXE
- SMCHK.EXE__DELETE_ON_REBOOT
- TEMP/TEMP/D226[1].EXE3
- TEMP/TEMP/SMCHK.EXE3
- 92167275.EXE
Filesizes
The following file sizes have been seen:
- 119,190 bytes
- 52,736 bytes
Vendor, Product and Version Information
These files have no vendor, product or version information specified in the file header.
File Type
The filename D226[1].EXE refers to many versions of an executable program.
File Activity
One or more files with the name D226[1].EXE create, delete, copy or move the following files and folders:
- Opens/modifies c:\autoexec.bat
Registry Activity
One or more files with the name D226[1].EXE create or modify the following registry keys and values:
- HKEY_CURRENT_USER\Software\SecuriSoft SARL\Installer InstallDate [REG_BINARY, size: 8 bytes]
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Drivers\Video\Options 4E8D9EBF-122C-42BD-A8CB-7E59C9CC08BA
- HKEY_CURRENT_USER\Software\SecuriSoft SARL\WinSpywareProtect lid -1
- HKEY_CURRENT_USER\Software\SecuriSoft SARL\WinSpywareProtect pid 226
Website Activity
One or more files with the name D226[1].EXE interact with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- int .wspreprt .com / stat .php?func=installrun&id=226&landing=-1&lang=EN
- dl .wspdl .com / inst / Install_226_1_ .exe
- Port 80 IP:85.255.119.154
- Port 80 IP:85.255.119.133