File Investigation Report

NTASVR[n].EXE

Malware Downloader

PC Cleanup in 3 Easy Steps

Use Prevx 3.0 to remove NTASVR[n].EXE, along with any other viruses, spyware, adware, trojans, rootkits, worms, information stealers, keyloggers, bots, and other form of malicious threat that may reside on your PC.

Remove this Infection »

PC Magazine, Editors' Choice, May 2009

Think your PC might be Infected? Scan Now Prevx 3.0 will scan your PC in seconds to inform you whether your PC is clean or infected.
Malware Removal Prevx 3.0 removes adware infections for free. More complicated infections require purchase of a malware removal license.
Expert Assistance In the rare occurence that Prevx 3.0 malware removal fails - a Prevx Engineer will connect to your PC and manually disinfect.
Money Back Guarantee for Individual Users If within the first 14 days, the Prevx Engineer finds it impossible to clean an infection from your PC, we give you your money back.

Associated Malware Groups

The unsafe files using this name are associated with the malware group:

Malware Downloader

File Behavior

NTASVR[n].EXE has been seen to perform the following behavior:

Downloads hidden code from covert web sites
Downloads program file(s) and other content from the web
Looks at the contents of the autoexec.bat file
Reads email address and phone book details
Visits web sites on your PC without you knowing
Adds a Registry Key (RUN) to auto start Programs on system start up
Executes a Process
The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
Can communicate with other computer systems using HTTP protocols
Registers a Dynamic Link Library File
Adds products to the system registry
Writes to another Process's Virtual Memory (Process Hijacking)
This Process Deletes Other Processes From Disk
This process creates other processes on disk

NTASVR[n].EXE has been the subject of the following behavior:

Added as a Registry auto start to load Program on Boot up
Created as a new Background Service on the machine
Executed as a Process
This program is often downloaded from the web
Created as a process on disk
Has code inserted into its Virtual Memory space by other programs
Downloaded from covert web sites without the user knowing

Country Of Origin

The filename NTASVR[n].EXE was first seen on Jun 24 2008 in the following geographical regions of the Prevx community:

Korea, Republic of on Jun 24 2008
Spain on Jun 24 2008

File Name Aliases

NTASVR[n].EXE can also use the following file name:

NTASVR.EXE
NTASVR[1].EXE
56291951.EXE

Filesizes

The following file size has been seen:

140,664 bytes
320,992 bytes

File Type

The filename NTASVR[n].EXE refers to many versions of an executable program.

File Activity

One or more files with the name NTASVR[n].EXE creates, deletes, copies or moves the following files and folders:

Opens/modifes c:\autoexec.bat

Website Activity

One or more files with the name NTASVR[n].EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

211 .234 .239 .48 / upload / autosearch_n / klv .ini
211 .234 .239 .48 / upload / autosearch_n / efver .ini
TCP:127.0.0.1:1097 Port:19
Port 80 IP:211.234.239.48
Port 80 IP:203.226.255.215

PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.