AV[n].EXE

Cloaked Malware

Free PC Cleanup from Webroot

Use Webroot SecureAnywhere to remove AV[n].EXE.

"Just when you thought it couldn't get any better or faster. The Webroot scanning engine is 'high octane' with a hidden nitrous oxide system. Bravo!!!" W. Lodzinski, SecureAnywhere User

Get Free PC Cleanup

Associated Malware Groups

The unsafe files using this name are associated with the malware groups:

Cloaked Malware
Worm

File Behavior

AV[n].EXE has been seen to perform the following behavior:

Executes a Process
This process creates other processes on disk
Opens browser pop ups
Found on infected systems and resists interrogation by security products
Registers a Dynamic Link Library File
Looks at the contents of the autoexec.bat file
Reads email address and phone book details
Visits web sites on your PC without you knowing
The Process is packed and/or encrypted using a software packing process
The Process is polymorphic and can change its structure

AV[n].EXE has been the subject of the following behavior:

Executed as a Process
Copied to multiple locations on the system
Added as a Registry auto start to load Program on Boot up
Created as a process on disk
Registered as a Dynamic Link Library File

Country Of Origin

The filename AV[n].EXE was first seen on Jul 15 2007 in the following geographical regions of the Webroot community:

Singapore on Jul 15 2007
Spain on Jul 15 2007
Canada on Jan 26 2009
Germany on May 15 2009
Europe on Sep 21 2009

File Name Aliases

AV[n].EXE can also use the following file names:

AVALL[n].EXE
SRFNSFGBSVDSAFGGRTYMUJTGB43.EXE
LISER.EXE
MGYJ6HESJE4SGHSRGSNDSDHUJJA43.EXE
FYJHE4RHTSERJRTJAEGWVV43.EXE
DTHSERKY4Y5HAEEBGJNEW43.EXE
NGMMNBHFSSEREJKTYISTE4DEH43.EXE
JKIO965HGWT43QAWHGEFHAEWQQF43.EXE
VRT9.TMP
VRT2.TMP
VRT1.TMP
VRT131.TMP
PASSCMD[1].EXE
RDL50.TMP
RDL1D6.TMP
RDL3C.TMP
LDR.EXE
AV[1].EXE
22[n].EXE
AV.EXE
730970.EXE
35550.EXE
1180177356.EXE

Filesizes

The following file size has been seen:

4,664,073 bytes
61,440 bytes
77,323 bytes
101,700 bytes
269,824 bytes
57,344 bytes
69,632 bytes
49,102 bytes

File Type

The filename AV[n].EXE is used by multiple object types including executable programs,objects.

File Activity

One or more files with the name AV[n].EXE creates, deletes, copies or moves the following files and folders:

Opens/modifes c:\autoexec.bat
Creates c:\documents and settings\all users\application data\crucialsoft ltd\ms antispyware 2009\msas2009.exe
Creates c:\documents and settings\user\start menu\programs\ms antispyware 2009\MS AntiSpyware 2009.lnk

Website Activity

One or more files with the name AV[n].EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

int .proreportms1 .com / stat .php?func=installrun&id=200091&landing=-1&lang=EN&sub=0
dl .ms-scan-antiviral .com / get / ?pin=200091&lnd=-1&type=main
Remote server connection to dl .ms-scan-antiviral .co
Port 80 IP:94.247.2.133
Port 80 IP:78.26.179.239

Help the Webroot Community to fight cyber crime

We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.

The filename referred to in this report is often associated with PC infections. If you have a program of this name on your PC and would like to help our research please tell us what you know in the form below:

I have this file on my PC and believe it is an infection
I have this file on my PC and think it has made my PC slower
My firewall asked if I wanted to let this file have access to the Internet
My PC will not work since I noticed this file on it
My antivirus detected this file but won't remove it
I know what this file is and believe it is a Safe program
I am the author of this file and would like to discuss how to have it reclassified as safe

Further Comments or information you'd like to share: (optional)

Your email address if you would like us to contact you about this file and any concerns you may have: (optional)

Virus, Spyware & Malware Center »