Associated Malware Groups
The unsafe files using this name are associated with the malware groups:
File Behavior
ARJ.EXE has been seen to perform the following behavior:
- This Process Deletes Other Processes From Disk
- Registers a Dynamic Link Library File
- This Process is a file infector which modifies program files to include a copy of the infection
- Drops known malicious software during execution
- Includes file creation code which could be used to test for interception by security products
- Found on infected systems and resists interrogation by security products
- Uses low level functions to hide itself from the user and from system/security processes
ARJ.EXE has been the subject of the following behavior:
- Executed as a Process
- Deleted as a process from disk
- Created by processes which appear to be checking for interception by security products
Country Of Origin
The filename ARJ.EXE was first seen on Jun 7 2007 in the following geographical regions of the Webroot community:
- Korea, Republic of on Jun 7 2007
- Russian Federation on Jun 7 2007
- Hungary on Feb 29 2008
- Croatia on Feb 29 2008
- Sweden on Mar 9 2008
- Spain on Mar 9 2008
- Portugal on Oct 21 2008
- Uruguay on Oct 21 2008
- Italy on Apr 30 2009
- Romania on Sep 8 2009
- Turkey on May 22 2012
File Name Aliases
ARJ.EXE can also use the following file names:
Filesizes
The following file sizes have been seen:
- 284,421 bytes
- 32,768 bytes
- 218,098 bytes
- 100,881 bytes
- 301,544 bytes
- 273,838 bytes
- 158,803 bytes
File Type
The filename ARJ.EXE is used by multiple object types, including objects and executable programs.
File Activity
One or more files with the name ARJ.EXE create, delete, copy or move the following files and folders:
- Creates folder C:\WINDOWS\uninstall\
- Creates c:\windows\uninstall\rundl132.exe
- Creates c:\windows\Logo1_.exe
- Deletes c:\docume~1\user\locals~1\temp\$$aB.bat
- Creates c:\docume~1\user\locals~1\temp\$$aB.bat
- Creates c:\windows\RichDll.dll
- Creates c:\_desktop.ini
- Deletes c:\PREVXEDGEFREE.EXE
- Creates c:\PREVXEDGEFREE.EXE
- Moves c:\PREVXEDGEFREE.EXE to c:\PREVXEDGEFREE.EXE
- Deletes c:\mbr\scan.exe
- Creates c:\mbr\scan.exe
- Moves c:\mbr\scan.exe to c:\mbr\scan.exe
- Deletes c:\program files\ati technologies\uninstallall\AtiCimUn.exe
- Creates c:\program files\ati technologies\uninstallall\AtiCimUn.exe
- Moves c:\program files\ati technologies\uninstallall\AtiCimUn.exe to c:\program files\ati technologies\uninstallall\AtiCimUn.exe
- Deletes c:\program files\intel\ncs2\wmiprov\ncs2prov.exe
- Creates c:\program files\intel\ncs2\wmiprov\ncs2prov.exe
- Moves c:\program files\intel\ncs2\wmiprov\ncs2prov.exe to c:\program files\intel\ncs2\wmiprov\ncs2prov.exe
- Deletes c:\program files\intel\ncs2\wmiprov\NCSDiag.exe
- Creates c:\program files\intel\ncs2\wmiprov\NCSDiag.exe
- Moves c:\program files\intel\ncs2\wmiprov\NCSDiag.exe to c:\program files\intel\ncs2\wmiprov\NCSDiag.exe
- Deletes c:\program files\msn\msncorefiles\install\msnsusii.exe
- Creates c:\program files\msn\msncorefiles\install\msnsusii.exe
- Moves c:\program files\msn\msncorefiles\install\msnsusii.exe to c:\program files\msn\msncorefiles\install\msnsusii.exe
- Deletes c:\program files\msn\msncorefiles\install\msn9components\Digcore.exe
- Creates c:\program files\msn\msncorefiles\install\msn9components\Digcore.exe
- Moves c:\program files\msn\msncorefiles\install\msn9components\Digcore.exe to c:\program files\msn\msncorefiles\install\msn9components\Digcore.exe
- Deletes c:\program files\msn\msncorefiles\install\msn9components\Msncli.exe
- Creates c:\program files\msn\msncorefiles\install\msn9components\Msncli.exe
- Moves c:\program files\msn\msncorefiles\install\msn9components\Msncli.exe to c:\program files\msn\msncorefiles\install\msn9components\Msncli.exe
- Deletes c:\program files\realtek\installshield\ChCfg.exe
- Creates c:\program files\realtek\installshield\ChCfg.exe
- Moves c:\program files\realtek\installshield\ChCfg.exe to c:\program files\realtek\installshield\ChCfg.exe
- Deletes c:\program files\realtek\installshield\RtlUpd.exe
- Creates c:\program files\realtek\installshield\RtlUpd.exe
- Moves c:\program files\realtek\installshield\RtlUpd.exe to c:\program files\realtek\installshield\RtlUpd.exe
- Deletes c:\program files\realtek\installshield\RtlUpd64.exe
- Creates c:\program files\realtek\installshield\RtlUpd64.exe
- Moves c:\program files\realtek\installshield\RtlUpd64.exe to c:\program files\realtek\installshield\RtlUpd64.exe
- Deletes c:\program files\winpcap\rpcapd.exe
- Creates c:\program files\winpcap\rpcapd.exe
- Moves c:\program files\winpcap\rpcapd.exe to c:\program files\winpcap\rpcapd.exe
- Deletes c:\program files\winpcap\Uninstall.exe
- Creates c:\program files\winpcap\Uninstall.exe
- Moves c:\program files\winpcap\Uninstall.exe to c:\program files\winpcap\Uninstall.exe
- Deletes c:\windows\temp\scs12.tmp
- Deletes c:\windows\temp\scs25.tmp
- Creates c:\docume~1\user\locals~1\temp\44a7_appcompat.txt
- Creates c:\docume~1\user\locals~1\temp\24B09.dmp