Associated Malware Groups
The unsafe files using this name are associated with the malware group:
File Behavior
19[1].EXE has been seen to perform the following behavior:
- This Process Deletes Other Processes From Disk
- This Process Creates Other Processes On Disk
- Registers a Dynamic Link Library File
- The Process is packed and/or encrypted using a software packing process
- Writes to another Process's Virtual Memory (Process Hijacking)
- Executes a Process
- Modifies Windows Initialization And System Settings Used On Startup
- Adds a Registry Key (RUN) to auto start Programs on system startup
- The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
19[1].EXE has been the subject of the following behavior:
- Executed as a Process
- Created as a process on disk
- Has code inserted into its Virtual Memory space by other programs
- Deleted as a process from disk
Country Of Origin
The filename 19[1].EXE was first seen on Sep 23 2007 in the following geographical regions of the Prevx community:
- CHINA on Sep 23 2007
- SPAIN on Oct 19 2007
- HONG KONG on Feb 3 2008
- The UNITED KINGDOM on Mar 30 2008
File Name Aliases
19[1].EXE can also use the following file names:
- 24[1].EXE
- 19.EXE
- 04863843.DAT
- 21210529.DAT
- 79561808.SVD
- 93117027.EXE
Filesizes
The following file sizes have been seen:
- 17,660 bytes
- 357,888 bytes
- 14,116 bytes
- 3,247,083 bytes
- 39,729 bytes
Vendor, Product and Version Information
Files with the name 19[1].EXE have been seen to have the following Vendor, Product and Version Information in the file header:
- Microsoft; system event loader; 3.0.3
File Type
The filename 19[1].EXE refers to many versions of an executable program.
File Activity
One or more files with the name 19[1].EXE create, delete, copy or move the following files and folders:
- Deletes c:\windows\system32\duygnef.dll
- Deletes c:\docume~1\user\locals~1\temp\tmp8.tmp
- Moves c:\windows\system32\duygnef.dll to c:\docume~1\user\locals~1\temp\tmp8.tmp
- Creates c:\windows\system32\duygnef.dll
- Deletes c:\windows\system32\msepion.sys
- Deletes c:\windows\system32\drivers\msaclue.sys
- Creates c:\name.lo
- Deletes c:\docume~1\user\locals~1\temp\tmpD.tmp
- Creates c:\docume~1\user\locals~1\temp\tmpD.tmp
- Deletes c:\docume~1\user\locals~1\temp\tmp10.tmp
- Moves c:\docume~1\user\locals~1\temp\tmpD.tmp to c:\docume~1\user\locals~1\temp\tmp10.tmp
- Deletes c:\docume~1\user\locals~1\temp\tmp13.tmp
- Creates c:\docume~1\user\locals~1\temp\tmp13.tmp
- Deletes c:\docume~1\user\locals~1\temp\tmp16.tmp
- Moves c:\docume~1\user\locals~1\temp\tmp13.tmp to c:\docume~1\user\locals~1\temp\tmp16.tmp
- Deletes c:\docume~1\user\locals~1\temp\tmp19.tmp
- Creates c:\docume~1\user\locals~1\temp\tmp19.tmp
- Deletes c:\docume~1\user\locals~1\temp\tmp1C.tmp
- Moves c:\docume~1\user\locals~1\temp\tmp19.tmp to c:\docume~1\user\locals~1\temp\tmp1C.tmp
- Deletes c:\docume~1\user\locals~1\temp\tmp1F.tmp
- Creates c:\docume~1\user\locals~1\temp\tmp1F.tmp
- Deletes c:\docume~1\user\locals~1\temp\tmp22.tmp
- Moves c:\docume~1\user\locals~1\temp\tmp1F.tmp to c:\docume~1\user\locals~1\temp\tmp22.tmp
- Deletes c:\docume~1\user\locals~1\temp\tmp25.tmp
- Creates c:\docume~1\user\locals~1\temp\tmp25.tmp
- Deletes c:\docume~1\user\locals~1\temp\tmp28.tmp
- Moves c:\docume~1\user\locals~1\temp\tmp25.tmp to c:\docume~1\user\locals~1\temp\tmp28.tmp