LOTUSHLP.EXE - Dangerous
What you should do about LOTUSHLP.EXE:
Check Your PC Now
Your PC is infected. The file called LOTUSHLP.EXE is considered unsafe and there may be other infections on your PC.
You should urgently check your PC and remove any malicious software including LOTUSHLP.EXE as soon as possible. The free version of Prevx CSI will scan your PC for millions of spyware and malware infections in less than 2 minutes. Don't take the risk, check your PC now by clicking the green button.
Who Uses Prevx CSI?
Prevx has been detecting the threats that others miss since 2004.
More than 2,050,586 people have scanned with Prevx CSI and between them have checked 29.1 billion files. 65% of the PCs scanned had malware present.
What we know about LOTUSHLP.EXE:
The filename LOTUSHLP.EXE was first seen on Nov 9 2007 in CANADA. It has also been seen in the following geographical regions of the Prevx community:
- SPAIN on Nov 16 2007
- The EUROPEAN UNION on Dec 8 2007
- CHINA on Nov 16 2007
- The UNITED KINGDOM on Jan 10 2008
- TAIWAN on Jan 9 2008
- JAPAN on Mar 17 2008
- HONG KONG on Mar 17 2008
The most common file size is 12,900 bytes. But the following file sizes have also been seen:
- 16,163 bytes
- 13,448 bytes
- 16,118 bytes
- 101,652 bytes
- 16,244 bytes
- 16,195 bytes
- 19,279 bytes
The filename is associated with the malware group ToTour:Trojan-a.Some files using the name LOTUSHLP.EXE are also associated with the malware groups:
- Worm.Looked
- PSW.OnlineGames.AAIA
LOTUSHLP.EXE has been seen to perform the following behavior(s):
- Adds a Registry Key (RUN) to auto start Programs on system start up
- This Process Deletes Other Processes From Disk
- Writes to another Process's Virtual Memory (Process Hijacking)
- This Process Creates Other Processes On Disk
- The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
- The Process is packed and/or encrypted using a software packing process
- This Process uses Anti Dissasembly Tricks
- Modifies Windows Initialization And System Settings Used On Start up
- Executes a Process
- Terminates Processes
LOTUSHLP.EXE has been the subject of the following behavior(s):
- Executed as a Process
- Created as a process on disk
- Deleted as a process from disk
- Added as a Registry auto start to load Program on Boot up
- Terminated as a Process
- Has code inserted into its Virtual Memory space by other programs
- Copied to multiple locations on the system
LOTUSHLP.EXE can also use the following file names:
- K119459447015.EXE
- K119459447215.EXE
- 37056861.DAT
- QQHX[1].EXE
- K119463063115.EXE
- K119463491515.EXE
- K119466301215.EXE
- QQHX[2].EXE
- K119466541615.EXE
- K119466570815.EXE
- K119467017515.EXE
- K113162701515.EXE
- 17403385.EXE
- K119473845414.EXE
- K119474306014.EXE
- 71828372.DAT
- 05351953.EXE
- K119721360413.EXE
- 25776746.SVD
- 17348389.EXE
- 57066324.DAT
- 00005.EXE
- 00005[1].EXE
- 52447118.EXE
- 76863694.EXE
- 67560246.SVD
- 57898896.DAT
- 23809008.EXE
- K119643573413.EXE
- 46144751.SVD
- K119645790713.EXE
- K119645791013.EXE
- K119647751113.EXE
- K119916132113.EXE
- K119916131813.EXE
- K113345928313.EXE
- QQHX.EXE
- 17[1].EXE
- CTFMON5.EXE
- DPTRREPEHT-170.PMS.EXE
- 676CBB80B0578CB052C4B3F1697D8676.EXE
- A0031977.EXE
- DPTRRE~1.EXE
- 72959608.DAT
- A24[1].EXE
- 82758333.SVD
- DPTRRIPDXM-27.PMS.EXE
- DPTRRI~1.EXE
- TMP7D.TMP