Associated Malware Groups
The unsafe files using this name are associated with the malware groups:
- Cloaked Malware
- Malicious Software
- Worm
File Behavior
START.EXE has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- This Process Deletes Other Processes From Disk
- Executes a Process
- Adds a Registry Key (RUN) to auto start Programs on system start up
- This process creates other processes on disk
- Writes to another Process's Virtual Memory (Process Hijacking)
- Can communicate with other computer systems using HTTP protocols
- Creates system tray popups, messages, errors and security warnings
- Uses DNS to retrieve the IP address for web sites
- Uses reverse DNS to retrieve the host names on IP addresses
- Uses your PC to connect to Chat rooms
- Disables the Notification Balloon for the Windows Security Center
- Disables Access to the Windows Registry Editor
- Disables Access to the Task Manager built into Windows
- Modifies Windows Security Policies to restrict/expand User Privileges on the machine
- Adds products to the system registry
- Automatically changes your firewall settings to allow itself or other programs to communicate over the internet
- Terminates Processes
- Changes the Windows Security Center to stop Antivirus status alerts from being displayed
- Changes the Windows Security Center to stop Firewall status alerts from being displayed
- Changes the Windows Security Center to stop Firewall override alerts from being displayed
- Changes the Windows Security Center to stop warnings from being displayed if automatic Windows Updates are not enabled
- Disables safe mode on your PC
- Injects code into other processes
- Registers a Dynamic Link Library File
- Copies files
- Performs DNS look ups to resolve URL IP addresses
- Uses rootkit techniques to conceal its presence, interrogation or removal
- Uses low level functions to hide itself from the user and from system/security processes
- Found on infected systems and resists interrogation by security products
START.EXE has been the subject of the following behavior:
- Added as a Registry auto start to load Program on Boot up
- Created as a process on disk
- Executed as a Process
- Has code inserted into its Virtual Memory space by other programs
- Terminated as a Process
- Copied to multiple locations on the system
- Registered as a Dynamic Link Library File
- Deleted as a process from disk
Country Of Origin
The filename START.EXE was first seen on May 21 2007 in the following geographical regions of the Webroot community:
- The United States on May 21 2007
- Kazakhstan on May 21 2007
- Hong Kong on Jun 5 2007
- Thailand on Jun 5 2007
- Poland on Jun 14 2007
- Luxembourg on Jun 14 2007
- on Oct 14 2007
- Netherlands on Mar 23 2008
- France on Mar 23 2008
- Philippines on Jun 6 2010
- The United Kingdom on Jun 6 2010
- New Zealand on Oct 24 2010
- Romania on Jan 22 2011
- Turkey on May 24 2012
File Name Aliases
START.EXE can also use the following file names:
- COLIN-MCRAE-DIRT CRACK + KEYGEN BY RAZOR1911.EXE
- TOM CLANCY'S GHOST RECON 2 CRACK + KEYGEN BY RAZOR1911.EXE
- TOM CLANCY'S RAINBOW SIX 3 - RAVEN SHIELD CRACK + KEYGEN BY RAZOR1911.EXE
- UEFA CHAMPIONS LEAGUE 2006-2007 CRACK + KEYGEN BY RAZOR1911.EXE
- UEFA CHAMPIONS LEAGUE 2004-2005 CRACK + KEYGEN BY RAZOR1911.EXE
- TOM CLANCY'S GHOST RECON - ISLAND THUNDER CRACK + KEYGEN BY RAZOR1911.EXE
- TOM CLANCY'S ENDWAR CRACK + KEYGEN BY RAZOR1911.EXE
- THE SIMS 2 - HOLIDAY EDITION CRACK + KEYGEN BY RAZOR1911.EXE
- TOM CLANCY'S GHOST RECON 2 - SUMMIT STRIKE CRACK + KEYGEN BY RAZOR1911.EXE
- ALEXANDER 2004 CRACK + KEYGEN BY RAZOR1911.EXE
- ALFRED HITCHCOCK PRESENTS THE FINAL CUT CRACK + KEYGEN BY RAZOR1911.EXE
- KASPERSKY 2011 CRACK + KEYGEN BY RAZOR1911.EXE
- KASPERSKY PURE CRACK + KEYGEN BY RAZOR1911.EXE
- NEED FOR SPEED - CARBON CRACK + KEYGEN BY RAZOR1911.EXE
- NEED FOR SPEED CARBON - OWN THE CITY CRACK + KEYGEN BY RAZOR1911.EXE
- NUCLEAR STRIKE CRACK + KEYGEN BY RAZOR1911.EXE
- SILENT HUNTER 4 - WOLVES OF THE PACIFIC CRACK + KEYGEN BY RAZOR1911.EXE
- SILENT HUNTER IV - U-BOAT MISSION CRACK + KEYGEN BY RAZOR1911.EXE
- SIMCITY SOCIETIES - DESTINATIONS CRACK + KEYGEN BY RAZOR1911.EXE
- SIMCITY SOCIETIES CRACK + KEYGEN BY RAZOR1911.EXE
- SPORE - CREEPY & CUTE PARTS PACK CRACK + KEYGEN BY RAZOR1911.EXE
- SPORE CRACK + KEYGEN BY RAZOR1911.EXE
- SUB COMMAND CRACK + KEYGEN BY RAZOR1911.EXE
- SUB CULTURE BY CRACK RAZOR1911.EXE CRACK + KEYGEN BY RAZOR1911.EXE
- THE ADVENTURES OF VALDO & MARIE CRACK + KEYGEN BY RAZOR1911.EXE
- THE ELDER SCROLLS III - MORROWIND CRACK + KEYGEN BY RAZOR1911.EXE
- THE ORANGE BOX CRACK + KEYGEN BY RAZOR1911.EXE
- THE POLITICAL MACHINE CRACK + KEYGEN BY RAZOR1911.EXE
- THE SETTLERS - HERITAGE OF KINGS CRACK + KEYGEN BY RAZOR1911.EXE
- THE SETTLERS - RISE OF AN EMPIRE CRACK + KEYGEN BY RAZOR1911.EXE
- THE SETTLERS II 10TH ANNIVERSARY CRACK + KEYGEN BY RAZOR1911.EXE
- THE SIMS 2 - APARTMENT LIFE CRACK + KEYGEN BY RAZOR1911.EXE
- THE SIMS 2 - FAMILY FUN STUFF CRACK + KEYGEN BY RAZOR1911.EXE
- THE SIMS 2 - FREETIME CRACK + KEYGEN BY RAZOR1911.EXE
- THE SIMS 2 - HOLIDAY PARTY PACK CRACK + KEYGEN BY RAZOR1911.EXE
- THE SIMS 2 - NIGHTLIFE CRACK + KEYGEN BY RAZOR1911.EXE
- THE SIMS 2 - OPEN FOR BUSINESS CRACK + KEYGEN BY RAZOR1911.EXE
- THE SIMS 2 - PETS CRACK + KEYGEN BY RAZOR1911.EXE
- THE SIMS 2 - SEASONS CRACK + KEYGEN BY RAZOR1911.EXE
- THE SIMS 2 - UNIVERSITY CRACK + KEYGEN BY RAZOR1911.EXE
- THE SIMS 2 STUFF PACKS CRACK + KEYGEN BY RAZOR1911.EXE
- CTFMON.EXE
- LSASS.EXE
- LSASS .EXE
- START[n].EXE
- SETUP.EXE
- SPLASH.EXE
- SPLASH1.EXE
- START รันตัวนี้เป็นตัวที่2ครับ.EXE
- DC6.EXE
- ÈÄ.
- 01623936.DAT
- 55503938.EXE
- 03678293.DAT
- 43728286.DAT
Filesizes
The following file sizes have been seen:
- 936,960 bytes
- 15,173,450 bytes
- 29,696 bytes
- 102,400 bytes
- 53,248 bytes
- 3,523,873 bytes
- 16,384 bytes
- 249,344 bytes
- 4,374,450 bytes
File Type
The filename START.EXE refers to many versions of an executable program.
File Activity
One or more files with the name START.EXE create, delete, copy or move the following files and folders:
- Opens/modifies c:\autoexec.bat
- Creates c:\svchost.exe
- Creates c:\344.bat
- Creates c:\cscript.exe
- Creates c:\windows\system32\opnlihe.dll
- Creates c:\docume~1\user\locals~1\temp\removalfile.bat
- Creates c:\windows\17PHolmes1188.exe
- Creates c:\docume~1\user\locals~1\temp\un.bat
- Deletes c:\services.exe
- Creates folder C:\WINDOWS\system32\aqVreo18
- Deletes c:\docume~1\user\locals~1\temp\nsh13.tmp
- Creates c:\windows\system32\MSINET.DEP
- Creates c:\windows\system32\MSINET.oca
- Creates c:\windows\system32\MSINET.OCX
- Creates c:\windows\system32\pac.txt
- Creates c:\windows\system32\aqvreo18\aqVreo182328.exe
Network Activity
One or more files with the name START.EXE perform the following network events:
- DNS Lookup 66.235.218.119 ns1.mysearchhere.net
- DNS get host SHANNON-F492ADA6 192.168.0.12
Website Activity
One or more files with the name START.EXE interact with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:66.235.218.119:8000 Port:14
- Port 80 IP:80.109.240.75
- members .chello .hu / molnar .oliver / b .dat
- members .chello .hu / molnar .oliver / a .dat
- members .chello .hu / molnar .oliver / c .dat
- members .chello .hu / molnar .oliver / d .dat
- ymq .a1188 .wrs .mcboo .com / 17PHolmes .cmt
- Port 80 IP:194.90.224.86