File Investigation Report
ZQ[1].EXE
Fraudulent Security ProgramPC Cleanup in 3 Easy Steps
Use Prevx 3.0 to remove ZQ[1].EXE, along with any other viruses, spyware, adware, trojans, rootkits, worms, information stealers, keyloggers, bots, and other form of malicious threat that may reside on your PC.
- Think your PC might be Infected? Scan Now Prevx 3.0 will scan your PC in seconds to inform you whether your PC is clean or infected.
- Malware Removal Prevx 3.0 removes adware infections for free. More complicated infections require purchase of a malware removal license.
- Expert Assistance In the rare occurence that Prevx 3.0 malware removal fails - a Prevx Engineer will connect to your PC and manually disinfect.
- Money Back Guarantee for Individual Users If within the first 14 days, the Prevx Engineer finds it impossible to clean an infection from your PC, we give you your money back.
Associated Malware Groups
The unsafe files using this name are associated with the malware groups:
- Fraudulent Security Program
- Cloaked Malware
File Behavior
ZQ[1].EXE has been seen to perform the following behavior:
- Executes a Process
- This process creates other processes on disk
- Downloads hidden code from covert web sites
- Downloads program file(s) and other content from the web
- This Process is a file infector which modifies program files to include a copy of the infection
- This Process Deletes Other Processes From Disk
- Creates new folders in the file system
- Enables an In Process Object/Server - Common with DLL Injections
- Visits web sites on your PC without you knowing
- The Process is packed and/or encrypted using a software packing process
ZQ[1].EXE has been the subject of the following behavior:
- Created as a process on disk
- Deleted as a process from disk
- Executed as a Process
- Has code inserted into its Virtual Memory space by other programs
- Terminated as a Process
- Added as a Registry auto start to load Program on Boot up
Country Of Origin
The filename ZQ[1].EXE was first seen on Jun 3 2007 in the following geographical regions of the Prevx community:
- The UNITED STATES on Jun 3 2007
- The UNITED KINGDOM on Jun 3 2007
- The EUROPEAN UNION on Jul 12 2007
File Name Aliases
ZQ[1].EXE can also use the following file names:
- NEW.EXE
- WEZ[3].EXE
- WEZ[1].EXE
- IZV[1].EXE
- 1[1].EXE
- 12[1].EXE
- RE[1].EXE
- II[1].EXE
- PV[1].EXE
- 5.TMP
- 4.TMP
- D.TMP
- 2.TMP
- 6.TMP
- 7.TMP
- 8.TMP
- 3.TMP
- B.TMP
- 9.TMP
- A.TMP
- 1.TMP
- E.TMP
- F.TMP
- C.TMP
- C3.TMP
- EA.TMP
- A5.TMP
- 3F.TMP
- 49.TMP
- A4.TMP
- C6.TMP
- E7.TMP
- 30.TMP
- AA.TMP
- B7.TMP
- E5.TMP
- 76.TMP
- 66.TMP
- AB.TMP
- B3.TMP
- B2.TMP
- 56.TMP
- 65.TMP
- BA.TMP
- 5A.TMP
- 83.TMP
- 39.TMP
- 9F.TMP
- 2A.TMP
- 51.TMP
- 90.TMP
- C2.TMP
- 6D.TMP
- 14.TMP
- 54.TMP
- 58.TMP
- 24.TMP
- 29.TMP
- 9A.TMP
- 57.TMP
- 75.TMP
- 3C.TMP
- 37.TMP
- PO.EXE
- 93.TMP
- 84.TMP
- 36.TMP
- 6A.TMP
- 19.TMP
- 27.TMP
- 8C.TMP
- 1B.TMP
- 1C.TMP
- 4F.TMP
- 2E.TMP
- 2C.TMP
- 6B.TMP
- 91.TMP
- 98.TMP
- 3E.TMP
- 7A.TMP
- 79.TMP
- E6.TMP
- 2B.TMP
- 23.TMP
- 16.TMP
- 3D.TMP
- A8.TMP
- 3A.TMP
- 4C.TMP
- 1A.TMP
- 5F.TMP
- 18.TMP
- 44.TMP
- 88.TMP
- E8.TMP
- EB.TMP
- 8F.TMP
- C0.TMP
- 7B.TMP
- 31.TMP
- 2D.TMP
- 5C.TMP
- 8D.TMP
- 9C.TMP
- 4E.TMP
- 63.TMP
- CE.TMP
- 2F.TMP
- 99.TMP
- BC.TMP
- 42.TMP
- A2.TMP
- 34.TMP
- 13.TMP
- B0.TMP
- 48.TMP
- 38.TMP
- 11.TMP
- 1F.TMP
- A7.TMP
- 52.TMP
- 8A.TMP
- 22.TMP
- 60.TMP
- DC.TMP
- 53.TMP
- 80.TMP
- D0.TMP
- 21.TMP
- 89.TMP
- 97.TMP
- 6C.TMP
- 6F.TMP
- 1E.TMP
- 10.TMP
- 15.TMP
- 5D.TMP
- 71.TMP
- 74.TMP
- C7.TMP
- 26.TMP
- 47.TMP
- 5E.TMP
- 12.TMP
- 28.TMP
- 40.TMP
- 25.TMP
- 4D.TMP
- A0.TMP
- D3.TMP
- 20.TMP
- 01.EXE
- CD.TMP
- E0.TMP
- 41.TMP
- B6.TMP
- CA.TMP
- 67.TMP
- AC.TMP
- 77.TMP
- DA.TMP
- 35.TMP
- 82.TMP
- 305.TMP
- 36A.TMP
- 26A.TMP
- 5C3.TMP
- D7E.TMP
- 430.TMP
- 431.TMP
- 433.TMP
- 435.TMP
- 437.TMP
- 444.TMP
- 24D.TMP
- 733.TMP
- 4616.TMP
- 143.TMP
- 15B.TMP
- 174.TMP
- 2B0.TMP
- 261.TMP
- 16D.TMP
- 177.TMP
- 332.TMP
- 1FE.TMP
- 200.TMP
- 14C.TMP
- 1A3.TMP
- 202.TMP
- 440.TMP
- 128.TMP
- 57C.TMP
- 1A5.TMP
- 1D5.TMP
- 367.TMP
- 125.TMP
- DC188.EXE
- DD539.EXE
- DC2.EXE
- DC17.EXE
- DC1.EXE
- 121.TMP
- 363.TMP
- 370.TMP
- 10E.TMP
- 1B6.TMP
- DC10.TMP
- DC4.EXE
- 233.TMP
- 390.TMP
- 204.TMP
- 56F.TMP
- 572.TMP
- 12A.TMP
- 87D.TMP
- 21AD.TMP
- 2CAF.TMP
- 2FCF.TMP
- 7BD.TMP
- 488.TMP
- 2B08.TMP
- 2E78.TMP
- 3A8.TMP
- 554B.TMP
- 6B71.TMP
- 7969.TMP
- 166.TMP
- 15C.TMP
- 126.TMP
- 186.TMP
- 196.TMP
- 220.TMP
- 138.TMP
- 137.TMP
- 1C8.TMP
- 28A.TMP
- 1DB.TMP
- 5E9.TMP
- 42B.TMP
- 60E.TMP
- 191.TMP
- 17F.TMP
- 146.TMP
- 1FA.TMP
- 297.TMP
- 152.TMP
- 30C.TMP
- 194.TMP
- 1CA.TMP
- 131.TMP
- 2D6.TMP
- 40F.TMP
- 466.TMP
- 4AB.TMP
- DC32.TMP
- DC35.TMP
- DC40.TMP
- 528.TMP
- 546.TMP
- 6FC.TMP
- 765.TMP
- 2DF.TMP
- 51B.TMP
- 6D4.TMP
- 3B4.TMP
- 145.TMP
- 176.TMP
- DC0.TMP
- D29.TMP
- 252.TMP
- 227.TMP
- 149.TMP
- 2D5.TMP
- 39E.TMP
- 38A.TMP
- 12C.TMP
- 2C7.TMP
- 16E.TMP
- 197.TMP
- 119.TMP
- DC308.TMP
- 595.TMP
- 6B1.TMP
- 894.TMP
- 8E1.TMP
- 675.TMP
- 1343.TMP
- 1991.TMP
- 25B.TMP
- 25C.TMP
- 439.TMP
- 101.TMP
- 104.TMP
- 255.TMP
- 161.TMP
- 1A2.TMP
- DE625.EXE
- 14E.TMP
- 29D.TMP
- 466A.TMP
- 42C.TMP
- DC1.TMP
- 1FD.TMP
- 178.TMP
- 22A.TMP
- 826.TMP
- 1A9.TMP
- 27D.TMP
- 1A32.TMP
- 1A67.TMP
- 173.TMP
- 24E.TMP
- 2245.TMP
- 38C.TMP
- 1295.TMP
- 129C.TMP
- 65C.TMP
- 310.TMP
- 1AF.TMP
- 1C0.TMP
- 1C9.TMP
- 1AD.TMP
- 1B5.TMP
- 189.TMP
- DC6137.TMP
- DC6138.TMP
- 25A.TMP
- 26C.TMP
- 67E.TMP
- DC24.TMP
- 1A0.TMP
- 1BC.TMP
- 295.TMP
- 8A3.TMP
- 1CE.TMP
- 3C7.TMP
- 73A.TMP
- 169.TMP
- 4D5.TMP
- 4A9.TMP
- 1945.TMP
- 296.TMP
- 5BA.TMP
- 34D.TMP
- 258.TMP
- 1107.TMP
- 346.TMP
- DC30.TMP
- DC31.TMP
- DC37.TMP
- 141.TMP
- 11D.TMP
- 373.TMP
- 2E9.TMP
- 619.TMP
- 626.TMP
Filesizes
The following file size has been seen:
- 299,008 bytes
- 186,668 bytes
- 186,608 bytes
- 49,664 bytes
- 41,984 bytes
File Type
The filename ZQ[1].EXE is used by multiple object types including executable programs,Dynamic Link LIbraries.
File Activity
One or more files with the name ZQ[1].EXE creates, deletes, copies or moves the following files and folders:
- Deletes c:\docume~1\user\locals~1\temp\nsp7.tmp
- Creates c:\program files\common files\Yazzle1552OinAdmin.exe
- Creates c:\program files\common files\Yazzle1552OinUninstaller.exe
- Creates c:\docume~1\user\locals~1\temp\mshtml2.exe
- Deletes c:\docume~1\user\locals~1\temp\mshtml2.exe
- Creates c:\docume~1\user\locals~1\temp\mshtml3.exe
- Deletes c:\docume~1\user\locals~1\temp\mshtml3.exe
- Opens/modifes c:\autoexec.bat
- create folder C:\WINDOWS\RACLE~1\?racle
- create folder C:\WINDOWS\RACLE~1\RACLE~1
- Creates c:\windows\racle~1\winspool.exe
- Creates c:\windows\racle~1\racle~1\ctxad-576.000
- Creates c:\documents and settings\user\application data\Microsof
- Creates c:\documents and settings\user\application data\microsoft\Crypt
- Creates c:\documents and settings\user\application data\microsoft\crypto\RS
- Creates c:\documents and settings\user\application data\microsoft\crypto\rsa\S-1-5-21-1858025970-2322712386-1997616605-100
- Creates c:\docume~1\user\locals~1\temp\ctxad.exe
- Deletes c:\windows\racle~1\racle~1\ctxad-576.000
- Deletes c:\docume~1\user\locals~1\temp\ctxad.exe
- create folder C:\Program Files\Outerinf
- create folder C:\Program Files\Outerinfo\F
- create folder C:\Program Files\Outerinfo\FF\component
- Deletes c:\docume~1\user\locals~1\temp\nso22.tmp
- Creates c:\docume~1\user\locals~1\temp\NDrv.dll
- Creates c:\documents and settings\user\application data\Microsoft
- Creates c:\documents and settings\user\application data\microsoft\Crypto
- Creates c:\documents and settings\user\application data\microsoft\crypto\RSA
- Creates c:\documents and settings\user\application data\microsoft\crypto\rsa\S-1-5-21-1858025970-2322712386-1997616605-1003
- Copies filec:\docume~1\user\locals~1\temp\NDrv.dll to c:\windows\system32\fqier.dll
- Deletes c:\docume~1\user\locals~1\temp\NDrv.dll
- Creates c:\docume~1\user\locals~1\temp\NDrv.exe
- Deletes c:\docume~1\user\locals~1\temp\NDrv.exe
- Creates c:\docume~1\user\locals~1\temp\outerinfo.ico
- Creates c:\program files\outerinfo\Terms.rtf
- Creates c:\documents and settings\user\start menu\programs\outerinfo\Terms.lnk
- Creates c:\documents and settings\user\start menu\programs\outerinfo\Uninstall.lnk
- Creates c:\program files\outerinfo\ff\install.rdf
- Creates c:\program files\outerinfo\ff\chrome.man
- Creates c:\program files\outerinfo\ff\components\FF.dll
- Creates c:\program files\outerinfo\ff\components\OuterinfoAds.xpt
- Copies filec:\docume~1\user\locals~1\temp\NDrv.exe to c:\documents and settings\user\application data\f?nts\j?vaw.exe
- Deletes c:\docume~1\user\locals~1\temp\eiet\index.da
- Creates c:\docume~1\user\locals~1\temp\eiet\index.da
- Copies filec:\documents and settings\user\local settings\temporary internet files\content.ie5\n30oyv4w\client_settings_3[1].bin to c:\docume~1\user\locals~1\temp\eiet\T3A.tmp
- Deletes c:\docume~1\user\locals~1\temp\tmp41.tmp
- Creates c:\docume~1\user\locals~1\temp\tmp41.tmp
- Deletes c:\documents and settings\user\application data\microsoft\crypto\rsa\s-1-5-21-1858025970-2322712386-1997616605-1003\6e549e6605dc34d14ae6f5ce06712580_00c1ea3a-eca6-4e0c-81e8-ae9c3e708f9e
- Copies filec:\documents and settings\user\local settings\temporary internet files\content.ie5\08abwx9z\campaigns8[1].enc to c:\docume~1\user\locals~1\temp\eiet\T45.tmp
- Copies filec:\documents and settings\user\local settings\temporary internet files\content.ie5\31xyf0sa\campaigns_c[1].bin to c:\docume~1\user\locals~1\temp\eiet\T4A.tmp
- Deletes c:\docume~1\user\locals~1\temp\NDr4E.tmp
Website Activity
One or more files with the name ZQ[1].EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- Remote server connection to fp .outerinfo .co
- Port 80 IP:63.251.135.24
- TCP:127.0.0.1:1097 Port:16
- Port 80 IP:63.251.135.26
- Remote server connection to cu .outerinfo .co
- TCP:127.0.0.1:1100 Port:20
- Port 80 IP:63.251.135.16
- Port 80 IP:63.251.135.17
- TCP:127.0.0.1:1116 Port:20
- Port 80 IP:63.251.135.15
- Port 80 IP:66.11.119.72
PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.