Associated Malware Groups
The unsafe files using this name are associated with the malware group:
File Behavior
GONX7881.EXE has been seen to perform the following behavior:
- Creates system tray popups, messages, errors and security warnings
- Uses DNS to retrieve the IP address for web sites
GONX7881.EXE has been the subject of the following behavior:
Country Of Origin
The filename GONX7881.EXE was first seen on Apr 1 2009 in the following geographical regions of the Webroot community:
- Canada on Apr 1 2009
- Spain on Apr 1 2009
Filesizes
The following file sizes have been seen:
- 200,873 bytes
- 224,953 bytes
- 39,424 bytes
File Type
The filename GONX7881.EXE refers to many versions of an executable program.
File Activity
One or more files with the name GONX7881.EXE creates, deletes, copies or moves the following files and folders:
- Deletes c:\docume~1\user\locals~1\temp\nsh6.tmp
- Creates c:\docume~1\user\locals~1\temp\nsn8.tmp
- Deletes c:\docume~1\user\locals~1\temp\nsnA.tmp
- Creates c:\docume~1\user\locals~1\temp\nsna.tmp\System.dll
- Creates c:\docume~1\user\locals~1\temp\rmtpqztqkj.dll
- Moves c:\docume~1\user\locals~1\temp\rmtpqztqkj.dll to c:\windows\system32\rmtpqztqkj.dll
- Creates c:\windows\system32\xnlvoeoxwfwliowc.exe
- Opens/modifies c:\autoexec.bat
- Deletes c:\docume~1\user\locals~1\temp\nsz10.tmp
- Deletes c:\docume~1\user\locals~1\temp\cv4F7C8.tmp
- Deletes c:\docume~1\user\locals~1\temp\nsna.tmp\System.dll
- Creates c:\documents and settings\user\application data\Microsof
- Creates c:\documents and settings\user\application data\microsoft\Crypt
- Creates c:\documents and settings\user\application data\microsoft\crypto\RS
- Creates c:\documents and settings\user\application data\microsoft\crypto\rsa\S-1-5-21-2752991226-1774555873-248915221-100
- Creates c:\docume~1\user\locals~1\temp\00000e0c00000e40.ur
- Deletes c:\docume~1\user\locals~1\temp\00000e0c00000e40.ur
- Deletes c:\docume~1\user\locals~1\temp\nsn17.tmp
- Creates c:\docume~1\user\locals~1\temp\nsc19.tmp
- Deletes c:\docume~1\user\locals~1\temp\nss1B.tmp
- Creates c:\docume~1\user\locals~1\temp\nss1b.tmp\System.dll
- Creates c:\docume~1\user\locals~1\temp\nss1b.tmp\Math.dll
- Deletes c:\windows\system32\nsk24.tmp
- Creates c:\windows\system32\nsk24.dll
- Creates c:\documents and settings\user\application data\Microsoft
- Creates c:\documents and settings\user\application data\microsoft\Crypto
- Creates c:\documents and settings\user\application data\microsoft\crypto\RSA
- Creates c:\documents and settings\user\application data\microsoft\crypto\rsa\S-1-5-21-2752991226-1774555873-248915221-1003
- Creates c:\docume~1\user\locals~1\temp\nss1b.tmp\nse2B.tmp
- Creates c:\windows\system32\159cdeb1-713e-2c3b-29c2-7ab5487d8ca0.exe
- Creates c:\docume~1\user\locals~1\temp\nss1b.tmp\NSISdl.dll
- Creates c:\docume~1\user\locals~1\temp\nss1b.tmp\nsss
- Deletes c:\docume~1\user\locals~1\temp\nss1b.tmp\nsss
- Deletes c:\docume~1\user\locals~1\temp\nss1b.tmp\Math.dll
- Deletes c:\docume~1\user\locals~1\temp\nss1b.tmp\nse2B.tmp
- Deletes c:\docume~1\user\locals~1\temp\nss1b.tmp\NSISdl.dll
- Deletes c:\docume~1\user\locals~1\temp\nss1b.tmp\System.dll
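The File Activity list above shows two patterns a defender can turn into checks: a DLL dropped into the user's %TEMP% and then moved into c:\windows\system32, and randomly named or GUID-named executables created directly in system32. The ns*.tmp folders holding System.dll, Math.dll and NSISdl.dll are the footprint of a Nullsoft (NSIS) installer unpacking its plugins. The following is an added example, not Webroot's code or output: it parses a constructed subset of the lines copied from the page (the line format "Verb path" and "Moves src to dst" is assumed from the page) and flags each of those behaviours.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "verb src dst")

# Constructed subset of the File Activity lines above, copied from the page.
ACTIVITY_LINES = [
    r"Creates c:\docume~1\user\locals~1\temp\nsna.tmp\System.dll",
    r"Creates c:\docume~1\user\locals~1\temp\rmtpqztqkj.dll",
    r"Moves c:\docume~1\user\locals~1\temp\rmtpqztqkj.dll to c:\windows\system32\rmtpqztqkj.dll",
    r"Creates c:\windows\system32\xnlvoeoxwfwliowc.exe",
    r"Deletes c:\docume~1\user\locals~1\temp\nsna.tmp\System.dll",
    r"Creates c:\docume~1\user\locals~1\temp\nss1b.tmp\Math.dll",
    r"Creates c:\windows\system32\nsk24.dll",
    r"Creates c:\windows\system32\159cdeb1-713e-2c3b-29c2-7ab5487d8ca0.exe",
    r"Creates c:\docume~1\user\locals~1\temp\nss1b.tmp\NSISdl.dll",
    r"Deletes c:\docume~1\user\locals~1\temp\nss1b.tmp\NSISdl.dll",
]

# Line format assumed from the page: "<Verb> <path>" or "Moves <src> to <dst>".
LINE_RE = re.compile(r"^(Creates|Deletes|Copies|Moves|Opens/modifies)\s+(.+)$", re.I)
# The report uses 8.3 short names (locals~1), so match only the \temp\ component.
TEMP_RE = re.compile(r"\\temp\\", re.I)
SYSTEM32_RE = re.compile(r"^c:\\windows\\system32\\[^\\]+$", re.I)
# NSIS unpacks its plugin DLLs into an ns<random>.tmp folder under %TEMP%.
NSIS_PLUGIN_RE = re.compile(r"\\ns[a-z0-9]+\.tmp\\(system|nsisdl|math)\.dll$", re.I)
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.exe$", re.I)


def parse_activity(lines):
    """Turn report lines into (verb, src, dst) events; paths are lower-cased."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        verb, rest = m.group(1).lower(), m.group(2)
        src, dst = rest, None
        if verb in ("moves", "copies"):
            src, sep, dst = rest.rpartition(" to ")
            if not sep:                      # no destination recorded
                src, dst = rest, None
        events.append(Event(verb, src.lower(), dst.lower() if dst else None))
    return events


def find_temp_to_system32(events):
    """Staging: a file dropped into %TEMP% and then moved/copied into system32."""
    return [(e.src, e.dst) for e in events
            if e.dst and TEMP_RE.search(e.src) and SYSTEM32_RE.match(e.dst)]


def find_system32_binaries(events):
    """EXE/DLL files that end up in system32, each with a GUID-name flag."""
    found = {}
    for e in events:
        target = e.dst if e.verb in ("moves", "copies") else e.src
        if e.verb == "deletes" or not SYSTEM32_RE.match(target):
            continue
        if target.endswith((".exe", ".dll")):
            found[target] = bool(GUID_RE.match(target.rsplit("\\", 1)[-1]))
    return sorted(found.items())


def find_nsis_plugins(events):
    """Plugin DLLs created inside an ns*.tmp folder: evidence of an NSIS installer."""
    return sorted({NSIS_PLUGIN_RE.search(e.src).group(1) for e in events
                   if e.verb == "creates" and NSIS_PLUGIN_RE.search(e.src)})


if __name__ == "__main__":
    evs = parse_activity(ACTIVITY_LINES)
    print("temp -> system32:", find_temp_to_system32(evs))
    print("system32 binaries:", find_system32_binaries(evs))
    print("NSIS plugins seen:", find_nsis_plugins(evs))
```

The temp-to-system32 move and the creation of non-Microsoft binaries in system32 are the strongest signals here; the NSIS plugin footprint alone is not, since many legitimate installers are built with NSIS, so treat it as supporting context rather than a detection by itself.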
Network Activity
One or more files with the name GONX7881.EXE performs the following network events. Where a resolved address was recorded, it precedes the queried name:
- DNS Lookup 127.0.0.1 0
- DNS Lookup download.blueskyadagency.com
- DNS Lookup 67.55.126.228 download.blueskyadagency.com
- DNS Lookup blueskyadagency.com
- DNS Lookup 77.245.49.28 blueskyadagency.com
- DNS Lookup servedby.bigcashmarketing.net
- DNS Lookup 85.92.158.77 servedby.bigcashmarketing.net
- DNS Lookup ad.globe7.com
- DNS Lookup 77.238.174.11 ad.globe7.com
- DNS Lookup rotator.its.adjuggler.com
- DNS Lookup 64.237.101.84 rotator.its.adjuggler.com
- DNS Lookup ad.adserverplus.com
- DNS Lookup 77.238.174.11 ad.adserverplus.com
- DNS Lookup ad.yieldmanager.com
- DNS Lookup ad.directaclick.com
- DNS Lookup 77.238.172.11 ad.directaclick.com
- DNS Lookup ad.tlvmedia.com
- DNS Lookup 217.163.21.31 ad.tlvmedia.com
- DNS Lookup content.yieldmanager.edgesuite.net
- DNS Lookup 88.221.26.32 content.yieldmanager.edgesuite.net
- DNS Lookup view.atdmt.com
- DNS Lookup cdn1.eyewonder.com
- DNS Lookup 194.129.79.23 view.atdmt.com
- DNS Lookup 88.221.26.17 cdn1.eyewonder.com
- DNS Lookup adsfac.eu
- DNS Lookup ad.uk.doubleclick.net
- DNS Lookup 194.17.24.232 adsfac.eu
- DNS Lookup rmd.atdmt.com
- DNS Lookup 88.221.26.210 rmd.atdmt.com
- DNS Lookup 74.125.242.171 ad.uk.doubleclick.net
- DNS Lookup spe.atdmt.com
- DNS Lookup 88.221.26.203 spe.atdmt.com
- DNS Lookup ad.foxnetworks.com
- DNS Lookup m1.emea.2mdn.net
- DNS Lookup 217.163.21.31 ad.foxnetworks.com
- DNS Lookup amch.questionmarket.com
- DNS Lookup 4.71.104.187 amch.questionmarket.com
- DNS Lookup 88.221.26.56 m1.emea.2mdn.net
- DNS Lookup 0.0.0.0 ff02::1
- DNS Lookup fms2.eyewonder.speedera.net
- DNS Lookup 88.221.26.103 fms2.eyewonder.speedera.net
- DNS Lookup 88.221.26.103 88.221.26.103
- DNS Lookup 85.92.154.197 app.blueskyadagency.com
Website Activity
One or more files with the name GONX7881.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:127.0.0.1:1082 Port:17
- Port 80 IP:67.55.126.228
- Port 80 IP:77.245.49.28
- Remote server connection to fms2 .eyewonder .speedera .ne
- Remote server connection to 88 .221 .26 .10
- TCP:127.0.0.1:1098 Port:23
- Port 80 IP:77.238.174.11
- Port 80 IP:85.92.158.77
- Port 80 IP:64.237.101.84
- Port 80 IP:77.238.172.11
- Port 80 IP:217.163.21.31
- Port 80 IP:88.221.26.32
- Port 80 IP:88.221.26.17
- Port 80 IP:194.17.24.232
- Port 80 IP:194.129.79.23
- Port 80 IP:88.221.26.210
- Port 80 IP:74.125.242.171
- Port 80 IP:4.71.104.187
- Port 80 IP:88.221.26.203
- Port 80 IP:88.221.26.56
- Port 80 IP:88.221.26.103
- Port 80 IP:85.92.154.197
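The Network Activity and Website Activity lists above are, in practice, a list of indicators to hunt for in DNS and proxy logs. Some entries are sandbox noise rather than indicators (127.0.0.1, 0.0.0.0, the IPv6 multicast address ff02::1, and the bare name "0"), and the web addresses are defanged with a space before each dot. The following is an added example, not Webroot's code: it extracts routable IPs and hostnames from a constructed subset of the report lines copied from the page (both the "DNS Lookup<ip> host" form shown on the page and the spaced form are accepted), refangs defanged names, and matches them against constructed resolver log lines in an assumed "timestamp client qtype qname answer" format.

```python
import ipaddress
import re

# Constructed subset of the Network/Website Activity lines, copied from the page.
REPORT_LINES = [
    "DNS Lookup127.0.0.1 0",
    "DNS Lookup download.blueskyadagency.com",
    "DNS Lookup67.55.126.228 download.blueskyadagency.com",
    "DNS Lookup blueskyadagency.com",
    "DNS Lookup77.245.49.28 blueskyadagency.com",
    "DNS Lookup servedby.bigcashmarketing.net",
    "DNS Lookup85.92.158.77 servedby.bigcashmarketing.net",
    "DNS Lookup0.0.0.0 ff02::1",
    "DNS Lookup88.221.26.103 88.221.26.103",
    "DNS Lookup85.92.154.197 app.blueskyadagency.com",
    "Port 80 IP:67.55.126.228",
    "Port 80 IP:85.92.154.197",
]

# Constructed resolver log lines (timestamp client qtype qname answer); not from the page.
SAMPLE_LOGS = [
    "2009-04-01T10:02:11Z 10.0.0.5 A download.blueskyadagency.com 67.55.126.228",
    "2009-04-01T10:02:12Z 10.0.0.5 A www.example.com 93.184.216.34",
    "2009-04-01T10:02:13Z 10.0.0.7 A cdn.blueskyadagency.com 85.92.154.197",
    "2009-04-01T10:02:14Z 10.0.0.9 A localhost 127.0.0.1",
    "2009-04-01T10:02:15Z 10.0.0.9 A mirror.example.net 85.92.158.77",
]

PREFIXES = ("DNS Lookup", "Port 80 IP:", "Remote server connection to")
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def refang(text):
    """Undo the page's defanging, which inserts a space before each dot."""
    return re.sub(r"\s+\.", ".", text)


def classify(token):
    """Return ('ip', addr), ('host', name) or None for one report token.

    Loopback, unspecified, multicast, link-local and private addresses are
    dropped: entries such as 127.0.0.1 and ff02::1 are sandbox artefacts.
    """
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:
        return ("host", token.lower()) if HOST_RE.match(token) else None
    if (ip.is_loopback or ip.is_unspecified or ip.is_multicast
            or ip.is_link_local or ip.is_private):
        return None
    return ("ip", str(ip))


def extract_iocs(lines):
    """Collect routable IPs and hostnames from report lines into two sets."""
    iocs = {"hosts": set(), "ips": set()}
    for line in lines:
        line = refang(line.strip())
        prefix = next((p for p in PREFIXES if line.startswith(p)), None)
        if prefix is None:
            continue
        for token in line[len(prefix):].split():
            kind = classify(token)
            if kind is not None:
                iocs[kind[0] + "s"].add(kind[1])
    return iocs


def registrable(host):
    """Last two labels. A real deployment should use the Public Suffix List
    so that names under co.uk and similar suffixes are not over-matched."""
    return ".".join(host.split(".")[-2:])


def host_matches(qname, hosts):
    """Exact IOC hit, or the query shares a registrable domain with an IOC host."""
    qname = qname.lower().rstrip(".")
    if qname in hosts:
        return True
    return registrable(qname) in {registrable(h) for h in hosts}


def match_logs(log_lines, iocs):
    """Return (index, qname, reasons) for every log line touching an IOC."""
    hits = []
    for i, line in enumerate(log_lines):
        _ts, _client, _qtype, qname, answer = line.split()
        reasons = []
        if host_matches(qname, iocs["hosts"]):
            reasons.append("domain")
        if answer in iocs["ips"]:
            reasons.append("ip")
        if reasons:
            hits.append((i, qname, reasons))
    return hits


if __name__ == "__main__":
    found = extract_iocs(REPORT_LINES)
    for hit in match_logs(SAMPLE_LOGS, found):
        print(hit)
```

Two caveats before alerting on this list. Most of the hosts in the full Network Activity section (doubleclick, atdmt, yieldmanager, 2mdn and the other ad servers) are generic advertising infrastructure that ordinary browsing also resolves, so they are weak indicators on their own; the names specific to this sample, blueskyadagency.com and bigcashmarketing.net, carry most of the signal. The resolved addresses date from the April 2009 observation and should be treated as historical rather than current infrastructure.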