Associated Malware Groups
The filename is associated with the malware groups:
- Malicious Software
- Worm
- Malware Downloader
File Behavior
HWUPGRADE.EXE has been seen to perform the following behavior:
- Executes a Process
- This process creates other processes on disk
- Looks at the contents of the autoexec.bat file
- Reads email address and phone book details
- Includes file creation code which could be used to test for interception by security products
- Opens browser pop ups
- Uses DNS to retrieve the IP address for web sites
- Visits web sites on your PC without you knowing
- Registers a Dynamic Link Library File
- This process is a file infector which modifies program files to include a copy of the infection
- Drops known malicious software during execution
- Writes to another process's virtual memory (process hijacking)
- Deletes other processes from disk
- Adds a Registry key (Run) to auto-start programs at system startup
- Can communicate with other computer systems using HTTP protocols
- Copies files
- Creates or uses a background service to access the Internet using HTTP protocols
- Injects code into other processes
HWUPGRADE.EXE has been the subject of the following behavior:
- Downloaded from covert web sites without the user knowing
- Created as a process on disk
- Copied to multiple locations on the system
- Executed as a Process
- Registered as a Dynamic Link Library File
- Added as a Registry auto-start entry to load the program at boot
- Has code inserted into its Virtual Memory space by other programs
- Terminated as a Process
Country Of Origin
The filename HWUPGRADE.EXE was first seen on Mar 26 2009 in the following geographical regions of the Prevx community:
- Spain on Mar 26 2009
- The United States on Nov 30 2009
- The United Kingdom on Nov 30 2009
- China on Dec 16 2009
File Name Aliases
HWUPGRADE.EXE can also use the following file names:
- HWUPGRADE_AJ[n].EXE
- VANCSW.EXE
- IJCX.EXE
- SFSO.EXE
- FFLM.EXE
- TVPQ.EXE
- DMYK.EXE
- HWUPGRADE[1].EXE
- 81219891.DAT
- 56266253.EXE
Filesizes
The following file sizes have been seen:
- 25,600 bytes
- 17,408 bytes
- 23,040 bytes
- 24,064 bytes
File Type
The filename HWUPGRADE.EXE refers to many versions of an executable program.
File Activity
One or more files with the name HWUPGRADE.EXE create, delete, copy or move the following files and folders:
- Copies file hwupgrade.exe to c:\windows\hwupgrade.ex
- Creates c:\windows\msncom.exe
- Creates c:\windows\system32\ntvbn.exe
- Creates c:\windows\system32\winsmb.exe
- Creates c:\windows\system32\rswav.exe
- Creates c:\windows\system32\drivers\hwdrv.sys
- Deletes c:\windows\bfscv.exe
- Deletes c:\windows\msrcom.exe
Website Activity
One or more files with the name HWUPGRADE.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.