9.EXE - Dangerous

What you should do about 9.EXE:

Your PC is infected. The file called 9.EXE is considered unsafe and there may be other infections on your PC.

You should urgently check your PC and remove any malicious software including 9.EXE as soon as possible. The free version of Prevx CSI will scan your PC for millions of spyware and malware infections in less than 2 minutes. Don't take the risk, check your PC now.

Download Prevx CSI Now

What we know about 9.EXE:

The filename 9.EXE was first seen on Jul 12 2007 in The EUROPEAN UNION. It has also been seen in the following geographical regions of the Prevx community:

  • SPAIN on Aug 16 2007
  • SOUTH AFRICA on Apr 9 2008
  • The UNITED KINGDOM on Feb 23 2008
  • MALAYSIA on Sep 11 2007
  • URUGUAY on Aug 16 2007
The filename 9.EXE refers to many versions of an executable program.

The most common file size is 27,648 bytes. But the following file sizes have also been seen:

  • 178,176 bytes
  • 33,935 bytes
  • 57,344 bytes
  • 1,145,125 bytes
  • 29,700 bytes
  • 105,472 bytes

The filename is associated with the malware group PSW.OnlineGames.Some files using the name 9.EXE are also associated with the malware groups:
  • PSW.Generic_c.LL
  • BackDoor.Hupigon3.AMFA
  • WORM.FUJACKS.AB

These files may have the following Vendor, Product, Version Information in the file header

9.EXE has been seen to perform the following behavior(s):

  • The Process is packed and/or encrypted using a software packing process
  • The Process is polymorphic and can change its structure
  • Adds Products to the system registry
  • Disables the built in Windows File Protection System
  • This Process Deletes Other Processes From Disk
  • This Process Creates Other Processes On Disk
  • Creates new folders in the file system
  • Opens browser pop ups
  • Creation and Registration of a Browser Helper Object in Internet Explorer
  • Adds a Registry Key (EXPLORER) to auto start Programs on system start Boot up
  • Executes a Process
  • Enables an In Process Object/Server - Common with DLL Injections
  • Adds a Registry Key (RUN) to auto start Programs on system start up
  • Modifies Windows Initialization And System Settings Used On Start up
  • The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents

9.EXE has been the subject of the following behavior(s):

  • Executed by Internet Explorer
  • Created as a process on disk
  • Executed as a Process
  • Has code inserted into its Virtual Memory space by other programs
  • Deleted as a process from disk
  • Copied to multiple locations on the system
  • Executed from Temporary Folders

9.EXE can also use the following file names:

  • 00641275.DAT
  • FILE[1].EXE
  • SVCHOST32.EXE
  • 58476766.SVD
  • 8.EXE
  • ~.EXE
  • 47048775.DAT
  • 9[1].EXE
  • 37372813.EXE
  • 17476635.SVD
  • MPLAY64[1].EXE
  • 84707913.DAT
  • 9[3].EXE
  • 9[4].EXE
  • 8SY.EXE
  • 19925174.EXE
  • DD130.EXE
  • WINOW.EXE
  • 49818737.DAT
  • DC2.EXE
  • 10849279.EXE
  • 59810193.EXE
  • 14096414.EXE
  • 9.EX
  • 20218681.EXE
  • 10436446.EXE
  • 57228612.EXE
  • 9[2].EXE
  • 46464884.EXE

Virus, Spyware & Malware Center