Associated Malware Groups
The filename is associated with the following malware groups:
- Malicious Software
- P2P Share Worm
- Cloaked Malware
File Behavior
H.PIF has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- Executes a Process
- Registers a Dynamic Link Library File
- This Process Creates Other Processes On Disk
- Disables safe mode on your PC
- Opens browser pop ups
- The Process is polymorphic and can change its structure
- Executes a process using Internet Explorer
- Creates new folders in the file system
- Enables an In Process Object/Server - Common with DLL Injections
H.PIF has been the subject of the following behavior:
- Created as a process on disk
- Executed as a Process
- Copied to multiple locations on the system
- This Process may have been infected by a file infecting virus
- This program is often downloaded from the web
- Registered as a Dynamic Link Library File
Country Of Origin
The filename H.PIF was first seen on Sep 7 2008 in the following geographical regions of the Prevx community:
- SPAIN on Sep 7 2008
- VIET NAM on Oct 3 2008
- EGYPT on Oct 15 2008
- The EUROPEAN UNION on Nov 1 2008
- GERMANY on Nov 6 2008
File Name Aliases
H.PIF can also use the following file names:
- WUAUCLT.EXE
- 80896603.DAT
- !I!WUAUCLT.EXE
- HBDP.PIF
- MM.EXE
- 46327012.DAT
- 93649067.DAT
- 17538415.SVD
- QZ.PIF
- 09876122.DAT
- CATCHME.TMP
- MM[1].EXE
- XX[n].EXE
- 6131T.EXE
- A.EXE
- MSCL.PIF
- 45760607.DAT
- LIS.PIF
Filesizes
The following file sizes have been seen:
- 24,576 bytes
- 15,872 bytes
- 14,863 bytes
- 6,919 bytes
- 20,552 bytes
- 14,537 bytes
Vendor, Product and Version Information
Files with the name H.PIF have been seen to have the following Vendor, Product and Version Information in the file header:
- Microsoft Corporation; Windows Update Automatic Updates; 7.0.6000.381 (winmain(wmbla).070730-1740)
- Microsoft Corporation; Windows Update Automatic Updates; 7, 0, 6000, 381
- Microsoft Corporations; Windows Update AutoUpdate Client; 5, 8, 4, 2471
- Microsoft Corporation; Windows Update Automatic Updates; 7, 0, 6000, 3832
- Microsoft Corporation; Windows Update AutoUpdate Client; 5, 8, 0, 2469
- Microsoft Corporations; Windows Update AutoUpdate Client; 5, 8, 5, 2471
File Type
The filename H.PIF refers to many versions of an executable program.
File Activity
One or more files with the name H.PIF create, delete, copy or move the following files and folders:
- Deletes c:\windows\system32\mfc71.dll
- Deletes c:\program files\kingsoft\kingsoft internet security 2008\kasbrowsershield.dll
- Creates c:\windows\system32\drivers\beep.sys
- Moves c:\windows\system32\wuauclt.exe to c:\tttmm.tep
- Deletes d:\program files\kingsoft\kingsoft internet security 2008\kasbrowsershield.dll
- Deletes e:\program files\kingsoft\kingsoft internet security 2008\kasbrowsershield.dll
- Creates c:\AUTORUN.IN
- Creates d:\AUTORUN.IN
- Copies c:\windows\system32\urlmon.dll to c:\windows\system32\dkmsskmgrs.dll
- Opens/modifies c:\autoexec.bat
- Creates c:\docume~1\user\locals~1\temp\0000097c000009d0.ur
- Deletes c:\docume~1\user\locals~1\temp\0000097c000009d0.ur
- Creates c:\windows\system32\clbscastq.dll
- Creates c:\windows\system32\lsseaes.exe
- Creates c:\windows\fonts\svchost.exe
- Creates c:\windows\downloaded program files\svchost.exe
Registry Activity
One or more files with the name H.PIF create or modify the following registry keys and values:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main CompatibilityFlags value:
- HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d} Enable value:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main FullScreen no
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Window_Placement [REG_BINARY, size: 44 bytes]
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar Locked value:
- HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\UserExtendedProperties\sonya5554945@live.co.uk usertileurl http://blufiles.storage.msn.com/static/15
- HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\UserExtendedProperties\sonya5554945@live.co.uk idtiletimestamp 2008-04-17T10:42:09.000000-00:00
- HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\UserExtendedProperties\sonya5554945@live.co.uk anon @fmt|A=1F8425AAA9298AABE262F3D5FFFFFFFF&E=6d4&W=1||Mon, 03-Nov-2008 18:44:33 GMT|
- HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\UserExtendedProperties\sonya5554945@live.co.uk nap @fmt|V=1.6&E=67a&C=P-3VOZ__SopKKwZ-7rLuDHmGI951Mpxr8m6-TZ9Dh_hfJcerCNfjsQ&W=1||Sat, 26-Jul-2008 17:44:33 GMT|
- HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\UserExtendedProperties\sonya5554945@live.co.uk lastusedcredtype 1
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Zoom ZoomFactor [REG_DWORD, value: 000186A0]
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F UserFile [REG_BINARY, size: 79044 bytes]