avprotect.exe - Dangerous
Manual removal instructions:
avprotect.exe | Malware |
avprotect.exe | Dangerous |
avprotect.exe | High Risk |
Copies itself as %Windir%\AVprotect.exe.
Adds the value:
"HtProtect"="%Windir%\AVprotect.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
Retrieves email addresses from the files that have these extensions:
.adb .asp .cgi .dbx .dhtm .doc .eml .htm .html .jsp .msg .oft .php .pl .rtf
.sht .shtm .tbb .txt .uin .vbs .wab .wsh .xml
The email has the following characteristics:
From:
Subject: The subject is one of the following:
Re: Important
Re: Your document
Re: Your details
Re: Approved
Message: The message is one of the following:
Your file is attached.
Please read the document.
Your document is attached.
Please read the attached file.
Please see the attached file for details.
Attachment: The attachment is one of the following:
your_file_%s.pif, details_%s.pif, document_%s.pif, %s.pif
where %s is the portion of the "To" address before the "@".
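The email traits listed above can be turned into a mail-filter check. The following is an added example, not code from the original page or from any product it mentions: the function names, the case-insensitive filename comparison and the rule in `is_suspect` are assumptions, and the sample message is constructed.

```python
from email import message_from_string
from email.utils import getaddresses

# Strings copied from the description above.
SUBJECTS = {"Re: Important", "Re: Your document", "Re: Your details", "Re: Approved"}
BODIES = {"Your file is attached.", "Please read the document.",
          "Your document is attached.", "Please read the attached file.",
          "Please see the attached file for details."}
TEMPLATES = ("your_file_{}.pif", "details_{}.pif", "document_{}.pif", "{}.pif")

def expected_names(msg):
    # Attachment names the description predicts for each "To" recipient:
    # %s is the part of the address before the "@".
    names = set()
    for _, addr in getaddresses(msg.get_all("To", [])):
        local = addr.partition("@")[0].lower()
        if local:
            names.update(t.format(local) for t in TEMPLATES)
    return names

def indicators(raw):
    # Return which of the described traits (subject, body, attachment) match.
    msg = message_from_string(raw)
    hits = set()
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.add("subject")
    expected = expected_names(msg)
    for part in msg.walk():
        name = part.get_filename()
        if name:
            if name.lower() in expected:
                hits.add("attachment")
        elif part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("latin-1").strip()
            if text in BODIES:
                hits.add("body")
    return hits

def is_suspect(raw):
    # Assumption: require the recipient-derived .pif name plus one text trait.
    hits = indicators(raw)
    return "attachment" in hits and len(hits) >= 2

# Constructed sample message (not a captured one).
SAMPLE = "\n".join([
    "To: alice@example.org", "Subject: Re: Approved",
    'Content-Type: multipart/mixed; boundary="b1"', "",
    "--b1", "Content-Type: text/plain", "", "Please read the attached file.",
    "--b1", 'Content-Disposition: attachment; filename="details_alice.pif"',
    "Content-Type: application/octet-stream", "", "placeholder", "--b1--", ""])
```

Because the attachment name is derived from the recipient, the same file name sent to a different address does not match, which keeps the check narrow.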
Manual removal:
Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value:
"HtProtect"="%Windir%\AVprotect.exe"
Automatic Removal:
Use RegRun Startup Optimizer to remove it from startup.
Dmitry Sokolov:
Since that time I have worked every day to fix the issues that antiviruses cannot.
If your antivirus has not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly if you have any questions.