McAfee > Theat Center > Virus Detail Page

Overview

Characteristics

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application.  If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software.   Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Upon installation, following changes occur on user's system.

The following files are created:

• %SystemDir%\drivers\acpidisk.sys
• %SystemDir%mscpx32r.det
• %SystemDir%mprmsgse.axz
• %WinDir%\Temp\~my[hexadecimal digit].tmp

The following registry keys are added:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpidisk
  "DisplayName" = acpidisk
  "ErrorControl" = 1
  "ImagePath" = %SystemDir%\drivers\acpidisk.sys
  "Start" = 2
  "Type" = 1
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\acpidisk
  "DisplayName" = acpidisk
  "ErrorControl" = 1
  "ImagePath" = %SystemDir%\drivers\acpidisk.sys
  "Start" = 2
  "Type" = 1
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDSCNP
  "d" = (binary data)
  "p" = (binary data)
  "t" = (binary data)

It injects a dll into the process "Winlogon.exe" and attempts to terminate the following processes:

• ehsniffer.exe
• etherd.exe
• httplook.exe
• iris.exed
• netxray.exe
• sniffer.exe
• windump.exe
• wireshark.exe

It accesses the following site to show pop-up ads:

• chnsystem.com
  

Symptoms

Method of Infection

Removal

Instructions on Enabling/Disabling Detection and Removal of Potentially Unwanted Programs

Variants

Variants

N/A

All Information

Overview -

Characteristics

Characteristics -

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application.  If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software.   Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Upon installation, following changes occur on user's system.

The following files are created:

• %SystemDir%\drivers\acpidisk.sys
• %SystemDir%mscpx32r.det
• %SystemDir%mprmsgse.axz
• %WinDir%\Temp\~my[hexadecimal digit].tmp

The following registry keys are added:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpidisk
  "DisplayName" = acpidisk
  "ErrorControl" = 1
  "ImagePath" = %SystemDir%\drivers\acpidisk.sys
  "Start" = 2
  "Type" = 1
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\acpidisk
  "DisplayName" = acpidisk
  "ErrorControl" = 1
  "ImagePath" = %SystemDir%\drivers\acpidisk.sys
  "Start" = 2
  "Type" = 1
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IDSCNP
  "d" = (binary data)
  "p" = (binary data)
  "t" = (binary data)

It injects a dll into the process "Winlogon.exe" and attempts to terminate the following processes:

• ehsniffer.exe
• etherd.exe
• httplook.exe
• iris.exed
• netxray.exe
• sniffer.exe
• windump.exe
• wireshark.exe

It accesses the following site to show pop-up ads:

• chnsystem.com
  

Symptoms

Symptoms -

Method of Infection

Method of Infection -

Removal -

Removal -

Instructions on Enabling/Disabling Detection and Removal of Potentially Unwanted Programs

Variants

Variants -

N/A