Remove W32.Imaut.F

Posted on: February 14th, 2010


Discovered: January 30, 2010
Updated: January 30, 2010 4:44:08 PM
Type: Worm
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
Recommended Action:
To remove W32.Imaut.F you need to download the ‘No Adware’ remover software. Based on our testing, this was the best-performing remover of W32.Imaut.F. Read our full No Adware Review.

If your PC is also running slowly, you may be interested in our Regcure Review. Regcure is proven to improve the performance of your computer.

Technical Details:

When the worm is executed, it copies itself to the following locations:

* %System%\system3_.exe
* %Windir%\system3_.exe

It also creates the following file:
%System%\autorun.ini

Next it modifies the following registry entry so that it runs when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe system3_.exe"

It then changes the home and search page for Internet Explorer by setting the following registry entries:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Default_Page_URL" = "http://www.mydreamworld.50webs.com"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Default_Search_URL" = "http://www.mydreamworld.50webs.com"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Search Page" = "http://www.mydreamworld.50webs.com"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.mydreamworld.50webs.com"
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.mydreamworld.50webs.com"

It also sets the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\"AtTaskMaxHours" = 0

It may also modify the Mozilla Firefox pref.js file to change the homepage
of the Firefox browser.
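
A check for the registry changes listed above, written for this page as an added example (it is not from the original write-up or from any removal tool). It reads registry export text in .reg syntax; the function name and the sample data are assumptions, and the Winlogon test is generalised to report any "Shell" value other than the stock "explorer.exe".

```python
import re

# Indicators taken from the write-up above.
HIJACK_HOST = "mydreamworld.50webs.com"
IE_VALUES = {"default_page_url", "default_search_url", "search page", "start page"}
SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def find_imaut_indicators(reg_text):
    """Return (key, value name, data) for entries matching the listed changes."""
    hits, key = [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            key = m.group(1)  # remember which key the next values belong to
            continue
        m = VALUE.match(line)
        if not m:
            continue
        name, text, dword = m.groups()
        k, n = key.lower(), name.lower()
        if k.endswith(r"\windows nt\currentversion\winlogon") and n == "shell":
            # Generalised: the stock value is "explorer.exe"; report anything else.
            bad = (text or "").strip().lower() != "explorer.exe"
        elif k.endswith(r"\internet explorer\main") and n in IE_VALUES:
            bad = HIJACK_HOST in (text or "").lower()
        elif k.endswith(r"\services\schedule") and n == "attaskmaxhours":
            bad = dword is not None and int(dword, 16) == 0
        else:
            bad = False
        if bad:
            hits.append((key, name, text if text is not None else int(dword, 16)))
    return hits

# Constructed sample in .reg export syntax (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe system3_.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.mydreamworld.50webs.com"
"Search Page"="http://www.bing.com"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"AtTaskMaxHours"=dword:00000000
'''

if __name__ == "__main__":
    print(*find_imaut_indicators(SAMPLE), sep="\n")
```

Registry exports in the "Version 5.00" format are written as UTF-16, so decode the file (for example with `open(path, encoding="utf-16")`) before passing its text to the function.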

The worm then downloads a configuration file using the following URLs:

* h1.ripway.com/asdb0[NUMBER BETWEEN 00 AND 50]/setting.ini
* www.balu0[NUMBER BETWEEN 00 AND 24].0catch.com/setting/setting.ini

The configuration file may contain instructions to download an update of
the worm.

If Yahoo! Messenger is not installed on the compromised computer, the
worm will attempt to download and install it from the following location:
rd.software.yahoo.com/msgr/9/msgr9us.exe

The worm will end processes with the following names:

* game_y.exe
* cmd.exe

It also attempts to close application windows that have the following strings
in their title:

* Bkav2006
* System Configuration
* Registry
* Windows Task

If the worm detects an application window with a title that contains the string "[Firelion]", it will delete the following registry subkey and restart the computer:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"IEProtection"

The worm attempts to spread by copying itself to all local and shared drives as the following file:
%DriveLetter%\New Folder.exe

It will also send the following messages to contacts found in the address books of Yahoo! Messenger and Google Talk:

* happy valentine day screen saver from http: //advgoogle.0catch.com/love.scr and get new tips and tricks from URL
* happy valentine day screen saver and beautiful screen saver from lovers http: //advgoogle.0catch.com/love.scr and URL
* golden lovers rose screen saver from http: //advgoogle.0catch.com/love.scr and see more from URL
* rose is always red ,see in http: //advgoogle.0catch.com/love.scr screen saver from URL
* happy valentine day screen saver from http: //advgoogle.0catch.com/love.scr and get new tips and tricks from URL
* I LOVE YOUUUUUUUUUUUUU from screensaver http: //advgoogle.0catch.com/love.scr see more in URL
* happy valentine day screen saver from http: //advgoogle.0catch.com/love.scr and get new tips and tricks from URL
* happy valentine day screen saver from http: //advgoogle.0catch.com/love.scr and get new tips and tricks for lovers URL
* happy valentine day screen saver from http: //advgoogle.0catch.com/love.scr and view secrets from private cam BIN
* asl please & @CRLF & I am 23 Female, Delhi (India) and you?

Action Steps:
FREE SCAN: NoAdware can Remove W32.Imaut.F. Click the link below for your free download & scan your PC now.