Threat Detail

  • Malware Type: Trojan
  • Malware Sub-type:
  • Protection Added: 2006-06-12

This trojan purports to be a spyware-removal utility.  It drops or tries to download several functional EXE and DLL files to perform its functions.  It also creates over a dozen garbage files and registry entries in the Windows and System directories depending on which version of this trojan is run.  These files and registry entries are meant to mimic common spyware and adware applications.  These garbage files are intended to be "detected" by it as spyware, to compel you to purchase an anti-spyware application.

Minimum Engine


File Length


Description Added


Description Modified


Malware Proliferation

fpo-ti-severity-legend logo-new-mcafee

-- Update January 16, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:


The functional files are as follows:

  • users32.exe
  • adobepnl.dll
  • flashwindow.exe
  • main.exe
  • qjrkvy.exe
  • udpatwhf.exe
  • winflash.dll

The garbage files are the following, as created by main.exe:

  • %WinDir%\alexaie.dll (25,600 bytes)
  • %WinDir%\alxie328.dll (15,616 bytes)
  • %WinDir%\alxtb1.dll (31,488 bytes)
  • %WinDir%\BTGrab.dll (12,544 bytes)
  • %WinDir%\dlmax.dll (10,240 bytes)
  • %WinDir%\Pynix.dll (22,784 bytes)
  • %WinDir%\susp.exe (25,600 bytes)
  • %WinDir%\ZServ.dll (31,488 bytes)
  • %SysDir%\a.exe (21,504 bytes)
  • %SysDir%\alxres.dll (27,392 bytes)
  • %SysDir%\bridge.dll (22,784 bytes)
  • %SysDir%\dailytoolbar.dll (27,392 bytes)
  • %SysDir%\jao.dll (15,360 bytes)
  • %SysDir%\questmod.dll (11,520 bytes)
  • %SysDir%\runsrv32.dll (16,640 bytes)
  • %SysDir%\runsrv32.exe (20,480 bytes)
  • %SysDir%\tcpservice2.exe (29,184 bytes)
  • %SysDir%\txfdb32.dll (15,104 bytes)
  • %SysDir%\udpmod.dll (32,256 bytes)
  • %SysDir%\wstart.dll (20,224 bytes)

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue 'fixmbr' command to restore the Master Boot Record
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.

On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

May see pop-up windows with the the following text:

  • Your computer is working slowly!
    Slow operation speed might have been caused by malicious spyware.  Download spyware remover now and run full system scan to remove all viruses and spyware from your computer!
    Click here to start downloading...
  • Danger! Spyware activity detected on your computer!
    Full system scan highly recommended to remove possible malicious spyware.  Scan now to remove all spyware and adware! 
    Visit security center web site and download spyware remover to protect your system against spyware and viruses.
  • Your computer is not protected against spyware!
    Spyware able to steal your data including passwords, credit card numbers, etc.  Scan your computer for spyware immediately.
    Spyware scan is highly recommended by Windows Security Center.
  • Warning! Potential spyware operation!
    Your computer is making unauthorized coies of your system and Internet files.  Run full scan now to prevent any unauthorized access to your files! Click here to download spyware remover...
  • Windows has detected an Internet attack attempt...
    Somebody's trying to infect your PC with spyware or harmful viruses.  Run full system scan now to protect yor PC from Internet attacks, hijacking attempts and spyware!
    Click here to download spyware remove for total protection.
  • Warning! Your security and privacy are at risk!
    Spyware has beet detected on your computer.
    Click here to run a FULL SYSTEM SCAN to protect your data.
    (Windows Security Center message)
  • Alert!  You are receiving spam! 
    This means that your computer is infected with spyware!
    Scan your computer for spyware and adware now.
    Click here to visit security center web site for more information...
  • Alert! A minimum of 7 spyware entries found.
    To remove all spyware and viruses click here to visit Security Center web site and download spyware remover for total protection.