Virus Profile: W32/YahLover.worm

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 9/5/2006
Date Added: 9/18/2006
Origin: N/A
Length: Varies
Type: Virus
Subtype: Win32
DAT Required: 6930
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then further propagate the virus. Although many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

These symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

Methods of Infection

Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

Aliases

W32/YahLover.worm.a, W32/YahLover.worm.gen
   

Virus Characteristics

-------- Updated on 18-March-2013 -------

Aliases –

  • Kaspersky    -    IM-Worm.Win32.Sohanad.gen
  • Fortinet          -    W32/Hakaglan.B!worm
  • Microsoft       -    worm:win32/nuqel.a
  • Nod32           -    Win32/Hakaglan.B

Characteristics –

“W32/YahLover.worm”
is detection for worm that spreads via removable drive and Yahoo IM. It is a worm written in AutoIT Script.

“W32/YahLover.worm”
a self-propagating program that can spread via Yahoo IM and send a message with a link which downloads itself to all the contacts of yahoo IM.

Upon execution the worm tries to connect the following URL through remote port 1381/http

  • Nhatquan[Removed].com
  • 204.[Removed].109:80
  • 75.[Removed].24:80


The Worm also copies itself into the below location:

  • %WINDIR%\system32\autorun.ini
  • %WINDIR%\system32\RVHOST.exe
  • %WINDIR%\RVHOST.exe
  • : [RemovableDrive]\ New Folder.exe
  • : [RemovableDrive]\ log2.exe
  • : [RemovableDrive]\[Folder Name]\ log2.exe
  • : [RemovableDrive]\[Folder Name]\[Folder Name].exe


Besides creating the files in removable drives as explained above, the malware also tried to hide folders on disk, and it copies itself with same name as the folder and uses this exe to start the malware whenever the user tries to open the folder. The malware also tries to spread over network shares.

The following registry keys have been added to the system:

  • HKEY_USER\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\2
  • HKEY_USER\S-1-5--[Varies]\\Software\Microsoft\Windows\CurrentVersion\Policies\System


The following registry key values have been added to the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\AtTaskMaxHours: 0x00000000
  • HKEY_USER\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline: 0x00000000
  • HKEY_USER\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions: 0x00000001
  • HKEY_USER\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\
  • DisableTaskMgr: 0x00000001
  • DisableRegistryTools: 0x00000001

The above registry key value confirms that the worm creates a schedule tasks to run itself automatically on the compromised computer.

  • HKEY_USER\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\shared: "\New Folder.exe"
  • HKEY_USER\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger: "%WINDIR%\system32\RVHOST.exe"


The above mentioned registry key value confirms that the worm registers with the compromised system and executes itself upon every boot.

The following registry key values have been modified to the system:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe RVHOST.exe"
  • HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count:
    • 0x00000000
    • 0x00000001
  • HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance:
    • 0x00000000
    • 0x00000001
  • HKLM\SYSTEM\ControlSet001\Services\Schedule\NextAtJobId:
    • 0x00000001
    • 0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count:
    • 0x00000000
    • 0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance:
    • 0x00000000
    • 0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Services\Schedule\NextAtJobId:
    • 0x00000001
    • 0x00000002

The above mentioned registry value ensures that the worm registers into the winlogon entry with the compromised system and executes itself upon every boot.

-------- Updated on 16-May-2012 -------

W32/YahLover.worm is a worm detection that spreads via Yahoo Messenger, removable drives and network shares.

Also it disables system processes like Task manager, Registry editor and Folder options.

When executed the worm copies itself into the following location.

  • %Windir%\system32\regsvr.exe
  • %Windir%\system32\svchost .exe
  • %Windir%\regsvr.exe

The following files have been dropped.

  • %Windir%\system32\setup.ini
  • %Windir%\system32\setting.ini
  • %Windir%\Tasks\At1.job

And drops an autorun.inf file into the root of all removable drives and mapped drives in an attempt to autorun an executable when the drive is accessed.

The file AutoRun.inf is pointing to the malware binary executable, when the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the trojan file via the following command syntax.

  • [Autorun]
  • Open= regsvr.exe
  • Shellexe cute= regsvr.exe
  • shell\Open\command= regsvr.exe
  • Shell=Open

The following registry key has been added to the system.

  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System

The following registry values have been added to the system.

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours = 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\AtTaskMaxHours = 0x00000000
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\shared = "\New Folder .exe"

The worm spread to other mapped drives, such as network shares and removable drives by executing the above registry entry.

  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline = 0x00000000

The following registry confirms that, the worm disables the Folder Options in Windows Explorer, and Task Manager Options.

  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions = 0x00000001
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 0x00000000
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 0x00000001

The following registry key confirms that the Trojan executes every time when windows starts.

  • HKEY_USERS\S-1-5-[varies]Software\Microsoft\Windows\CurrentVersion\Run\Msn Messsenger = "%Windir%\system32\regsvr.exe"

The following registry values have been modified to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe regsvr.exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\NextAtJobId = 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\NextAtJobId = 0x00000002

[Notes: C:\WINDOWS is %Windir%]

------ Updated on Feb-10-2012 ------

W32/YahLover.worm is a worm detection written in AutoIT script that spreads via Yahoo Messenger, removable drives and network shares.

Also it disables system processes like Task manager, Registry editor and Folder options.

When executed the worm copies itself into the following location.

  • %Windir%\system32\SVRCHOST.exe
  • %Windir%\system32\autorun.ini
  • %Windir%\SVRCHOST.exe
  • :[Removable Drive]:\SVRCHOST.exe
  • :[Removable Drive]:\New Games.exe

And drops an autorun.inf file into the root of all removable drives and mapped drives in an attempt to autorun an executable when the drive is accessed.

The file AutoRun.inf is pointing to the malware binary executable, when the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the trojan file via the following command syntax.

  • [Autorun]
  • Open=SVRCHOST.exe
  • Shellexe cute=SVRCHOST.exe
  • Shell\Open\command=SVRCHOST.exe
  • Shell=Open

The following registry key has been added to the system.

  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System

The following registry values have been added to the system.

  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\shared = "\New Games.exe"

The worm spread to other mapped drives, such as network shares and removable drives by executing the above registry entry

The following registry confirms that, the worm disables the Folder Options in Windows Explorer, and Task Manager Options.

  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions = 0x00000001
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 0x00000001
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 0x00000001
  • [HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Run\]
    MSN Messengger = "%Windir%\system32\SVRCHOST.exe"

The above mentioned registry key confirms that the Trojan executes every time when windows starts.

The following registry values have been modified to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue = 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SVRCHOST.exe"

[Notes: C:\WINDOWS is %Windir%]

---------------------------

----------- Updated on Jan-30-2012 ------------

“W32/YahLover.worm” is a worm detection written in AutoIT script that spreads via Yahoo Messenger, removable drives and network shares.

Also it disables system processes like Task manager, Registry editor and Folder options

When executed the worm copies itself into the following location:

  • %Windir%\system32\regsvr.exe
  • %Windir%\system32\svchost .exe
  • %Windir%\regsvr.exe
  • :[Removable Drive]:\New Folder .exe
  • :[Removable Drive]:\regsvr.exe

The following files have been added to the system.

  • %Windir%\system32\28463\svchost.001
  • %Windir%\Tasks\At1.job
  • %Windir%\system32\setup.ini
  • %Windir%\system32\setting.ini

And also drops autorun.inf file into the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accessed.

The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

  • [Autorun]
  • Open=regsvr.exe
  • Shellexecute=regsvr.exe
  • Shell\Open\command=regsvr.exe
  • Shell=Open

The following registry key has been added to the system.

  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System

The following registry values have been added to the system.

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours = 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\AtTaskMaxHours = 0x00000000
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\shared = "\New Folder .exe"
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline = 0x00000000
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions = 0x00000000
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 0x00000000
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 0x00000001

The above mentioned registry ensures that, the worm disables system processes like Task manager, Registry editor and Folder options.

  • [HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Run]
    Msn Messsenger = "%Windir%\system32\regsvr.exe"

The above mentioned registry ensures that, the worm registers run entry with the compromised system and execute itself upon every boot.

The following registry values have been modified to the system.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe regsvr.exe"

The above mentioned registry ensures that, the worm registers with the compromised system and execute itself upon every boot.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\NextAtJobId = 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\NextAtJobId = 0x00000002

It following folder has been added to the system.

  • %Windir%\system32\28463

 

----------- Updated Jan-29-2011 ------------

File Information -

MD5 - 3A15F65F7447161F018513D71847F890
SHA1 - B3A7F22C47BF3D9CA2AA33F604D663DD0BA41A46

Aliases -

    • Comodo   - Worm.Win32.AutoIt.~NUP
    • Microsoft - Worm:Win32/Sohanad.AQ
    • Kaspersky - Worm.Win32.AutoIt.ch
    • Ikarus - Worm.Win32.AutoIt

W32/YahLover.worm is a worm detection written in AutoIT script that spreads via Yahoo Messenger, removable drives and network shares.
Also it disables system processes like Task manager, Registry editor and Folder options

Upon execution, the worm connects to the site “rnd009. [removed]ges.com” through port 80 to download malicious files.

The Worm copies iteself into the following location.

    • %Windir%\system32\ gphone.exe
    • %Windir%\ gphone.exe

The following files have been dropped

    • %Windir%\system32\autorun.ini
    • %Windir%\Tasks\At1.job

The worm attempts to spread by creating an autorun.ini file, which will run the worm automatically on systems which use the drives that are set to Autorun.

The following registry Keys has been added

    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel
    • HKEY_USERS\S-1- [Varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • HKEY_USERS\S-1- [Varies]\Software\Policies\Microsoft\Internet Explorer\Control Panel

The following registry Values have been added

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours = 0x00000000
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\AtTaskMaxHours = 0x00000000

The worm spread to other mapped drives, such as network shares and removable drives, by executing the following registry entry.

    • HKEY_USERS\S-1- [Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\shared = "\New Folder.exe"

The following registry confirms that, the worm disables Regedit, Folder Options in Windows Explorer, and Task Manager Options.

    • HKEY_USERS\S-1- [Varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions = 0x00000001
    • HKEY_USERS\S-1- [Varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr =  0x00000001
    • HKEY_USERS\S-1- [Varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 0x00000001

The below registry confirms that, "gphone.exe" executes every time when windows starts

    • HKEY_USERS\S-1- [Varies]\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "%Windir%\System32\gphone.exe"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe gphone.exe"
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\NextAtJobId = 0x00000002

The following registry values has been modified

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = <RND009. google.html [removed]ges.com>

After execution this worm changes the browser home page with the site name "rnd009.[removed]ges.com/google.html"

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
-----------------

----------------------- Updated June-26-2010 -----------------------

File Information -

MD5 - E3FFC5B9371B3B287B1243A6D3787A80
SHA1 - 80E3886BC3F879C9D848FAE16446C77F4EE2D417

Aliases -

    • Kaspersky   - Trojan.Win32.KillAV.ayh
    • Microsoft - Worm:Win32/Sohanad.I
    • Norman - W32/Obfuscated.H3!genr
    • Symantec - W32.Imaut.A

W32/YahLover.worm is a worm detection written in AutoIT script that spreads via Yahoo Messenger, removable drives and network shares.
It sends a message to all of the infected user's contacts with a link to a copy of itself.

Upon execution, the worm connects to the following site “setting3.[removed]mb.com” through port 80 to download malicious files.

The Worm copies iteself into the following location.

    • %Windir%\system32\SCVVHSOT.exe [Detected as W32/YahLover.worm]
    • %Windir%\system32\blastclnnn.exe [Detected as W32/YahLover.worm]
    • %Windir%\SCVVHSOT.exe [Detected as W32/YahLover.worm]

The following files have been dropped

    • %Windir%\system32\autorun.ini [Detected as W32/Hakaglan.inf]
    • %Windir%\system32\setting.ini
    • %Windir%\Tasks\At1.job
    • %UserProfile%\ Local Settings\Temporary Internet Files\Content.IE5\2NVJ9NG7\abuseFrozen[1].htm

The worm attempts to spread by creating an autorun.ini file, which will run the worm automatically on systems which use the drives that are set to Autorun.

The following registry Keys has been added

    • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System

The following registry Values have been added

    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\]
      AtTaskMaxHours =

 The worm spread to other mapped drives, such as network shares and removable drives, by executing the following registry entry.

    • [HKEY_USERS\S-1- [Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\]
      shared = "\New Folder.exe"

The following registry confirms that, the worm disables the Folder Options in Windows Explorer, and Task Manager Options.

    • [HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\]
      NofolderOptions = 0x00000001
    • [HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System\]
      DisableTaskMgr =  0x00000001
      DisableRegistryTools = 0x00000001

The below registry confirms that, "Scvvhsot.exe" executes every time when windows starts

    • [HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\]
      Yahoo Messengger = "%Windir%\System32\SCVVHSOT.exe"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
      Shell = "Explorer.exe SCVVHSOT.exe"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\]
      NextAtJobId = 0x00000002

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%UserProfile%\ = C:\Documents and Settings\[UserName]\Local Settings

-----------------------

Update December 7, 2007

McAfee Avert Labs has found a false detection with W32/Yahlover.worm and will be releasing the 5181 DAT Files to correct this issue.  The false detection is being seen on certain AutoIT 3.2.2.0 compiled executables.

 


The worm changes the custom "away" message in yahoo messenger to point to its download location.

Files Added

  • %WINDIR%\taskmng.exe 

Later variants may also add the following file:

  • %SYSDIR%\Autorun.ini

Registry

The following registry keys are created:

  • hkey_local_machine\software\microsoft\windows\currentversion\run
    \task manager="%WINDIR%\taskmng.exe"
  • hkey_current_user\software\microsoft\windows\currentversion\policies\system\disableregistrytools="1"
  • hkey_current_user\software\microsoft\windows\currentversion\policies\system\disabletaskmgr="1"
  • hkey_current_user\software\yahoo\pager\view\ymsgr_launchcast\content url=http[dot]//chendang.net[blocked]
  • hkey_current_user\software\yahoo\pager\view\ymsgr_buzz\content
    url=http[dot]//chendang.net[blocked]
  • hkey_current_user\software\microsoft\internet explorer\main\start
    page=http[dot]//chendang.net[blocked]
  • hkey_current_user\software\microsoft\internet explorer\main
    \window title="[Random]"

The URLs pointed by the registry vary with diferrent variants, some of the URLs are

  • http[dot]//VuiVeVN.HP[blocked]
  • http[dot]//minhnhut.[blocked]

 

 

   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

   

PC Infected? Get Expert Help

McAfee
Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!

$89.95