Skip to main content

TrojanDropper.Small_681d839a35


HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic.pak!cobra (VIPRE), Trojan-Dropper.Small!IK (Emsisoft)Behaviour: Trojan-Dropper, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 681d839a35c8ed276b3a855f83208542

SHA1: c5ca43921ab16b73ac60da9ac7b0d605b04b5554

SHA256: 1c0f5f729e12d6d72a0e8ed3a12592286ad677fe4c49b77e6f988ca27e509105

SSDeep: 12288:4ZCAbIe6evbqHkVTDiUSjOX/AWEbYcTwqjQNkmYU:dET6ObqE91eFjQi

Size: 745472 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6

Company: no certificate found

Created at: 2013-07-16 07:31:14

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan-Dropper creates the following process(es):

srchass.exe:456
%original file name%.exe:344
%original file name%.exe:1860
adobe.exe:1524

The Trojan-Dropper injects its code into the following process(es):

srchass.exe:1744
srchass.exe:2004
adobe.exe:1548

File activity

The process srchass.exe:1744 makes changes in the file system.


The Trojan-Dropper creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\11298[1] (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@hottvgame[1].txt (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\11297[1] (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\437c26_4676b7504cee13b773a13c70827e7e6b[1].htm (798 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\kompyang-shrimp-mushrooms[1] (1898 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@yahoo[1].txt (988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\11299[2] (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\st[2] (1862 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\jquery[1].js (34989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@yahoo[2].txt (1160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@creafi-online-media[2].txt (504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\p2.adhitzads[1] (841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\kompyang-shrimp-mushrooms[1].htm (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[9].htm (753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_4676b7504cee13b773a13c70827e7e6b[1].html (338 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\st[2].com (542 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\11297[1] (1600 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_58bb79633f2239a8625ce2ef473585d5[1].html (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\CZ77JqUMP3[1].htm (280 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\16463376[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\imp[1].html&M=5&r=0 (910 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\hottvgame[1].xml (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\index.dat (22128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_22d2c032873bd164a539f92b194a84e9[1].html (167 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\imp[2].html&M=5&r=0 (935 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\html5[1].js (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\ttj[10].htm (753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\adretargeting[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\CA8127G5.htm (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\ttj[6].htm (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\imp[1].com/&M=3&r=0 (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\family-anger-erupts-as-malaysia-jet-search-enters-12th-day[1].htm (3317 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\ttj[3].htm (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\437c26_2a7d7dbdf7ea44c0c1a2b0d82707efc4[1].htm (958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@hottvgame[2].txt (292 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\ttj[2].htm (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\imp[2].html&M=5&r=0 (935 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\style[1].css (2939 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\kompyang-shrimp-mushrooms[1] (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\imp[2].com/&M=3&r=0 (670 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\ttj[3].htm (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\11298[2] (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\437c26_59a683db56b35772216d07cabed45b9c[1].html (127 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\tag[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\ttj[4].htm (753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\serv[1].htm (802 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\532e2ba977519369971961dzhakkas[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\tag[1].js (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\11299[1] (802 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\ttj[1].htm (774 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[1].htm (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\imp[1].html&M=5&r=0 (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\imp[3].html&M=5&r=0 (910 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\ttj[2].htm (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\kompyang-shrimp-mushrooms[1].htm (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\serv[1].htm (944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\st[1] (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\st[1].com (561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\CZ77JqUMP3[1] (197 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\11298[1] (802 bytes)
%WinDir%\Debug\UserMode\userenv.log (6164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\CAKPO1SZ.htm (1513 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\style[2].css (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\437c26_59a683db56b35772216d07cabed45b9c[1].html (127 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\imp[3].com/&M=3&r=0 (585 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\tag[2].js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\300x250[1].htm (376 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\437c26_58bb79633f2239a8625ce2ef473585d5[1].html (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\hottvgame[1].htm (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\CAW1M1HU.htm (793 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\st[1] (1891 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[8].htm (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\532e2ba977519369971961dzhakkas[1].com6855 (1007 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[3].htm (753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\437c26_22d2c032873bd164a539f92b194a84e9[1].html (167 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\show_i[1].htm (2199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\hottvgame[1] (662 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\11298[1] (802 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\st[2] (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\ttj[8].htm (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@ads.yahoo[2].txt (12068 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\437c26_22d2c032873bd164a539f92b194a84e9[1].htm (818 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\11297[2] (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_2a7d7dbdf7ea44c0c1a2b0d82707efc4[1].htm (958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@creafi-online-media[1].txt (281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\ttj[9].htm (753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@adnxs[1].txt (2917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@zhakkas[1].txt (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[7].htm (742 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\style[1].css (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@adnxs[2].txt (2720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\st[3].com (541 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[5].htm (753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\st[1] (302 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_59a683db56b35772216d07cabed45b9c[1].htm (598 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\jquery-migrate.min[1].js (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\11299[2] (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\style[1].css (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\437c26_58bb79633f2239a8625ce2ef473585d5[1].htm (446 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\CA8D6JGH.htm (768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\11299[1] (802 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@ads.yahoo[1].txt (12446 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\st[1] (323 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\300x250[1].php (298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\imp[1].html&M=5&r=0 (921 bytes)

The Trojan-Dropper deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\serv[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\show_i[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@adnxs[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\11298[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@hottvgame[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\style[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\serv[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\11297[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@ads.yahoo[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\437c26_22d2c032873bd164a539f92b194a84e9[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\tt[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\437c26_2a7d7dbdf7ea44c0c1a2b0d82707efc4[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\437c26_4676b7504cee13b773a13c70827e7e6b[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\kompyang-shrimp-mushrooms[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_22d2c032873bd164a539f92b194a84e9[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\11298[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@yahoo[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\11299[2] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\CZ77JqUMP3[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\437c26_22d2c032873bd164a539f92b194a84e9[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\hottvgame[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\CAKPO1SZ.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@yahoo[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\437c26_59a683db56b35772216d07cabed45b9c[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\11298[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_4676b7504cee13b773a13c70827e7e6b[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_59a683db56b35772216d07cabed45b9c[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\11297[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\CA8D6JGH.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\tag[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\tt[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_58bb79633f2239a8625ce2ef473585d5[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\437c26_58bb79633f2239a8625ce2ef473585d5[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\437c26_58bb79633f2239a8625ce2ef473585d5[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\CAW1M1HU.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\tt[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\seg[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\11299[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\serv[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@ads.yahoo[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\11299[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\kompyang-shrimp-mushrooms[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\437c26_59a683db56b35772216d07cabed45b9c[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\300x250[1].php (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\adretargeting[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@creafi-online-media[1].txt (0 bytes)

The process srchass.exe:2004 makes changes in the file system.


The Trojan-Dropper creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\style[1].css (806 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\url[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\stat[1].php (1121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\tongji[1].js (1969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\sound_high[1].gif (356 bytes)
%System%\CatRoot2\dberr.txt (481 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@info.spiritsoft[1].txt (327 bytes)
%Documents and Settings%\%current user%\Application Data\Spiritsoft\urlspirit\bd.dat (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\splogo[1].png (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (201 bytes)
%Documents and Settings%\%current user%\Application Data\Spiritsoft\urlspirit\product.dat (1090 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\core[1].php (800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\alexa[1].png (2 bytes)
%Documents and Settings%\%current user%\Application Data\Spiritsoft\urlspirit\tcfg.dat (1 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5300 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@linezing[1].txt (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\mini[1].js (5 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@spiritsoft[1].txt (185 bytes)

The process %original file name%.exe:344 makes changes in the file system.


The Trojan-Dropper creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\System\Services\winlogon.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\srchass.exe (3728 bytes)
%System%\drivers\etc\hosts (605 bytes)

The process %original file name%.exe:1860 makes changes in the file system.


The Trojan-Dropper creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\adobe.exe (5441 bytes)

The process adobe.exe:1524 makes changes in the file system.


The Trojan-Dropper creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\System\Services\winlogon.exe (5441 bytes)
%System%\drivers\etc\hosts (605 bytes)

The Trojan-Dropper deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\System\Services\winlogon.exe (0 bytes)

The process adobe.exe:1548 makes changes in the file system.


The Trojan-Dropper creates and/or writes to the following file(s):

%System%\drivers\etc\hosts (42 bytes)

Registry activity

The process srchass.exe:1744 makes changes in the system registry.


The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "srchass.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1363225983"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 BC 23 49 FF D3 58 F4 61 3C 9C 06 06 E8 15 35"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-Dropper modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Dropper modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Dropper modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Dropper deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process srchass.exe:456 makes changes in the system registry.


The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 AD CC BF B1 69 99 13 D7 4A 42 1E F6 6C E1 76"

The process srchass.exe:2004 makes changes in the system registry.


The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "srchass.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1363225983"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A A1 58 92 E9 1C FC 4B 8C AC 53 01 A5 4B 26 A9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-Dropper modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Dropper modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Dropper modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"srchass.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\srchass.exe:*:Enabled:精灵软件"

To automatically run itself each time Windows is booted, the Trojan-Dropper adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"urlspace" = "%Documents and Settings%\%current user%\Local Settings\Temp\srchass.exe -h"

The Trojan-Dropper deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:344 makes changes in the system registry.


The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 F5 0B D1 2B A3 71 96 73 84 F6 A4 B3 E5 7A AF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"srchass.exe" = "????"

To automatically run itself each time Windows is booted, the Trojan-Dropper adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"winlogon" = "%Documents and Settings%\%current user%\Application Data\Microsoft\System\Services\winlogon.exe"

The Trojan-Dropper modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Dropper modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan-Dropper modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:1860 makes changes in the system registry.


The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 24 DE 54 B5 A0 2B 49 2F C9 20 20 82 C6 42 B6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"adobe.exe" = "Smadav Antivirus Lokal Indonesia"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan-Dropper modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Dropper modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan-Dropper modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process adobe.exe:1524 makes changes in the system registry.


The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 C7 51 40 28 3F AE 0F 2F 0A 1A B9 2F 03 FB A4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Trojan-Dropper adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"winlogon" = "%Documents and Settings%\%current user%\Application Data\Microsoft\System\Services\winlogon.exe"

The Trojan-Dropper modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Dropper modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan-Dropper modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process adobe.exe:1548 makes changes in the system registry.


The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA B9 CE AA A7 6A 05 72 F5 55 55 C5 AC E4 D3 1F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To automatically run itself each time Windows is booted, the Trojan-Dropper adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\adobe.exe"

Network activity (URLs)

URL IP
hxxp://urlspirit.spiritsoft.cn/urlcore/olcfgs.dat?q=41121.10.112.147
hxxp://urlspirit.spiritsoft.cn/urlcore/svcreq7d475002.xml
hxxp://urlspirit.spiritsoft.cn/v4/url.html?v=4.0.2.1-1110
hxxp://urlspirit.spiritsoft.cn/v4/css/style.css
hxxp://urlspirit.spiritsoft.cn/urlcore/svcreq7d47531f.css
hxxp://urlspirit.spiritsoft.cn/v4/js/mini.js
hxxp://urlspirit.spiritsoft.cn/v4/images/sound_high.gif
hxxp://urlspirit.spiritsoft.cn/v4/images/splogo.png
hxxp://taurus.danuoyi.tbcache.com/813389/tongji.js
hxxp://urlspirit.spiritsoft.cn/v4/images/alexa.png
hxxp://dt.tongji.linezing.com/tongji.do?unit_id=813389&uv_id=29377704731066601466&uv_new=1&cna=&cg=&mid=&mmland=&ade=&adtm=&sttm=&cpa=&ss_id=2402429800&ss_no=0&ec=1&ref=&url=http://info.spiritsoft.cn/v4/url.html?v=4.0.2.1-1110&title=%u6D41%u91CF%u7CBE%u7075&charset=utf-8&domain=spiritsoft.cn&hashval=1366&filtered=0&app=Microsoft Internet Explorer&agent=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)&color=32-bit&screen=1024x768&lg=en-us&je=1&fv=6.0&st=1395531884&vc=8dc6ec2d&ut=0&url_id=0&cnu=0.526017841543414242.156.167.82
hxxp://c.split.cnzz.com/stat.php?id=1189654&web_id=1189654
hxxp://z13.cnzz.com/stat.htm?id=1189654&r=&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=101033554-1395534758-&showp=1024x768&st=0&sin=&t=undefinedundefinedundefinedundefined&rnd=311646931
hxxp://c.split.cnzz.com/core.php?web_id=1189654&t=z
hxxp://goo.gl/B2XCel173.194.43.41
hxxp://hottvgame.com/173.201.247.1
hxxp://hottvgame.com/wp-content/themes/adsimple/style.css
hxxp://googlecode.l.googleusercontent.com/svn/trunk/html5.js
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=165973923
hxxp://ds-any-world.ngd.ysm.yahoodns.net/st?ad_type=iframe&ad_size=728x90&section=5130196&pub_url=hottvgame.com
hxxp://ib.anycast.adnxs.com/tt?id=1956116&cb=${CACHEBUSTER}&referrer=hottvgame.com&pubclick=${CLICK_URL}
hxxp://ib.anycast.adnxs.com/tt?id=1956118&cb=${CACHEBUSTER}&referrer=hottvgame.com&pubclick=${CLICK_URL}
hxxp://ds-any-world.ngd.ysm.yahoodns.net/st?ad_type=iframe&ad_size=160x600&section=5130196&pub_url=hottvgame.com
hxxp://ds-any-world.ngd.ysm.yahoodns.net/st?ad_type=iframe&ad_size=300x250&section=5130196&pub_url=hottvgame.com
hxxp://ib.anycast.adnxs.com/bounce?/tt?id=1956118&cb=${CACHEBUSTER}&referrer=hottvgame.com&pubclick=${CLICK_URL}
hxxp://ib.anycast.adnxs.com/bounce?/tt?id=1956116&cb=${CACHEBUSTER}&referrer=hottvgame.com&pubclick=${CLICK_URL}
hxxp://zhakkas.com/ads/show.php?z=26&pl=289&j=1&code=1395517506231108.161.136.184
hxxp://ds-any-world.ngd.ysm.yahoodns.net/imp?Z=728x90&u=hottvgame.com&s=5130196&T=3&_salt=0&B=10&H=http://hottvgame.com/&M=3&r=0
hxxp://ds-any-world.ngd.ysm.yahoodns.net/imp?Z=160x600&u=hottvgame.com&s=5130196&T=3&_salt=0&B=10&H=http://hottvgame.com/&M=3&r=0
hxxp://ds-any-world.ngd.ysm.yahoodns.net/imp?Z=300x250&u=hottvgame.com&s=5130196&T=3&_salt=0&B=10&H=http://hottvgame.com/&M=3&r=0
hxxp://ds-any-world.ngd.ysm.yahoodns.net/get-user-id?ver=2&s=5130196&ts=1395534760&sig=372faee14baf322c
hxxp://zhakkas.com/ads/show_i.php?b=18144613
hxxp://ib.anycast.adnxs.com/tt?id=1956120&cb=${CACHEBUSTER}&referrer=hottvgame.com&pubclick=${CLICK_URL}
hxxp://pcookie.split.cnzz.com/app.gif?&cna=nn6iCV7zsTECAc43V1KXf4n8
hxxp://zhakkas.com/ads/show_i.php?a=1&x=TVRNNU5UVXpORGMyTUMweE9EUXVNVEEzTGpNNExqTTQ=&z=26&c=1&pl=289&plurl=&target=_blank
hxxp://ib.anycast.adnxs.com/seg?add=357274&t=2
hxxp://ib.anycast.adnxs.com/seg?add=357264&t=2
hxxp://ib.anycast.adnxs.com/ttj?id=2338468
hxxp://ib.anycast.adnxs.com/ttj?id=2282214&cb=1395534760&pubclickenc=[INSERT_CLICK_TAG]
hxxp://js.users.51.la/16463376.js222.187.221.28
hxxp://zhakkas.com/adserver/www/delivery/ajs.php?zoneid=7&target=_blank&cb=2356904958&charset=utf-8&loc=http://zhakkas.com/ads/show_i.php?a=1&x=TVRNNU5UVXpORGMyTUMweE9EUXVNVEEzTGpNNExqTTQ=&z=26&c=1&pl=289&plurl=&target=_blank&referer=http://zhakkas.com/ads/show_i.php?b=18144613
hxxp://creafi.adspirit.de/adretargeting.php?value=Adspirit_socialmedia_onview
hxxp://ib.anycast.adnxs.com/ttj?ttjb=1&bdref=http://hottvgame.com/&id=2338468
hxxp://ib.anycast.adnxs.com/ttj?ttjb=1&bdref=http://hottvgame.com/&id=2282214&cb=1395534760&pubclickenc=[INSERT_CLICK_TAG]
hxxp://zhakkas.com/adserver/www/delivery/lg.php?bannerid=1&campaignid=1&zoneid=7&loc=1&referer=http://zhakkas.com/ads/show_i.php?a=1&x=TVRNNU5UVXpORGMyTUMweE9EUXVNVEEzTGpNNExqTTQ=&z=26&c=1&pl=289&plurl=&target=_blank&cb=0f8ab668f9
hxxp://adhitzads.com/2658268.233.234.217
hxxp://p2.adhitzads.com/?z=26582&p=2389295945&l=http://zhakkas.com/ads/show_i.php?b=18144613&r=http://hottvgame.com/&c=168.233.234.214
hxxp://comewsee.com/
hxxp://p2.adhitzads.com/532e2ba977519369971961dzhakkas.com6855
hxxp://cpmtree.com/serv/tag.js
hxxp://cpmtree.com/serving/serv.aspx?affid=2015&W=728
hxxp://comewsee.com/wp-content/themes/curved-air/iestyle.css
hxxp://comewsee.com/wp-includes/js/jquery/jquery.js?ver=1.10.2
hxxp://comewsee.com/wp-content/themes/cur/style.css
hxxp://ib.anycast.adnxs.com/tt?id=2180899&referrer=[REFERRER_URL]
hxxp://comewsee.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1
hxxp://comewsee.com/wp-content/themes/curved-air/tab.js
hxxp://ib.anycast.adnxs.com/ttj?id=2259390&size=728x90&promo_sizes=300x50,320x50,468x60,216x36&promo_alignment=center
hxxp://ib.anycast.adnxs.com/ttj?ttjb=1&bdref=http://www.comewsee.com/&id=2259390&size=728x90&promo_sizes=300x50,320x50,468x60,216x36&promo_alignment=center
hxxp://cpmtree.com/serving/serv.aspx?affid=2015&W=300
hxxp://ib.anycast.adnxs.com/ttj?id=2259389&size=300x250&promo_sizes=250x250,300x600,300x50,200x200,180x150,216x36&promo_alignment=center
hxxp://cpmtree.com/serving/serv.aspx?affid=2015&W=160
hxxp://comewsee.com/uncategorized/family-anger-erupts-as-malaysia-jet-search-enters-12th-day/
hxxp://ib.anycast.adnxs.com/ttj?id=2368657
hxxp://ib.anycast.adnxs.com/ttj?ttjb=1&bdref=http://www.comewsee.com/uncategorized/family-anger-erupts-as-malaysia-jet-search-enters-12th-day/&id=2368657
hxxp://hottvgame.com/?feed=rss2
hxxp://wikicashways.info/184.168.221.31
hxxp://a1778.g.akamai.net/html/437c26_2a7d7dbdf7ea44c0c1a2b0d82707efc4.html
hxxp://a1778.g.akamai.net/html/437c26_4676b7504cee13b773a13c70827e7e6b.html
hxxp://a1778.g.akamai.net.0.1.cn.akamaitech.net/html/437c26_59a683db56b35772216d07cabed45b9c.html
hxxp://a1778.g.akamai.net.0.1.cn.akamaitech.net/html/437c26_22d2c032873bd164a539f92b194a84e9.html
hxxp://a1778.g.akamai.net.0.1.cn.akamaitech.net/html/437c26_58bb79633f2239a8625ce2ef473585d5.html
hxxp://ds-any-world.ngd.ysm.yahoodns.net/st?ad_type=ad&ad_size=300x250&section=4745819&pub_url=${PUB_URL}
hxxp://ib.anycast.adnxs.com/ttj?id=2055267
hxxp://ib.anycast.adnxs.com/ttj?id=1494744&pubclick=[INSERT_CLICK_TAG]
hxxp://ads.yashi.com/11298208.43.240.158
hxxp://ds-any-world.ngd.ysm.yahoodns.net/imp?Z=300x250&s=4745819&_salt=0&B=10&H=&u=http://chandlermon0211.wix.com.usrfiles.com/html/437c26_4676b7504cee13b773a13c70827e7e6b.html&M=5&r=0
hxxp://ib.anycast.adnxs.com/ttj?ttjb=1&bdref=http://chandlermon0211.wix.com.usrfiles.com/html/437c26_2a7d7dbdf7ea44c0c1a2b0d82707efc4.html&id=2055267
hxxp://ib.anycast.adnxs.com/ttj?ttjb=1&bdref=http://chandlermon0211.wix.com.usrfiles.com/html/437c26_2a7d7dbdf7ea44c0c1a2b0d82707efc4.html&id=1494744&pubclick=[INSERT_CLICK_TAG]
hxxp://ads.yashi.com/tag.js
hxxp://ib.anycast.adnxs.com/tt?id=2030925&cb={CACHEBUSTER}&referrer={REFERRER_URL}&pubclick={CLICK_URL}
hxxp://ib.anycast.adnxs.com/ttj?id=2055268
hxxp://ads.yashi.com/11299
hxxp://ds-any-world.ngd.ysm.yahoodns.net/iframe3?Id8LG1tqSAA8uoIBAAAAABprcwAAAAAAAgAAAAIAAAAAAP8AAAAHFS4RcAAAAAAA.C6LAAAAAACBuo0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADL6xgAAAAAAAIAAwAAgD8AuB6F61G4nj-4HoXrUbieP7gehetRuK4.uB6F61G4rj-amZmZmZm5P5qZmZmZmbk.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARBB3DwWJFib3ajlr1hE9sdbbIT9pcuFgAAAAAA==,,http://chandlermon0211.wix.com.usrfiles.com/html/437c26_4676b7504cee13b773a13c70827e7e6b.html,B=10&H=&M=5&Z=300x250&_salt=0&r=0&s=4745819,b50c2d16-b222-11e3-be13-f388cf8792b6,1395534788735
hxxp://ib.anycast.adnxs.com/ttj?id=1494750&pubclick=[INSERT_CLICK_TAG]
hxxp://ib.anycast.adnxs.com/ttj?ttjb=1&bdref=http://chandlermon0211.wix.com.usrfiles.com/html/437c26_2a7d7dbdf7ea44c0c1a2b0d82707efc4.html&id=2055268
hxxp://ds-any-world.ngd.ysm.yahoodns.net/st?ad_type=ad&ad_size=728x90&section=4745819&pub_url=${PUB_URL}
hxxp://ib.anycast.adnxs.com/tt?id=2030926&cb={CACHEBUSTER}&referrer={REFERRER_URL}&pubclick={CLICK_URL}
hxxp://ads.yashi.com/11297
hxxp://ib.anycast.adnxs.com/ttj?id=2055251
hxxp://ds-any-world.ngd.ysm.yahoodns.net/imp?Z=728x90&s=4745819&_salt=0&X=25344572&B=10&H=&u=http://chandlermon0211.wix.com.usrfiles.com/html/437c26_4676b7504cee13b773a13c70827e7e6b.html&M=5&r=0
hxxp://ib.anycast.adnxs.com/ttj?ttjb=1&bdref=http://chandlermon0211.wix.com.usrfiles.com/html/437c26_2a7d7dbdf7ea44c0c1a2b0d82707efc4.html&id=1494750&pubclick=[INSERT_CLICK_TAG]
hxxp://ib.anycast.adnxs.com/tt?id=2030924&cb={CACHEBUSTER}&referrer={REFERRER_URL}&pubclick={CLICK_URL}
hxxp://ib.anycast.adnxs.com/ttj?ttjb=1&bdref=http://chandlermon0211.wix.com.usrfiles.com/html/437c26_2a7d7dbdf7ea44c0c1a2b0d82707efc4.html&id=2055251
hxxp://ib.anycast.adnxs.com/ttj?id=1494707&pubclick=[INSERT_CLICK_TAG]
hxxp://prworldnews.com/pre2/300x250.php
hxxp://ds-any-world.ngd.ysm.yahoodns.net/iframe3?Id8LG1tqSAClLIEBAAAAAPNUcwAAAAAAAgAAAAYAAAAAAP8AAAAHFS4RcAAAAAAAGJyNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADL6xgAAAAAAAIAAoYXJz8AXynLEMe6iD-LbOf7qfGSP18pyxDHupg.i2zn-6nxoj8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARRB3D8pzQPU6M8qZdh1aiWCnvBaM3t8qAAAAAA==,,http://chandlermon0211.wix.com.usrfiles.com/html/437c26_4676b7504cee13b773a13c70827e7e6b.html,B=10&H=&M=5&X=25344572&Z=728x90&_salt=0&r=0&s=4745819,b53b0406-b222-11e3-8a26-eb40398b6116,1395534789042
hxxp://ds-any-world.ngd.ysm.yahoodns.net/st?ad_type=ad&ad_size=160x600&section=4745819&pub_url=${PUB_URL}
hxxp://ib.anycast.adnxs.com/ttj?ttjb=1&bdref=http://chandlermon0211.wix.com.usrfiles.com/html/437c26_2a7d7dbdf7ea44c0c1a2b0d82707efc4.html&id=1494707&pubclick=[INSERT_CLICK_TAG]
hxxp://ib.anycast.adnxs.com/ttj?id=2385573&cb=1395534789&pubclick=hxxp://ads.yahoo.com/clk?3,eJytS8tugzAQ.JrcEMJeY7tCPTgNUEdA04Y-OFVgHCCC0AZaQr6-oET5go5WM7M7swgcirnmwAGInTOqwUGEaGWnuxRsw3IcBwBhiwKz7wyZ88BH.fdWPNSBdJdixiZ6VYO4oJgpufgNn.nR25IXdY399RiJf8EqoKfi6qUQbfKxPnPR.dYpc5-Xt5ovUYjlEK0EDt7lGO5lH8ZeHY4WSWI53d6qKTs.xWUV7d1TVNw-7w2j7PuvBYgF9qZRZXrIa31s2oOFETKH6mSqtjF.uuOuqnU3L1Ot7Jt6EgJMYfpJKKMZsy2itEaQMQYpAsUsjplmmmbmXP8D1LNumQ==,
hxxp://ds-any-world.ngd.ysm.yahoodns.net/imp?Z=160x600&s=4745819&_salt=0&X=25344572,25242789&B=10&H=&u=http://chandlermon0211.wix.com.usrfiles.com/html/437c26_4676b7504cee13b773a13c70827e7e6b.html&M=5&r=0
hxxp://ib.anycast.adnxs.com/ttj?id=2406638&cb=[CACHEBUSTER]
hxxp://ib.anycast.adnxs.com/ttj?ttjb=1&bdref=http://chandlermon0211.wix.com.usrfiles.com/html/437c26_4676b7504cee13b773a13c70827e7e6b.html&id=2385573&cb=1395534789&pubclick=hxxp://ads.yahoo.com/clk?3,eJytS8tugzAQ.JrcEMJeY7tCPTgNUEdA04Y-OFVgHCCC0AZaQr6-oET5go5WM7M7swgcirnmwAGInTOqwUGEaGWnuxRsw3IcBwBhiwKz7wyZ88BH.fdWPNSBdJdixiZ6VYO4oJgpufgNn.nR25IXdY399RiJf8EqoKfi6qUQbfKxPnPR.dYpc5-Xt5ovUYjlEK0EDt7lGO5lH8ZeHY4WSWI53d6qKTs.xWUV7d1TVNw-7w2j7PuvBYgF9qZRZXrIa31s2oOFETKH6mSqtjF.uuOuqnU3L1Ot7Jt6EgJMYfpJKKMZsy2itEaQMQYpAsUsjplmmmbmXP8D1LNumQ==,
hxxp://ib.anycast.adnxs.com/ttj?ttjb=1&bdref=http://ads.yahoo.com/iframe3?Id8LG1tqSAA8uoIBAAAAABprcwAAAAAAAgAAAAIAAAAAAP8AAAAHFS4RcAAAAAAA.C6LAAAAAACBuo0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADL6xgAAAAAAAIAAwAAgD8AuB6F61G4nj-4HoXrUbieP7gehetRuK4.uB6F61G4rj-amZmZmZm5P5qZmZmZmbk.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARBB3DwWJFib3ajlr1hE9sdbbIT9pcuFgAAAAAA==,,http%3A%2F%2Fchandlermon0211.wix.com.usrfiles.com%2Fhtml%2F437c26_4676b7504cee13b773a13c70827e7e6b.html,B%3D10%26H%3D%26M%3D5%26Z%3D300x250%26_salt%3D0%26r%3D0%26s%3D4745819,b50c2d16-b222-11e3-be13-f388cf8792b6,1395534788735&id=2406638&cb=[CACHEBUSTER]
hxxp://ds-any-world.ngd.ysm.yahoodns.net/iframe3?Id8LG1tqSAA8uoIBAAAAABprcwAAAAAAAAAAAAIAAAAAAAEAAQAHFS4RcAAAAAAA.C6LAAAAAACBuo0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADL6xgAAAAAAAIAAwAAgD8AuB6F61G4nj-4HoXrUbieP7gehetRuK4.uB6F61G4rj-amZmZmZm5P5qZmZmZmbk.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVRB3DxxJ9vduSqYB68pWsiQNEiWGSjveAAAAAA==,,http://chandlermon0211.wix.com.usrfiles.com/html/437c26_4676b7504cee13b773a13c70827e7e6b.html,B=10&H=&M=5&Z=300x250&_salt=0&r=0&s=4745819,bf47170a-b222-11e3-99c3-5b3dddd86d42,1395534805898
info.spiritsoft.cn121.10.112.147
web2.51.la117.21.224.31
ads.clovenetwork.com68.67.152.166
cnzz.mmstat.com42.121.149.42
chandlermon0211.wix.com.usrfiles.com23.0.165.32
pcookie.cnzz.com42.121.149.41
js.tongji.linezing.com195.27.31.240
ib.adnxs.com68.67.152.163
c.cnzz.com42.156.140.11
s11.cnzz.com1.99.192.16
rtb.creafi-online-media.com62.75.176.185
static.wix.com198.144.115.96
hzs11.cnzz.com42.156.140.26
anx.batanga.net68.67.152.95
www.comewsee.com192.186.202.166
ads.reduxmediagroup.com68.67.152.89
html5shiv.googlecode.com64.233.171.82
ads.fidelity-media.com68.67.152.128
s1.spiritsoft.cn122.110.61.222
ads.yahoo.com98.139.225.42
www.cpmtree.com64.150.189.45
www.prworldnews.com69.50.218.110
t.coUnresolvable


HOSTS file anomalies

The Trojan-Dropper modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 647 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1www.virustotal.com
127.0.0.1www.mcafee.com
127.0.0.1www.avira.com
127.0.0.1www.avast.com
127.0.0.1www.symantec.com
127.0.0.1www.clamwin.com
127.0.0.1www.kaspersky.com
127.0.0.1www.comodo.com
127.0.0.1www.norton.com
127.0.0.1www.avg.com
127.0.0.1www.novirusthanks.org
127.0.0.1virusscan.jotti.org
127.0.0.1www.viruschief.com
127.0.0.1www.fortiguard.com
127.0.0.1www.bitdefender.com
127.0.0.1www.f-secure.com
127.0.0.1www.facebook.com
127.0.0.1www.youtube.com
127.0.0.1www.smadav.com
127.0.0.1www.google.com
127.0.0.1www.bing.com
127.0.0.1www.smadav.net
127.0.0.1http://youtube.com


Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    srchass.exe:456
    %original file name%.exe:344
    %original file name%.exe:1860
    adobe.exe:1524

  2. Delete the original Trojan-Dropper file.
  3. Delete or disinfect the following files created/modified by the Trojan-Dropper:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\11298[1] (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@hottvgame[1].txt (140 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\11297[1] (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\437c26_4676b7504cee13b773a13c70827e7e6b[1].htm (798 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\kompyang-shrimp-mushrooms[1] (1898 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@yahoo[1].txt (988 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\11299[2] (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\st[2] (1862 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\jquery[1].js (34989 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@yahoo[2].txt (1160 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@creafi-online-media[2].txt (504 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\p2.adhitzads[1] (841 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\kompyang-shrimp-mushrooms[1].htm (293 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[9].htm (753 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_4676b7504cee13b773a13c70827e7e6b[1].html (338 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\st[2].com (542 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\11297[1] (1600 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_58bb79633f2239a8625ce2ef473585d5[1].html (97 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\CZ77JqUMP3[1].htm (280 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\16463376[1].js (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\imp[1].html&M=5&r=0 (910 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\hottvgame[1].xml (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\index.dat (22128 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_22d2c032873bd164a539f92b194a84e9[1].html (167 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\imp[2].html&M=5&r=0 (935 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\html5[1].js (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\ttj[10].htm (753 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\adretargeting[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\CA8127G5.htm (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\ttj[6].htm (725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\imp[1].com/&M=3&r=0 (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\family-anger-erupts-as-malaysia-jet-search-enters-12th-day[1].htm (3317 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\ttj[3].htm (725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\437c26_2a7d7dbdf7ea44c0c1a2b0d82707efc4[1].htm (958 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@hottvgame[2].txt (292 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\ttj[2].htm (725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\imp[2].html&M=5&r=0 (935 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\style[1].css (2939 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\kompyang-shrimp-mushrooms[1] (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\imp[2].com/&M=3&r=0 (670 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\ttj[3].htm (725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\11298[2] (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\437c26_59a683db56b35772216d07cabed45b9c[1].html (127 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\tag[1].js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\ttj[4].htm (753 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\serv[1].htm (802 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\532e2ba977519369971961dzhakkas[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\tag[1].js (312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\11299[1] (802 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\ttj[1].htm (774 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[1].htm (725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\imp[1].html&M=5&r=0 (921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\imp[3].html&M=5&r=0 (910 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\ttj[2].htm (725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\kompyang-shrimp-mushrooms[1].htm (293 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\serv[1].htm (944 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\st[1] (337 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\st[1].com (561 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\CZ77JqUMP3[1] (197 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\11298[1] (802 bytes)
    %WinDir%\Debug\UserMode\userenv.log (6164 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\CAKPO1SZ.htm (1513 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\style[2].css (17 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\437c26_59a683db56b35772216d07cabed45b9c[1].html (127 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\imp[3].com/&M=3&r=0 (585 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\tag[2].js (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\300x250[1].htm (376 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\437c26_58bb79633f2239a8625ce2ef473585d5[1].html (97 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\hottvgame[1].htm (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\CAW1M1HU.htm (793 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\st[1] (1891 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[8].htm (725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\532e2ba977519369971961dzhakkas[1].com6855 (1007 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[3].htm (753 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\437c26_22d2c032873bd164a539f92b194a84e9[1].html (167 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\show_i[1].htm (2199 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\hottvgame[1] (662 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\11298[1] (802 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\ttj[8].htm (725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@ads.yahoo[2].txt (12068 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\437c26_22d2c032873bd164a539f92b194a84e9[1].htm (818 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\11297[2] (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_2a7d7dbdf7ea44c0c1a2b0d82707efc4[1].htm (958 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@creafi-online-media[1].txt (281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\ttj[9].htm (753 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@adnxs[1].txt (2917 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@zhakkas[1].txt (186 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[7].htm (742 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\style[1].css (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@adnxs[2].txt (2720 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\st[3].com (541 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[5].htm (753 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_59a683db56b35772216d07cabed45b9c[1].htm (598 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\jquery-migrate.min[1].js (769 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\11299[2] (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\style[1].css (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\437c26_58bb79633f2239a8625ce2ef473585d5[1].htm (446 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\CA8D6JGH.htm (768 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\11299[1] (802 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@ads.yahoo[1].txt (12446 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\st[1] (323 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\300x250[1].php (298 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\imp[1].html&M=5&r=0 (921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\style[1].css (806 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\url[1].htm (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\stat[1].php (1121 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\tongji[1].js (1969 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (161 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\sound_high[1].gif (356 bytes)
    %System%\CatRoot2\dberr.txt (481 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\stat[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@info.spiritsoft[1].txt (327 bytes)
    %Documents and Settings%\%current user%\Application Data\Spiritsoft\urlspirit\bd.dat (676 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\splogo[1].png (1 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (201 bytes)
    %Documents and Settings%\%current user%\Application Data\Spiritsoft\urlspirit\product.dat (1090 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\core[1].php (800 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\alexa[1].png (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Spiritsoft\urlspirit\tcfg.dat (1 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (5300 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@linezing[1].txt (165 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\mini[1].js (5 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@spiritsoft[1].txt (185 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\System\Services\winlogon.exe (5441 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\srchass.exe (3728 bytes)
    %System%\drivers\etc\hosts (605 bytes)
    %Documents and Settings%\%current user%\Application Data\adobe.exe (5441 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "urlspace" = "%Documents and Settings%\%current user%\Local Settings\Temp\srchass.exe -h"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "winlogon" = "%Documents and Settings%\%current user%\Application Data\Microsoft\System\Services\winlogon.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "(Default)" = "%Documents and Settings%\%current user%\Application Data\adobe.exe"

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps