Trojan.Win32.Cutwail.cfc (Kaspersky), Trojan-PSW.Win32.Fareit.FD, TrojanPSWFareit.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 2bad0ff09870ff5f36b7e36bc4e3f01f
SHA1: c10d32a3fbfb5c87d02bf4ab9a723fff62111b2b
SHA256: c4ca4e69090043e88342521ac6a13f2a67c3c18872a8270cfd21e99c2caabf27
SSDeep: 768:RPrJP6jDA9Vv N0xbn4t7p6usoF36XEOR0Of:RVPCDAm0xb27pFs0KXEOR0Of
Size: 38400 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: SummerSoft
Created at: 2008-12-09 23:07:24
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
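The "Entropy: Packed" and PEID lines above come from static heuristics: a high byte-level Shannon entropy across the file or its sections is read as compression or encryption, which is what a UPolyX-style packer produces. The following Python is an added example, not part of the Lavasoft report or its tooling, that computes that entropy and applies an assumed 7.0 bits/byte cut-off to three constructed buffers; the threshold, the buffers and the verdict names are the example's own, not values taken from this report.

```python
"""Shannon entropy check for packed-binary triage.

Added example, not part of the Lavasoft report. Shows how a "Packed" entropy
verdict like the one in the summary is typically derived. The threshold and the
sample buffers are assumptions / constructed data, not values from the report.
"""
import hashlib
import math
from collections import Counter

PACKED_THRESHOLD = 7.0  # assumed heuristic cut-off in bits per byte (maximum is 8.0)


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def entropy_verdict(data: bytes, threshold: float = PACKED_THRESHOLD) -> str:
    """Classify a buffer the way a sandbox summary line does (names are assumed)."""
    e = shannon_entropy(data)
    if e >= threshold:
        return "Packed"       # compressed / encrypted payload
    if e < 1.0:
        return "Padding"      # mostly constant bytes, e.g. a zero-filled section
    return "Plain"            # ordinary code, strings or data


def chunked_entropy(data: bytes, chunk: int = 256) -> list:
    """Per-chunk entropies; a flat plateau near 8.0 marks a packed/encrypted blob
    inside an otherwise plain file."""
    return [round(shannon_entropy(data[i:i + chunk]), 2)
            for i in range(0, len(data), chunk)]


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 hash chain) standing in for a
    packed section, so the example runs identically offline every time."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed sample buffers (not taken from the analysed file)
SAMPLE_PACKED = pseudo_random_bytes(4096)
SAMPLE_ZERO = b"\x00" * 4096
SAMPLE_TEXT = (b"This program cannot be run in DOS mode.\r\n" * 100)[:4096]

if __name__ == "__main__":
    for name, buf in (("packed", SAMPLE_PACKED), ("zero", SAMPLE_ZERO), ("text", SAMPLE_TEXT)):
        print(f"{name:7s} entropy={shannon_entropy(buf):.3f} verdict={entropy_verdict(buf)}")
```

Whole-file entropy is only a hint: a small packed stub appended to a large plain binary averages out, so per-section or per-chunk values (chunked_entropy) are what a PEiD-style check should look at.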
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-PSW creates the following process(es):
No processes have been created.
The Trojan-PSW injects its code into the following process(es):
%original file name%.exe:1808
Since no child process was created, 1808 is the sample's own process: the reported "injection" is consistent with the packed sample (see the PEID line above) writing its unpacked payload into its own address space rather than into another process.
File activity
The process %original file name%.exe:1808 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\theprintinghouseltd.co[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\enzoyrodrigo.com[1].htm (586 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[1].txt (175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@stepnet[1].txt (219 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ricated[1].htm (260 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\empordalia[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\easygen[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\mojacar-vacaciones[1].htm (876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\cath4choice[1].htm (27 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@totalearthcare.com[1].txt (241 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@screaminpeach[1].txt (233 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@racknstackwarehouse.com[1].txt (251 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\sydney[1].htm (357 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigjohnsbeefjerky[1].txt (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\shs-sales.co[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\sun-ele.co[1].htm (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\aciuba.com[1].htm (73 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@area72aa[1].txt (210 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\brijindia[1].htm (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\robertmcintyre.com[1].htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\ginalimo[1].htm (15 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@goodvaluecenter[1].txt (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\violadagamba[1].htm (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\le-mariage[1].htm (19 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@telenavis[1].txt (225 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sarahdavid[1].txt (227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\fraser-high.school[1].htm (759 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (793 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@golfpark-moossee[1].txt (281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\easygen[1].htm (13 bytes)
%Documents and Settings%\%current user%\cafxascijanu.exe (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\robertmcintyre.com[1].htm (14 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@altonhousehotel[1].txt (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\wkhk[1].htm (1832 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@traderush[1].txt (270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\robertmcintyre.com[2].htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ryumachi-jp[1].htm (10 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@4pipp[1].txt (217 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msasys[1].txt (206 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\mibsga[1].htm (1100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\eygwindows.co[1].htm (1755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\churchclothes[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\frederickallergy[1].htm (15 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@wsipowerontheweb[1].txt (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\bigtopmultimedia[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ixtractor[1].htm (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (19756 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\kamaruka.vic.edu[1].htm (30 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@westhillsstl[1].txt (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\redconeretreat[1].htm (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\sortedorganizing[1].htm (4 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ulcndsu[1].txt (221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\teasing-video[1].htm (1055 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[2].txt (358 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\trinity-works[1].htm (16 bytes)
The Trojan-PSW deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\theprintinghouseltd.co[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\enzoyrodrigo.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\robertmcintyre.com[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\empordalia[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ricated[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\easygen[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\cath4choice[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\shs-sales.co[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\brijindia[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\ginalimo[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\easygen[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\robertmcintyre.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ryumachi-jp[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\aciuba.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\violadagamba[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\churchclothes[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\frederickallergy[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\bigtopmultimedia[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\sun-ele.co[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\robertmcintyre.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\kamaruka.vic.edu[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\le-mariage[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\redconeretreat[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\racknstackwarehouse.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\trinity-works[1].htm (0 bytes)
Registry activity
The process %original file name%.exe:1808 makes changes in the system registry.
Most of the values listed here (the Internet Settings\Cache\Paths keys, the Shell Folders paths, SavedLegacySettings, MigrateProxy, the proxy and ZoneMap values and the Cryptography\RNG seed) are written by WinINet and CryptoAPI as a side effect of the sample's HTTP activity and are not specific to this sample; the entries that appear to be sample-specific and are worth keeping as indicators are the three 16-byte binary values under HKCU\Software\Microsoft\Windows\CurrentVersion ("2312304364", "AppManagement", "cafxascijanuzap") and the autorun entry listed below.
The Trojan-PSW creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"2312304364" = "DD 07 0C 00 02 00 11 00 03 00 2E 00 0E 00 FF 01"
"AppManagement" = "B5 1A 65 3D 15 EC C4 9C 74 4C 97 6F 47 1F F6 CE"
"cafxascijanuzap" = "6E 46 1E F5 CD A5 7D 55 A0 78 50 28 00 D7 AF 87"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 1F 4C 0D 1B 30 9A 3A D0 09 F6 1E 01 1F 10 BA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan-PSW modifies IE security-zone settings so that network (UNC) paths are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE security-zone settings so that sites which bypass the proxy server are mapped to the Intranet Zone:
"ProxyBypass" = "1"
To run itself automatically each time Windows is booted, the Trojan-PSW adds the following reference to its dropped copy to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cafxascijanu" = "%Documents and Settings%\%current user%\cafxascijanu.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies IE security-zone settings so that local intranet sites (dotless host names) not assigned to another zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
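The three 16-byte REG_BINARY values under HKCU\Software\Microsoft\Windows\CurrentVersion are the only sample-specific registry data in the list above. The first of them, "2312304364", has the byte layout of a Win32 SYSTEMTIME (eight little-endian WORDs: year, month, day-of-week, day, hour, minute, second, millisecond) and decodes to a calendar date whose stored day-of-week agrees with that date, which is a strong sign it is a timestamp the sample recorded; the other two do not decode. The Python below is an added example, not part of the report: the value names and bytes are copied from the report, while the SYSTEMTIME reading and the plausibility checks are the example's own.

```python
"""Decode the 16-byte registry blobs listed in the report.

Added example, not part of the Lavasoft report. Tests each blob against the
layout of a Win32 SYSTEMTIME (eight little-endian WORDs) and reports the ones
that decode to a consistent date; the rest are treated as opaque data.
"""
import datetime
import struct
from typing import Optional

# wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds
SYSTEMTIME = struct.Struct("<8H")

# Value names and bytes exactly as printed in the report
REPORT_VALUES = {
    "2312304364":      "DD 07 0C 00 02 00 11 00 03 00 2E 00 0E 00 FF 01",
    "AppManagement":   "B5 1A 65 3D 15 EC C4 9C 74 4C 97 6F 47 1F F6 CE",
    "cafxascijanuzap": "6E 46 1E F5 CD A5 7D 55 A0 78 50 28 00 D7 AF 87",
}


def hex_to_bytes(text: str) -> bytes:
    """Turn the report's space-separated hex dump into bytes."""
    return bytes.fromhex(text.replace(" ", ""))


def parse_systemtime(blob: bytes) -> Optional[datetime.datetime]:
    """Return a datetime if `blob` is a plausible SYSTEMTIME, else None.

    Plausibility: correct length, every field within its documented range, and
    the stored day-of-week matching the calendar date. Random 16-byte data passes
    all three checks only very rarely, so a hit is meaningful."""
    if len(blob) != SYSTEMTIME.size:
        return None
    year, month, dow, day, hour, minute, second, ms = SYSTEMTIME.unpack(blob)
    if not (1601 <= year <= 30827 and 1 <= month <= 12 and dow <= 6
            and 1 <= day <= 31 and hour <= 23 and minute <= 59
            and second <= 59 and ms <= 999):
        return None
    try:
        dt = datetime.datetime(year, month, day, hour, minute, second, ms * 1000)
    except ValueError:           # e.g. 31 February, or a year datetime cannot hold
        return None
    # SYSTEMTIME counts Sunday=0..Saturday=6; Python weekday() is Monday=0..Sunday=6
    if (dt.weekday() + 1) % 7 != dow:
        return None
    return dt


def classify_values(values: dict) -> dict:
    """Map each registry value name to an ISO timestamp or the string 'opaque'."""
    result = {}
    for name, hexdump in values.items():
        dt = parse_systemtime(hex_to_bytes(hexdump))
        result[name] = dt.isoformat(timespec="milliseconds") if dt else "opaque"
    return result


if __name__ == "__main__":
    for name, verdict in classify_values(REPORT_VALUES).items():
        print(f"{name:16s} -> {verdict}")
```

The decoded value is local sandbox time as the sample saw it, so it dates the run rather than the build; compare it with the PE timestamp in the summary (2008-12-09) when reasoning about how old the sample is.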
Network activity (URLs)
Rows with an hxxp:// URL are HTTP requests observed during the run; the IP column is empty for requests made directly by address and for a few domains with no recorded resolution. The trailing rows from lopezshackleford.com onward are host | IP pairs only. Almost every request is for the root path "/" of an ordinary business website, which matches the cached *.htm files in the file-activity section, so treat these hosts as contacts observed during the run rather than confirmed command-and-control infrastructure. The one request with a non-root path is hxxp://49.50.8.93/v02/, and 209.160.23.206 appears both as a direct target and as the resolved address of borneodinawan.com.
URL | IP |
---|---|
hxxp://72.3.244.228/ | |
hxxp://216.243.236.35/ | |
hxxp://213.152.198.61/ | |
hxxp://49.50.8.93/v02/ | |
hxxp://65.181.70.3/ | |
hxxp://217.27.254.150/ | |
hxxp://5.9.94.34/ | |
hxxp://182.48.49.195/ | |
hxxp://209.160.23.206/ | |
hxxp://173.248.156.34/ | |
hxxp://60.191.129.142/ | |
hxxp://198.171.234.61/ | |
hxxp://193.104.35.207/ | |
hxxp://platinumregistration.com/ | 12.151.60.70 |
hxxp://canadienhorse.com/ | 69.27.120.7 |
hxxp://signsbyyou.com/ | 205.186.187.221 |
hxxp://virginiabeachhistory.org/ | 216.117.143.48 |
hxxp://cadrexport.com/ | 91.121.48.156 |
hxxp://192.220.97.141/ | |
hxxp://99.192.139.59/ | |
hxxp://amemarukun.com/ | 122.152.128.132 |
hxxp://premiumfudge.com/ | 69.5.0.127 |
hxxp://solartendas.com.br/ | 187.108.194.152 |
hxxp://206.161.193.98/ | |
hxxp://findersfayre.com/ | 208.76.82.37 |
hxxp://chesterfieldchamber.com/ | 50.62.148.216 |
hxxp://194.242.113.40/ | |
hxxp://creativegraphicsindia.com/ | 207.58.179.13 |
hxxp://cassidy.com/ | 205.186.187.174 |
hxxp://lancohills.com/ | 182.18.152.227 |
hxxp://cj-irinaka.com/ | 210.172.144.247 |
hxxp://112.78.116.219/ | |
hxxp://shokusen.co.jp/ | 210.129.90.13 |
hxxp://aitom.cz/ | 81.0.240.93 |
hxxp://orrhockey.com/ | 209.196.155.206 |
hxxp://metalsaw.com/ | 69.63.155.52 |
hxxp://computerlogicdirect.com/ | 208.78.155.38 |
hxxp://198.171.14.144/ | |
hxxp://dscbarcelona.com/ | 82.98.164.2 |
hxxp://lindseycompany.com/ | 38.113.1.157 |
hxxp://62.121.144.116/ | |
hxxp://chasemeadow.com/ | 217.199.187.62 |
hxxp://miniform.ru/ | 31.31.207.7 |
hxxp://111.89.207.71/ | |
hxxp://81.31.101.2/ | |
hxxp://dronasoft.com/ | 72.251.193.170 |
hxxp://bigmuddyumc.org/ | 205.186.133.109 |
hxxp://210.188.201.42/ | |
hxxp://hstechno.com/ | 211.202.2.112 |
hxxp://borneodinawan.com/ | 209.160.23.206 |
hxxp://imara-ing.com/ | 213.195.69.220 |
hxxp://psiweb.org/ | 82.165.41.45 |
hxxp://66.109.27.28/ | |
hxxp://hamon.com/ | 188.93.155.11 |
hxxp://backyardtirefire.com/ | 199.59.157.102 |
hxxp://194.126.200.44/ | |
hxxp://email.visionary.com/ | |
hxxp://210.172.144.61/ | |
hxxp://rogerturcotte.com/ | 69.84.147.18 |
hxxp://takeuchinouen.com/ | 210.172.144.21 |
hxxp://talkwireless.com/ | 69.49.46.248 |
hxxp://209.238.103.16/ | |
hxxp://67.210.119.235/ | |
hxxp://euroherbal.com/ | 212.166.68.8 |
hxxp://thepandapartnership.com/ | 195.171.95.162 |
hxxp://prognos.com/ | 80.74.154.246 |
hxxp://selc.com.au/ | 150.60.10.97 |
hxxp://87.233.19.215/ | |
hxxp://pegasogiochi.com/ | 217.72.102.113 |
hxxp://213.230.215.202/ | |
hxxp://darwin-tech.com/ | 184.172.49.3 |
hxxp://94.23.212.160/ | |
hxxp://theadlibgroup.com/ | 69.90.163.140 |
hxxp://e-kanbe.com/ | 202.122.142.40 |
hxxp://kbbrokerage.ca/ | 208.92.232.210 |
hxxp://thekpmgroup.com/ | 66.96.218.117 |
hxxp://e-genese.com/ | |
hxxp://genquip.com.au/ | 111.67.29.139 |
hxxp://cedartimbers.com/ | |
hxxp://67.210.103.195/ | |
hxxp://69.36.179.52/ | |
hxxp://kalspo-japan.com/ | 210.224.185.225 |
hxxp://ghostbusters.net/ | 69.163.170.209 |
hxxp://79.96.73.253/ | |
hxxp://80.51.22.5/ | |
hxxp://69.56.229.158/ | |
hxxp://85.214.100.84/ | |
hxxp://72.249.28.100/ | |
hxxp://83.65.246.237/ | |
hxxp://holtans.no/ | 212.33.133.94 |
hxxp://66.96.134.71/ | |
hxxp://dineetje.nl/ | 83.149.81.212 |
hxxp://businessassistance.com/ | 173.237.185.32 |
hxxp://210.188.195.106/ | |
hxxp://fphurley.co.uk/ | 80.76.217.198 |
hxxp://ortodoncia.com.ec/ | 199.231.93.57 |
hxxp://81.31.147.23/ | |
hxxp://baggaley.co.uk/ | 91.146.110.185 |
hxxp://webstroy.ru/ | 83.222.3.128 |
hxxp://wetradenetwork.com/ | 198.61.139.184 |
hxxp://103.9.168.166/ | |
hxxp://uglassit.com/ | 142.4.19.228 |
hxxp://archivists.com/ | 202.181.99.40 |
hxxp://173.255.134.38/ | |
hxxp://hotelmiamimilan.com/ | 94.136.45.111 |
hxxp://gnetmail2.co.za/ | |
hxxp://benefsnet.com/ | 5.39.75.25 |
hxxp://worldcom.org/ | 95.211.38.51 |
hxxp://tanjungbunga.com/ | 144.76.202.231 |
hxxp://119.47.118.86/ | |
hxxp://briangroce.com/ | 207.198.118.49 |
hxxp://vsx-061.serverdedicati.it/ | |
hxxp://networks2business.com/ | 188.121.62.26 |
hxxp://realview.tv/ | 217.69.43.28 |
hxxp://firstfreewichita.org/ | 67.192.235.57 |
hxxp://middleage.org/ | 208.112.45.106 |
hxxp://204.16.240.162/ | |
hxxp://142.4.4.133/ | |
hxxp://sargentsgardens.com/ | 63.164.138.120 |
hxxp://146673-www3.conquerclub.com/ | |
hxxp://vhosts11.aosoft.com/ | |
hxxp://greatsea.com.sg/ | 116.12.51.118 |
hxxp://borderloos.com/ | 109.108.149.61 |
hxxp://aridor.net/ | 193.238.208.73 |
hxxp://sterling-institute.com/ | |
hxxp://jm-duterque.com/ | 31.193.129.213 |
hxxp://ankauf-verkauf.de/ | 46.4.72.218 |
hxxp://ostan.org/ | 162.223.88.13 |
hxxp://kccop.org/ | 128.121.194.248 |
hxxp://phc-pal.org/ | 174.46.134.54 |
hxxp://kyokusen.com/ | 210.172.144.246 |
hxxp://ns207670.ovh.net/ | |
hxxp://66.29.156.131/ | |
hxxp://lb07.virt.lolipop.jp/ | |
hxxp://whatsyourangle.com/ | 207.170.237.99 |
hxxp://208.70.244.160/ | |
hxxp://66.181.240.100/ | |
hxxp://darentasia.com/ | 195.144.11.40 |
hxxp://acousticstage.org/ | 211.132.107.2 |
hxxp://174.141.224.80/ | |
hxxp://124.41.82.187/ | |
hxxp://ivanica.net/ | 149.255.58.41 |
hxxp://213.246.100.96/ | |
hxxp://hlfiction.net/ | 74.54.205.83 |
hxxp://96.234.178.45/ | |
hxxp://smtp.nixe.biz/ | |
hxxp://grand-prix-monaco.com/ | 80.93.93.58 |
lopezshackleford.com | 212.113.128.232 |
stropiyer.com | 31.169.73.115 |
accentcare.com | 207.58.165.220 |
gtouk.org.uk | 82.147.20.69 |
jacksontrucks.com | 71.40.14.189 |
centralofficesource.com | 65.200.38.34 |
performancewearinc.com | 64.118.84.6 |
cubedesigners.com | 94.23.236.136 |
hkmagia.com | 216.22.14.93 |
pm-yachts.cz | 195.210.29.3 |
paginasamarillasec.com | 67.228.13.106 |
fmyamato.co.jp | 118.243.114.102 |
fishypussy.com | 99.192.158.18 |
cleanroomindiabase.com | 66.185.18.155 |
charlestonwirelessgroup.com | 208.43.1.92 |
acpwc.com | 64.207.189.226 |
spiroll.co.uk | 69.73.162.83 |
villanievillani.it | 62.149.196.186 |
isri-inc.com | 210.171.136.45 |
davidrm.com | 216.38.52.165 |
mdwyerlaw.com | 69.16.250.12 |
citrox.co.uk | 87.106.45.102 |
codupha.com.vn | 210.245.121.60 |
invention13.net | 173.192.57.176 |
likemybody.com | 188.165.129.91 |
attikainternational.com | 94.136.44.115 |
tabula.com | 198.171.14.144 |
compplanning.com | 198.46.91.115 |
acdcas.com | 96.31.47.154 |
buffclothing.co.uk | 94.136.45.223 |
happy-earth.com | 210.172.144.61 |
iglesiasimoveis.com.br | 75.119.213.58 |
foto-finito.com | 210.172.144.248 |
onlinecomic.de | 46.163.114.252 |
buildingdesignersaustralia.com.au | 208.109.236.231 |
aquabelles.com | 64.90.55.243 |
rishichem.com | 74.50.110.226 |
libercourt.com | 217.16.1.89 |
castlefieldgallery.co.uk | 178.250.51.129 |
spacecommander.de | 213.131.233.141 |
anadonaire.com | 5.39.16.97 |
sbt.com.tr | Unresolvable |
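A table of this size is easier to act on once it is parsed: refang the hxxp:// URLs, separate requests made directly to an IP from requests to a domain, keep the trailing host | IP rows as resolution-only entries, and report anything that is not a plain request for "/". The Python below is an added example, not part of the Lavasoft report; SAMPLE_ROWS is a constructed subset copied from the table above, and the parser accepts the full table pasted in unchanged.

```python
"""Triage helper for the network-activity table above.

Added example; not part of the Lavasoft report. Parses the report's
"left | IP |" rows, undoes the hxxp defanging, classifies each row and
summarises what a blocklist builder would want to know. SAMPLE_ROWS is a
constructed subset of the real table.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed subset of the report's rows, same layout as the page
SAMPLE_ROWS = """
URL | IP |
---|---|
hxxp://72.3.244.228/ | |
hxxp://49.50.8.93/v02/ | |
hxxp://platinumregistration.com/ | 12.151.60.70 |
hxxp://email.visionary.com/ | |
hxxp://209.160.23.206/ | |
hxxp://borneodinawan.com/ | 209.160.23.206 |
lopezshackleford.com | 212.113.128.232 |
sbt.com.tr | Unresolvable |
"""

ROW_RE = re.compile(r"^\s*(?P<left>[^|]+?)\s*\|\s*(?P<ip>[^|]*?)\s*\|?\s*$")


def refang(url: str) -> str:
    """Undo the report's hxxp/hxxps defanging so urlsplit() can parse the URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_rows(table: str) -> list:
    """One dict per data row: host, ip (None if blank or Unresolvable), path, kind.
    kind is 'direct-ip' (URL by address), 'domain' (URL by name) or
    'dns-only' (host | IP row with no URL)."""
    rows = []
    for line in table.splitlines():
        match = ROW_RE.match(line)
        if not match or match["left"] in ("URL", "---"):
            continue  # blank line, header or separator
        left, ip = match["left"], match["ip"].strip()
        ip = ip if is_ip(ip) else None
        if left.lower().startswith("hxxp"):
            parts = urlsplit(refang(left))
            host, path = parts.hostname, parts.path or "/"
            kind = "direct-ip" if is_ip(host) else "domain"
        else:
            host, path, kind = left, None, "dns-only"
        rows.append({"host": host, "ip": ip, "path": path, "kind": kind})
    return rows


def triage(rows: list) -> dict:
    """Counts per kind, requests with a non-root path, and IPs that occur both as
    a direct target and as the resolution of a domain (one server reached two
    ways deserves a second look before it goes on a blocklist)."""
    by_kind = {}
    for row in rows:
        by_kind[row["kind"]] = by_kind.get(row["kind"], 0) + 1
    non_root = sorted(row["host"] + row["path"] for row in rows
                      if row["path"] not in (None, "/"))
    direct = {row["host"] for row in rows if row["kind"] == "direct-ip"}
    resolved = {row["ip"] for row in rows if row["kind"] != "direct-ip" and row["ip"]}
    return {"by_kind": by_kind, "non_root_paths": non_root,
            "ip_overlap": sorted(direct & resolved)}


if __name__ == "__main__":
    for key, value in triage(parse_rows(SAMPLE_ROWS)).items():
        print(f"{key}: {value}")
```

Run against the full table, the non_root_paths list and the ip_overlap set are the entries to investigate first; the long tail of domain rows with a plain "/" request is better logged as observed contacts than blocked outright.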
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
No processes have been created.
- Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\theprintinghouseltd.co[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\enzoyrodrigo.com[1].htm (586 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[1].txt (175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@stepnet[1].txt (219 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ricated[1].htm (260 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\empordalia[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\easygen[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\mojacar-vacaciones[1].htm (876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\cath4choice[1].htm (27 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@totalearthcare.com[1].txt (241 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@screaminpeach[1].txt (233 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@racknstackwarehouse.com[1].txt (251 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\sydney[1].htm (357 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigjohnsbeefjerky[1].txt (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\shs-sales.co[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\sun-ele.co[1].htm (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\aciuba.com[1].htm (73 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@area72aa[1].txt (210 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\brijindia[1].htm (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\robertmcintyre.com[1].htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\ginalimo[1].htm (15 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@goodvaluecenter[1].txt (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\violadagamba[1].htm (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\le-mariage[1].htm (19 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@telenavis[1].txt (225 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sarahdavid[1].txt (227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\fraser-high.school[1].htm (759 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (793 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@golfpark-moossee[1].txt (281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\easygen[1].htm (13 bytes)
%Documents and Settings%\%current user%\cafxascijanu.exe (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\robertmcintyre.com[1].htm (14 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@altonhousehotel[1].txt (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\wkhk[1].htm (1832 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@traderush[1].txt (270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\robertmcintyre.com[2].htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ryumachi-jp[1].htm (10 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@4pipp[1].txt (217 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msasys[1].txt (206 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\mibsga[1].htm (1100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\eygwindows.co[1].htm (1755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\churchclothes[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\frederickallergy[1].htm (15 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@wsipowerontheweb[1].txt (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\bigtopmultimedia[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ixtractor[1].htm (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (19756 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\kamaruka.vic.edu[1].htm (30 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@westhillsstl[1].txt (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\redconeretreat[1].htm (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\sortedorganizing[1].htm (4 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ulcndsu[1].txt (221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\teasing-video[1].htm (1055 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[2].txt (358 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\trinity-works[1].htm (16 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cafxascijanu" = "%Documents and Settings%\%current user%\cafxascijanu.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.