HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Cutwail.a (v) (VIPRE), Trojan-Downloader.Win32.Cutwail!IK (Emsisoft), Trojan-PSW.Win32.Fareit.FD, TrojanPSWFareit.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 1f077a3cb8346c7e3e68bab926090e46
SHA1: 5003b95c99eeb847d07843d6821003febe249bf0
SHA256: 310cf05052a7ae11f758cb5bd3b16ae06ffcbc989dfd870f493cd62704505112
SSDeep: 768:2voWc2LXvjkD3ioonyZSWgclyXQhW54PtRvk8ULkvKJta7s:soE7MiNnyljlDI4FREAKJX
Size: 44544 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1998-01-01 11:56:33
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-PSW creates the following process(es):
ctfmon.exe:252
The Trojan-PSW injects its code into the following process(es):
1f077a3cb8346c7e3e68bab926090e46.exe:2592
File activity
The process 1f077a3cb8346c7e3e68bab926090e46.exe:2592 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\phototype_com[1].txt (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\thedonaldsongroup_com[1].htm (9 bytes)
%Documents and Settings%\%current user%\Cookies\AZCFRAJS.txt (92 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\cgc-england_com[1].htm (29 bytes)
%Documents and Settings%\%current user%\qiniqvypsydo.exe (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\paulrenna_com[1].txt (1919 bytes)
%Documents and Settings%\%current user%\Cookies\RWQF6Z18.txt (123 bytes)
%Documents and Settings%\%current user%\Cookies\1P05ZG3S.txt (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\bocr[1].htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\photoclubs_com[1].htm (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\trenpalau_com[1].htm (5 bytes)
%Documents and Settings%\%current user%\Cookies\DOHWPVS7.txt (126 bytes)
%Documents and Settings%\%current user%\Cookies\PE1NR6HV.txt (132 bytes)
%Documents and Settings%\%current user%\Cookies\KNB134XP.txt (93 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\m[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\manuyantralaya_com[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\fraser-high_school_nz[1].htm (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\kurecci_or_jp[1].htm (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\cksglobal_net[1].htm (31 bytes)
%Documents and Settings%\%current user%\Cookies\9B62C01A.txt (121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\starmedia_ca[1].htm (1636 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\teasing-video_com[1].htm (1351 bytes)
%Documents and Settings%\%current user%\Cookies\WWL0DXXO.txt (83 bytes)
%Documents and Settings%\%current user%\Cookies\72IJH17T.txt (148 bytes)
%Documents and Settings%\%current user%\Cookies\EOA82CB4.txt (117 bytes)
%Documents and Settings%\%current user%\Cookies\QS4HN7HG.txt (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\precisionsolutionsky_com[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\T4N99EVB.txt (245 bytes)
%Documents and Settings%\%current user%\Cookies\Q6NODL5H.txt (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\rueggeberg_com[1].txt (810 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\GVYEZ9PX.txt (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\lockerlookz_com[1].htm (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\mandi-man_com[1].htm (10 bytes)
%Documents and Settings%\%current user%\Cookies\JBUJ08DV.txt (124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\teknorhino_com[1].htm (78 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\eygwindows_co_uk[1].htm (98 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-796845957-1563985344-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_f3a4e041-90c9-46df-a35a-850a694fae5b (441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\enzoyrodrigo_com_br[1].htm (586 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\solutioncorp_com[1].txt (1991 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\DRHTA3LY.txt (124 bytes)
%Documents and Settings%\%current user%\Cookies\RRAIDHCI.txt (273 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\automa_it[1].htm (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\ubsades_com[1].htm (254 bytes)
%Documents and Settings%\%current user%\Cookies\GKW74YFO.txt (272 bytes)
%Documents and Settings%\%current user%\Cookies\VHUHTU75.txt (123 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\ginalimo_com[1].htm (15 bytes)
%Documents and Settings%\%current user%\Cookies\X9QVRCGE.txt (128 bytes)
%Documents and Settings%\%current user%\Cookies\KZ6PR58X.txt (114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\suspendedpage[1].htm (3 bytes)
The Trojan-PSW deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\KNB134XP.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\AZCFRAJS.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\WWL0DXXO.txt (0 bytes)
Registry activity
The process 1f077a3cb8346c7e3e68bab926090e46.exe:2592 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 30 53 26 BE 46 3D 04 7C 43 12 24 5E 61 A1 11"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"3092446134" = "DD 07 0A 00 03 00 02 00 05 00 12 00 13 00 51 03"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"AppManagement" = "96 FA D2 AA F5 CD A5 7D 55 A0 78 DC 28 8C 64 AF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"qiniqvypsydozap" = "75 4D 25 FC D4 AC F7 CF A7 7F 57 2F 7A 52 2A 02"
The Trojan-PSW modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan-PSW modifies IE settings for security zones to map all local web nodes (names without dots) that are not assigned to any other zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To run automatically each time Windows boots, the Trojan-PSW adds the following link to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"qiniqvypsydo" = "%Documents and Settings%\%current user%\qiniqvypsydo.exe"
The Trojan-PSW modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process ctfmon.exe:252 makes changes in the system registry.
The Trojan-PSW disables automatic startup of the application by deleting the following autorun value in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
Network activity (URLs)
URL | IP |
---|---|
hxxp://thedonaldsongroup.com/ | 64.120.153.69 |
hxxp://acmepacificrepairs.com/ | 69.198.129.78 |
hxxp://buzzkillmedia.com/ | 173.201.140.128 |
hxxp://doctsf.com/ | 213.186.33.17 |
hxxp://cgc-england.com/ | 81.88.57.68 |
hxxp://christybarry.com/ | 66.49.139.143 |
hxxp://ginalimo.com/ | 209.105.227.150 |
hxxp://solutioncorp.com/ | 66.111.53.120 |
hxxp://stormwildlifeart.com/ | 70.86.7.138 |
hxxp://asj.co.jp/ | 219.118.206.4 |
hxxp://bigjohnsbeefjerky.com/ | 190.93.241.165 |
hxxp://kagu-hokuren.com/ | 60.43.132.135 |
hxxp://kurecci.or.jp/ | 119.245.143.88 |
hxxp://christybarry.com/cgi-sys/suspendedpage.cgi | |
hxxp://neurotoxininstitute.com/ | 190.93.243.134 |
hxxp://enzoyrodrigo.com.br/ | 216.245.218.146 |
hxxp://sigmametalsinc.com/ | 208.113.149.173 |
hxxp://rewardhits.com/ | 66.45.248.130 |
hxxp://cabooseonline.com/ | 192.138.20.228 |
hxxp://perc.ca/ | 69.89.31.118 |
hxxp://gamblingonlinemagazine.com/ | 198.1.90.242 |
hxxp://alternative-aquitaine.co.uk/ | 108.162.201.52 |
hxxp://paulrenna.com/ | 198.154.229.165 |
hxxp://appelfarm.org/ | 108.162.205.115 |
hxxp://www.sigmaaero.com/ | 208.113.225.142 |
hxxp://tessera.co.jp/ | 202.212.212.209 |
hxxp://egao.net/ | 121.83.133.146 |
hxxp://brookfarm.com.au/ | 116.251.204.207 |
hxxp://merceorti.com/ | 80.93.92.146 |
hxxp://eurasia.it/ | 54.229.116.65 |
hxxp://rodeoshow.com.au/ | 103.28.250.103 |
hxxp://churchsupplies.net/ | 66.232.99.164 |
hxxp://graceweb.net/ | 208.97.174.44 |
hxxp://precisionsolutionsky.com/ | 64.34.163.206 |
hxxp://telenavis.com/ | 80.245.173.163 |
hxxp://stecom.nl/ | 193.23.143.117 |
hxxp://youjoomla.com/ | 69.65.11.200 |
hxxp://avant-ime.com/ | 188.121.45.218 |
hxxp://teasing-video.com/ | 99.192.154.182 |
hxxp://chocolatecovers.com/ | 141.101.123.98 |
hxxp://t7k6a.x.incapdns.net/ | |
hxxp://padstow.com/ | 62.233.107.131 |
hxxp://cf-protected-www.graceweb.net.cdn.cloudflare.net/ | |
hxxp://d4drmedia.com/ | 208.70.247.105 |
hxxp://photoclubs.com/ | 209.50.251.101 |
hxxp://phototype.com/ | 216.70.113.196 |
hxxp://rueggeberg.com/ | 81.209.182.37 |
hxxp://4pipp.com/ | 141.101.116.69 |
hxxp://nd-evenementiel.com/ | 79.98.23.30 |
hxxp://minatech.net/ | 202.181.97.93 |
hxxp://eleterno.com/ | 82.98.86.162 |
hxxp://manuyantralaya.com/ | 108.163.209.234 |
hxxp://malagacorp.com/ | 199.204.137.151 |
hxxp://fraser-high.school.nz/ | 210.48.67.144 |
hxxp://stepnet.de/ | 91.250.116.6 |
hxxp://sspackaginggroup.com/ | 182.50.130.117 |
hxxp://safetyconnection.ca/ | 209.222.48.210 |
hxxp://ubsades.com/ | 144.76.86.115 |
hxxp://bocr.cz/ | 217.198.115.41 |
hxxp://courtney.ca/ | 67.223.102.97 |
hxxp://cksglobal.net/ | 46.249.205.175 |
hxxp://bocr.cz/bocr | |
hxxp://istanbultarim.com.tr/ | 31.7.35.112 |
hxxp://theartofhair.com/ | 198.57.254.76 |
hxxp://gcs-cpa.com/ | 64.14.68.37 |
hxxp://bocr.cz/bocr/ | |
hxxp://cf-protected-www.theartofhair.com.cdn.cloudflare.net/index.php?q=403.shtml | |
hxxp://totalearthcare.com.au/ | 108.162.196.53 |
hxxp://mail57.us2.mcsv.net/ | 173.231.139.57 |
hxxp://screaminpeach.com/ | 108.162.203.235 |
hxxp://altonhousehotel.com/ | 108.162.205.109 |
hxxp://mailchimp.com/about/mcsv/ | 50.22.201.236 |
hxxp://upsilon89.com/ | 151.236.48.69 |
hxxp://e-kagami.com/ | 54.249.238.243 |
hxxp://sullyfrance.com/ | 216.8.179.23 |
hxxp://racknstackwarehouse.com.au/ | 141.101.116.200 |
hxxp://mastergrp-spb.ru/ | 188.127.245.119 |
hxxp://arquiteturadigital.com/ | 208.113.187.143 |
hxxp://mandi-man.com/ | 210.172.144.61 |
hxxp://starmedia.ca/ | 168.144.92.210 |
hxxp://selldoor.pl/ | 212.85.112.239 |
hxxp://austriansurfing.at/ | 85.13.136.86 |
hxxp://selldoor.pl/m/ | |
hxxp://ziuabarbatului.ro/ | 194.50.126.226 |
hxxp://acsmedioambiente.com/ | 50.97.221.19 |
hxxp://trenpalau.com/ | 217.149.11.231 |
hxxp://eyggroup.com/ | 85.233.160.22 |
hxxp://eygwindows.co.uk/ | |
hxxp://adultlivechat.us/ | 74.119.145.130 |
hxxp://automa.it/ | 62.149.203.92 |
meridies.org | 127.0.0.1 |
tutuji-saitama.com | 124.108.33.192 |
www.graceweb.net | 108.162.196.90 |
gablemarine.com | 141.101.126.46 |
brandone.us | 103.9.101.61 |
xn--22c6bfh8abch1g1b0ap6a9vxa.com | 192.254.222.46 |
brownlumber.net | 70.34.140.71 |
avisay.com | 127.0.0.1 |
in1.smtp.messagingengine.com | 66.111.4.71 |
gulfcoen.net | 209.67.228.186 |
lestersupstatesports.com | 68.169.63.231 |
ecsnj.com | 75.146.221.101 |
msasys.com | 216.70.112.211 |
acerbinky.com | 198.57.253.228 |
cbsprinting.com.au | 141.101.116.74 |
ibcd.com.br | 192.168.0.1 |
ydental.com | 157.7.144.5 |
hair-hutte.com | 210.172.144.24 |
crank-scrapers.com | 64.119.182.121 |
www.rodeoshow.com.au | 199.83.128.103 |
mxs.mail.ru | 94.100.176.20 |
orion-networks.net | 127.0.0.1 |
tenpole.com | 127.0.0.1 |
www.screaminpeach.com | 108.162.203.235 |
aerotech.com.hk | 61.238.46.42 |
smtp.mail.yahoo.com | 63.250.193.228 |
belmontflora.com | 180.210.201.135 |
brookhousegas.co.uk | 176.32.230.27 |
usgwarchives.net | 67.205.102.15 |
vnhanoi.com | 222.122.56.41 |
gmail-smtp-in.l.google.com | 74.125.142.26 |
fractalcom.net | 202.166.193.68 |
alt4.gmail-smtp-in.l.google.com | 173.194.65.26 |
kellyspropertyservices.com | 74.220.215.76 |
www.phototype.com | 216.70.113.196 |
mucc.org | 173.236.196.34 |
penavision.co.in | 127.0.0.1 |
www.photoclubs.com | 209.50.251.101 |
brhd.org | 192.185.226.23 |
vpx.com | 198.58.103.98 |
nataliecurtiss.com | 192.168.100.1 |
www.avant-ime.com | 188.121.45.218 |
soapandmore.com | 67.228.196.94 |
hartleyfoundation.org | 204.11.101.219 |
adfolsa.com.ec | 74.220.215.55 |
fxd24.com | 198.57.156.135 |
kondarihotel.com.au | 66.147.244.82 |
szostka.com | 127.0.0.1 |
cassdelivers.org | 206.188.193.144 |
denville.ca | 204.11.237.35 |
www.bigjohnsbeefjerky.com | 190.93.241.165 |
tafinance.com | 103.28.12.23 |
nc-concept.com | 94.23.247.172 |
www.solutioncorp.com | 66.111.53.120 |
csmbc.org | 129.121.224.188 |
comfortinsulation.com | 69.42.58.38 |
lockerlookz.com | 50.63.84.77 |
al-mawared.com | 209.50.248.224 |
www.theartofhair.com | 108.162.199.64 |
kingscoteit.com | 206.51.236.38 |
www.teknorhino.com | 66.45.248.130 |
clovisportales.com | 66.96.161.128 |
freepatentauction.com | 213.186.33.4 |
geodecisions.com | 216.174.25.93 |
katsumata-arch.com | 210.188.201.168 |
mail7.digitalwaves.co.nz | 127.0.0.1 |
free-service.de | 176.28.53.122 |
darshanvatika.com | 208.91.198.42 |
theautospas.com | 70.32.102.108 |
www.eygwindows.co.uk | 173.0.129.54 |
naijagurus.com | Unresolvable |
graintrain.coop | Unresolvable |
antakyaturu.com | Unresolvable |
meubles-jacquelin.com | Unresolvable |
x-cellcommunications.de | Unresolvable |
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate the original Trojan-PSW's process (How to End a Process With the Task Manager).
- Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\phototype_com[1].txt (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\thedonaldsongroup_com[1].htm (9 bytes)
%Documents and Settings%\%current user%\Cookies\AZCFRAJS.txt (92 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\cgc-england_com[1].htm (29 bytes)
%Documents and Settings%\%current user%\qiniqvypsydo.exe (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\paulrenna_com[1].txt (1919 bytes)
%Documents and Settings%\%current user%\Cookies\RWQF6Z18.txt (123 bytes)
%Documents and Settings%\%current user%\Cookies\1P05ZG3S.txt (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\bocr[1].htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\photoclubs_com[1].htm (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\trenpalau_com[1].htm (5 bytes)
%Documents and Settings%\%current user%\Cookies\DOHWPVS7.txt (126 bytes)
%Documents and Settings%\%current user%\Cookies\PE1NR6HV.txt (132 bytes)
%Documents and Settings%\%current user%\Cookies\KNB134XP.txt (93 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\m[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\manuyantralaya_com[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\fraser-high_school_nz[1].htm (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\kurecci_or_jp[1].htm (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\cksglobal_net[1].htm (31 bytes)
%Documents and Settings%\%current user%\Cookies\9B62C01A.txt (121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\starmedia_ca[1].htm (1636 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\teasing-video_com[1].htm (1351 bytes)
%Documents and Settings%\%current user%\Cookies\WWL0DXXO.txt (83 bytes)
%Documents and Settings%\%current user%\Cookies\72IJH17T.txt (148 bytes)
%Documents and Settings%\%current user%\Cookies\EOA82CB4.txt (117 bytes)
%Documents and Settings%\%current user%\Cookies\QS4HN7HG.txt (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\precisionsolutionsky_com[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\T4N99EVB.txt (245 bytes)
%Documents and Settings%\%current user%\Cookies\Q6NODL5H.txt (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\rueggeberg_com[1].txt (810 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\GVYEZ9PX.txt (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\lockerlookz_com[1].htm (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\mandi-man_com[1].htm (10 bytes)
%Documents and Settings%\%current user%\Cookies\JBUJ08DV.txt (124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\teknorhino_com[1].htm (78 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\eygwindows_co_uk[1].htm (98 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-796845957-1563985344-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_f3a4e041-90c9-46df-a35a-850a694fae5b (441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\enzoyrodrigo_com_br[1].htm (586 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\solutioncorp_com[1].txt (1991 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\DRHTA3LY.txt (124 bytes)
%Documents and Settings%\%current user%\Cookies\RRAIDHCI.txt (273 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\automa_it[1].htm (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\ubsades_com[1].htm (254 bytes)
%Documents and Settings%\%current user%\Cookies\GKW74YFO.txt (272 bytes)
%Documents and Settings%\%current user%\Cookies\VHUHTU75.txt (123 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\ginalimo_com[1].htm (15 bytes)
%Documents and Settings%\%current user%\Cookies\X9QVRCGE.txt (128 bytes)
%Documents and Settings%\%current user%\Cookies\KZ6PR58X.txt (114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\suspendedpage[1].htm (3 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"qiniqvypsydo" = "%Documents and Settings%\%current user%\qiniqvypsydo.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.