Gen:Variant.Graftor.125024 (BitDefender), Trojan.Win32.Cutwail.cfo (Kaspersky), BackDoor.Bulknet.1299 (DrWeb), Gen:Variant.Graftor.125024 (B) (Emsisoft), PWSZbot-FOF!98844D0D8B28 (McAfee), WS.Reputation.1 (Symantec), Trojan-Downloader.Win32.Cutwail (Ikarus), Gen:Variant.Graftor.125024 (FSecure), Trojan-PSW.Win32.Fareit.FD, TrojanPSWFareit.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 98844d0d8b28ef5bd97bd82b0eaf5b82
SHA1: f3e3dd628670a808e1383e819f907c7844ce7aa4
SHA256: 059dd442f33feba010ea994a5418b61430c85cf7f7fa39f9e5c71c3888b81be1
SSDeep: 1536:iPMZBEr5QREE7lzaOtId9PHs65Jp Pst7J:i0ZBsih7gbd9PVJoEx
Size: 85504 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: Armadillov171, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, UPolyXv05_v6
Company: no certificate found
Created at: 2011-04-28 15:44:57
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-PSW creates the following process(es):No processes have been created.The Trojan-PSW injects its code into the following process(es):
%original file name%.exe:1548
File activity
The process %original file name%.exe:1548 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@racknstackwarehouse.com[1].txt (251 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigtopmultimedia[1].txt (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\churchclothes[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\timeturkey[1].htm (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\rovoneli[1].htm (261 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rodeoshow.com[1].txt (273 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atr-technologies[1].txt (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fraser-high.school[1].htm (759 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@re-wakefield.co[1].txt (235 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@istanbultarim.com[1].txt (239 bytes)
%Documents and Settings%\%current user%\vinukykeapud.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\bocr[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@totalearthcare.com[1].txt (241 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigtopmultimedia[2].txt (239 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@screaminpeach[1].txt (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\mojacar-vacaciones[1].htm (876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\safetyconnection[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\empordalia[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\home[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\redconeretreat[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\lockerlookz[1].htm (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sarpy[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@goodvaluecenter[1].txt (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cath4choice[1].htm (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\kamaruka.vic.edu[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@plus[1].txt (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\eleterno[1].htm (17 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cbsprinting.com[1].txt (235 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[2].txt (297 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (881 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigjohnsbeefjerky[1].txt (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\enzoyrodrigo.com[2].htm (586 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\suspendedpage[1].htm (999 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\teasing-video[1].htm (1542 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\slcago[1].htm (400 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@pcpeds[1].txt (219 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@geothermusa[1].txt (160 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[1].txt (152 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@traderush[1].txt (268 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[1].txt (175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shs-sales.co[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\enzoyrodrigo.com[1].htm (586 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hostphd.com[1].htm (24 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ulcndsu[1].txt (221 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (22552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sortedorganizing[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shs-sales.co[2].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\momonophoto[1].htm (19 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sarahdavid[1].txt (227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[2].txt (358 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\urantiaproject[1].htm (756 bytes)
The Trojan-PSW deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@bigtopmultimedia[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\churchclothes[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\timeturkey[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\rovoneli[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\bocr[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\safetyconnection[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\empordalia[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\home[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\redconeretreat[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\lockerlookz[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shs-sales.co[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\kamaruka.vic.edu[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\eleterno[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\enzoyrodrigo.com[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\slcago[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sarpy[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\enzoyrodrigo.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hostphd.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cath4choice[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shs-sales.co[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\momonophoto[1].htm (0 bytes)
Registry activity
The process %original file name%.exe:1548 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"vinukykeapudzap" = "7B 53 2B 03 DA B2 8A 62 3A 12 E9 C1 99 71 49 94"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"2312304364" = "DD 07 0C 00 01 00 17 00 03 00 35 00 28 00 92 02"
"AppManagement" = "A7 7F 57 2F 07 DE B6 8E 66 3E 16 ED C5 11 E8 C0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 4D 85 99 91 E7 C6 77 40 8F D8 54 EA 33 18 BD"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"vinukykeapud" = "%Documents and Settings%\%current user%\vinukykeapud.exe"
The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://bocr.cz/ | 217.198.115.41 |
| hxxp://sigmametalsinc.com/ | 208.113.149.173 |
| hxxp://timeturkey.com/ | 89.19.17.218 |
| hxxp://rovoneli.com/ | 144.76.86.115 |
| hxxp://hostphd.com.br/ | 192.196.156.73 |
| hxxp://eyggroup.com/ | 85.233.160.22 |
| hxxp://wlf.louisiana.gov/ | 184.106.119.164 |
| hxxp://bocr.cz/bocr | |
| hxxp://urantiaproject.com/ | 69.94.124.47 |
| hxxp://cath4choice.org/ | 76.12.228.8 |
| hxxp://eygwindows.co.uk/ | |
| hxxp://sullyfrance.com/ | 216.8.179.23 |
| hxxp://www.sigmaaero.com/ | 208.113.225.142 |
| hxxp://bocr.cz/bocr/ | |
| hxxp://d4drmedia.com/ | 208.70.247.105 |
| hxxp://mail57.us2.mcsv.net/ | 173.231.139.57 |
| hxxp://141.101.116.118/ | |
| hxxp://fraser-high.school.nz/ | 210.48.67.144 |
| hxxp://mojacar-vacaciones.com/ | 12.158.190.246 |
| hxxp://re-wakefield.co.uk/ | 141.101.117.86 |
| hxxp://mailchimp.com/about/mcsv/ | 50.22.201.236 |
| hxxp://safetyconnection.ca/ | 209.222.48.210 |
| hxxp://79.98.23.30/ | |
| hxxp://miltinio-teatras.lt/ | 92.61.39.244 |
| hxxp://padstow.com/ | 62.233.107.131 |
| hxxp://bethisraelcenter.org/ | 204.213.246.4 |
| hxxp://geodecisions.com/ | 216.174.25.93 |
| hxxp://iaiglobal.or.id/ | 49.50.8.93 |
| hxxp://capitalcitytuxedo.com/ | 67.223.102.236 |
| hxxp://redconeretreat.com/ | 173.204.163.136 |
| hxxp://csmbc.org/ | 149.47.157.224 |
| hxxp://slcago.org/ | 97.74.80.192 |
| hxxp://kafrit.com/ | 62.219.2.230 |
| hxxp://coopsupermarkt.nl/ | 213.247.43.95 |
| hxxp://momonophoto.com/ | 203.189.105.136 |
| hxxp://199.83.132.93/ | |
| hxxp://guberman.com.br/ | 186.202.149.17 |
| hxxp://bigjohnsbeefjerky.com/ | 190.93.241.165 |
| hxxp://totalearthcare.com.au/ | 108.162.192.154 |
| hxxp://e-kagami.com/ | 54.249.238.243 |
| hxxp://buzzkillmedia.com/ | 173.201.140.128 |
| hxxp://christybarry.com/ | 66.49.139.143 |
| hxxp://christybarry.com/cgi-sys/suspendedpage.cgi | |
| hxxp://50.97.221.19/ | |
| hxxp://gablemarine.com/ | 141.101.126.46 |
| hxxp://brookfarm.com.au/ | 116.251.204.207 |
| hxxp://188.93.212.32/ | |
| hxxp://goodvaluecenter.com/ | 108.162.202.140 |
| hxxp://sztartufi.com/ | 95.110.192.171 |
| hxxp://leadershipforum.us/ | 66.39.30.185 |
| hxxp://95.110.200.253/ | |
| hxxp://rodeoshow.com.au/ | 103.28.250.103 |
| hxxp://t7k6a.x.incapdns.net/ | |
| hxxp://chscreative.com/ | 95.85.15.57 |
| hxxp://racknstackwarehouse.com.au/ | 141.101.116.200 |
| hxxp://boundbydesign.com/ | 97.74.55.128 |
| hxxp://perc.ca/ | 69.89.31.118 |
| hxxp://nanfangcw.com/ | 119.145.168.16 |
| hxxp://upsilon89.com/ | 151.236.48.69 |
| hxxp://fabianonline.de/ | 88.198.7.211 |
| hxxp://iaiglobal.or.id/v02 | |
| hxxp://schiedel.it/ | 217.145.99.26 |
| hxxp://lindsaymuskies.com/ | 70.86.133.242 |
| hxxp://areafor.com/ | 185.2.130.31 |
| hxxp://goodtimestove.com/ | 108.175.156.203 |
| hxxp://ziuabarbatului.ro/ | 194.50.126.226 |
| hxxp://trilatino.org/ | 65.254.248.203 |
| hxxp://automa.it/ | 95.110.195.52 |
| hxxp://newstarit.com/ | 74.86.195.192 |
| hxxp://kamaruka.vic.edu.au/ | 112.140.176.61 |
| hxxp://alain-cristina.fr/ | 213.186.33.19 |
| hxxp://astechindo.com/ | 119.235.30.117 |
| hxxp://sarpy.com/ | 66.37.225.130 |
| hxxp://gemeauxrecords.com/ | 122.152.128.150 |
| hxxp://beautifulworksforyou.com/ | 64.207.145.142 |
| hxxp://geothermusa.com/ | 50.62.125.1 |
| hxxp://mirasmart.com/ | 198.46.141.242 |
| hxxp://nc-engineering.com/ | 5.159.228.49 |
| hxxp://eleterno.com/ | 184.168.233.1 |
| hxxp://sicklescorp.com/ | 207.58.128.176 |
| hxxp://movielodge.com/ | 146.82.204.123 |
| hxxp://nuritech.com/ | 222.239.78.139 |
| hxxp://cen-wealth.com/ | 184.172.26.250 |
| hxxp://zdnic.com/ | 46.4.30.139 |
| hxxp://churchsupplies.net/ | 66.232.99.164 |
| hxxp://digitalshell.net/ | 174.36.6.111 |
| hxxp://cieam.com.br/ | 184.107.204.130 |
| hxxp://sortedorganizing.com/ | 74.220.199.6 |
| hxxp://simmons-huynh.org/ | 50.62.41.212 |
| hxxp://iaiglobal.or.id/v02/ | |
| hxxp://alemnet.org/ | 81.92.217.235 |
| hxxp://dogchat.co.uk/ | 205.196.222.203 |
| hxxp://yniteh.ru/ | 82.146.40.77 |
| hxxp://q-productions.com/ | 216.117.177.69 |
| hxxp://autoakcesoria.com.pl/ | 212.85.97.185 |
| hxxp://clarendonmarketing.com/ | 62.128.202.97 |
| hxxp://wykrywacze.com.pl/ | 194.169.227.15 |
| hxxp://gameznstuff.com/ | 74.125.224.41 |
| hxxp://huyserasphalt.com/ | 69.163.228.228 |
| hxxp://eaam.org/ | 85.25.146.108 |
| hxxp://bghydro.com/ | 71.92.77.190 |
| hxxp://consolerepairguy.com/ | 156.34.233.155 |
| hxxp://gruponexus.com.ar/ | 75.98.175.50 |
| hxxp://typowerspring.com/ | 202.39.245.6 |
| hxxp://courthousetravelclinic.com/ | 50.63.139.195 |
| hxxp://korea-engine.com/ | 222.122.86.253 |
| hxxp://realtors.co.il/ | 198.64.249.178 |
| hxxp://cidvale.com.br/ | 187.33.34.70 |
| hxxp://amcenter.ru/ | 188.94.91.44 |
| hxxp://gesyuku.net/ | 157.7.184.19 |
| hxxp://rdiamondgroup.com/ | 66.119.165.58 |
| hxxp://tubaloo.net/ | 204.232.156.35 |
| hxxp://pengadindy.com/ | 199.230.52.72 |
| hxxp://unityfdn.org/ | 208.85.226.200 |
| hxxp://kationo.com/ | 49.50.8.69 |
| hxxp://sepalumic.com/ | 188.165.218.66 |
| hxxp://fas-assur.com/ | 213.186.33.87 |
| hxxp://accountancywales.com/ | 141.101.116.184 |
| hxxp://tenak.org/ | 192.254.194.147 |
| hxxp://tomballbible.org/ | 205.186.175.198 |
| hxxp://marbet.com/ | 176.9.141.61 |
| hxxp://centinelafeed.com/ | 66.96.131.51 |
| hxxp://fano.net/ | 95.110.204.251 |
| hxxp://activeday.com/ | 50.28.22.229 |
| hxxp://soilsystem.com/ | 210.172.144.23 |
| hxxp://eastwesteye.com/ | 216.104.33.234 |
| hxxp://forodeopinion.org/ | 46.105.127.76 |
| hxxp://autoesteller.com/ | 198.136.63.96 |
| hxxp://hotelportonmedellin.com/ | 74.55.240.194 |
| hxxp://ogunquitbeach.com/ | 64.226.226.116 |
| hxxp://digitalsmarthomes.com/ | 69.90.223.224 |
| hxxp://kendo24.com/ | 212.218.192.17 |
| hxxp://lisavillar.com/ | 209.59.167.128 |
| hxxp://manuelandsonscarpetcleaning.net/ | 173.192.168.242 |
| hxxp://fabrizio.net/ | 216.120.237.103 |
| hxxp://ontimegamefeeders.com/ | 142.4.22.195 |
| hxxp://accommodationinvenice.com/ | 62.149.227.232 |
| hxxp://connection507.com/ | 209.105.229.60 |
| hxxp://fondoarco.it/ | 79.125.13.0 |
| hxxp://simdog.net/ | 174.132.133.82 |
| hxxp://webvenues.com/ | 198.66.255.180 |
| hxxp://dynatec-vp.com/ | 211.13.204.3 |
| hxxp://turbo-separator.ch/ | 80.74.145.50 |
| hxxp://fotofilmes.com.br/ | 69.175.99.162 |
| hxxp://ercotravels.com/ | 198.154.226.124 |
| hxxp://jjrjr.com/ | 74.208.164.214 |
| hxxp://ertebatsanat.com/ | 91.98.29.146 |
| hxxp://styloshoes.com/ | 185.28.36.38 |
| hxxp://cobrasystems.com/ | 184.168.151.229 |
| hxxp://hugheschem.com/ | 203.122.59.43 |
| hxxp://thelogoloft.com/ | 76.12.80.107 |
| hxxp://clarkebasementsystems.com/ | 50.56.161.202 |
| hxxp://fuentenebro.com.es/ | 212.142.132.70 |
| hxxp://colourtex.co.in/ | 174.132.183.227 |
| hxxp://netalive.org/ | 217.150.250.111 |
| hxxp://stimpson.com/ | 205.186.179.197 |
| hxxp://zocher.us/ | 64.111.127.245 |
| hxxp://iftcargas.com.br/ | 108.167.175.110 |
| hxxp://nsjnail.com/ | 202.143.64.38 |
| hxxp://mundysflorist.com/ | 213.229.121.172 |
| hxxp://chapsrus.com/ | 199.36.105.162 |
| hxxp://thecamelnet.com/ | 149.47.141.168 |
| hxxp://rmmfg.com/ | 162.144.56.223 |
| hxxp://myjeweller.com.au/ | 128.242.87.51 |
| hxxp://coopcoach.ch/ | 85.237.85.61 |
| hxxp://stomaster.com/ | 161.58.72.151 |
| hxxp://tokushukai.com/ | 133.242.9.199 |
| hxxp://leesos.com/ | 218.38.12.35 |
| hxxp://nbgeneralsoft.ro/ | 86.123.3.190 |
| hxxp://chakuonya.com/ | 49.212.88.87 |
| hxxp://jps-salledebain.net/ | 95.128.74.58 |
| hxxp://sadotrans.com/ | 188.132.194.16 |
| hxxp://klasiquegoldens.com/ | 216.172.104.4 |
| hxxp://recoding.net/ | 46.38.175.198 |
| hxxp://absolutaire.com/ | 50.28.60.108 |
| hxxp://oasis-land.com/ | 91.232.125.10 |
| hxxp://kselsig.com/ | 192.232.209.199 |
| hxxp://3dwebstudio.com.br/ | 199.201.89.27 |
| hxxp://oprs.org/ | 198.1.79.36 |
| hxxp://gruponunez.com/ | 77.240.127.10 |
| hxxp://palomoyporras.com/ | 184.106.58.109 |
| hxxp://igpromocions.com/ | 164.138.208.139 |
| hxxp://temple-sinai.net/ | 192.232.204.85 |
| hxxp://ccvaughan.com/ | 50.22.242.35 |
| hxxp://jackshainman.com/ | 198.1.82.122 |
| hxxp://j-english.net/ | 112.78.112.106 |
| hxxp://ultrapowder.com/ | 210.166.220.107 |
| hxxp://pedrottivini.com/ | 62.149.204.115 |
| hxxp://lockportpark.org/ | 184.168.193.48 |
| hxxp://indygojunction.com/ | 70.32.105.174 |
| hxxp://ndi.net.pl/ | 193.105.32.5 |
| hxxp://zappa.com.mx/ | 208.76.82.133 |
| hxxp://metaxasarch.com/ | 198.58.124.131 |
| hxxp://icomco.com/ | 67.228.43.208 |
| hxxp://deryaltd.com.tr/ | 188.132.205.141 |
| hxxp://blossomvalleybiblechurch.com/ | 64.14.78.35 |
| hxxp://irvink.com/ | 175.107.131.177 |
| hxxp://azcec.org/ | 67.205.39.250 |
| hxxp://brahouse.ro/ | 80.86.106.123 |
| hxxp://futureligonier.org/ | 137.118.32.81 |
| hxxp://customsignstore.com/ | 80.249.161.149 |
| hxxp://m-sj.or.jp/ | 210.155.248.145 |
| hxxp://gerryraymonda.com/ | 174.37.200.162 |
| hxxp://ntfire.net/ | 64.77.84.66 |
| hxxp://mcloone.com/ | 50.57.40.42 |
| hxxp://oaklandholidayparade.com/ | 66.71.249.202 |
| hxxp://aestheticsoft.com/ | 86.57.246.177 |
| hxxp://airfloatsys.com/ | 50.56.193.181 |
| hxxp://badwinkel.be/ | 195.81.125.36 |
| hxxp://wisperisp.com/ | 38.114.71.98 |
| hxxp://hosttayim.com/ | 188.138.72.198 |
| hxxp://premierhotels.co.za/ | 216.70.99.175 |
| hxxp://auxsoinsdespetits.com/ | 209.41.133.210 |
| hxxp://photographe-31.com/ | 213.186.33.3 |
| hxxp://flower-gekijo.com/ | 210.172.144.245 |
| hxxp://opportunity-inc.com/ | 208.122.226.210 |
| hxxp://cabcollege.org/ | 108.162.198.181 |
| hxxp://mojaxxllinia.com/ | 91.185.200.6 |
| hxxp://nutri-tech.com.au/ | 174.120.144.74 |
| hxxp://opale-net.net/ | 216.130.181.140 |
| hxxp://niigata-koi.com/ | 210.172.144.242 |
| hxxp://standrewspres.com/ | 67.210.102.9 |
| hxxp://tornayabogados.com/ | 85.238.2.245 |
| hxxp://internetway.net/ | 178.16.164.211 |
| hxxp://mprojp.com/ | 210.172.144.248 |
| hxxp://autoglass-takatsuki.com/ | 210.188.195.101 |
| hxxp://mickeyshorr.com/ | 198.20.224.224 |
| hxxp://southlinksgolf.com/ | 174.120.70.214 |
| hxxp://koka-kanko.org/ | 202.229.27.125 |
| hxxp://power-oldie.com/ | 78.47.90.12 |
| hxxp://cdpublications.com/ | 209.213.117.205 |
| hxxp://lordhaldonhotel.co.uk/ | 192.155.90.223 |
| hxxp://nagoya67.com/ | 122.152.128.166 |
| hxxp://garyfoundation.com/ | 198.154.194.17 |
| realtechre.com | 127.0.0.1 |
| ebda.org.pl | 81.2.201.235 |
| xmassalt.com | 210.172.144.179 |
| daytonaffair.org | 74.218.130.98 |
| fatvirgin.com | 216.108.226.14 |
| gracechicago.com | 127.0.0.1 |
| sasquatch.com | 184.173.67.65 |
| in1.smtp.messagingengine.com | 66.111.4.72 |
| umutgumrukleme.com | 85.17.253.48 |
| galloplast.com | 46.16.58.6 |
| callaisofs.com | 209.124.203.131 |
| greencroft.org | 209.235.193.33 |
| cadeclinic.com | 203.98.74.146 |
| k-ryokuen.com | 219.101.65.6 |
| vitalur.by | 178.159.246.76 |
| www.rodeoshow.com.au | 199.83.128.103 |
| mxs.mail.ru | 94.100.176.20 |
| tenpole.com | 127.0.0.1 |
| konishi-hp.com | 122.219.254.148 |
| www.momonophoto.com | 203.189.105.136 |
| eomc.net | 213.208.149.2 |
| blumencorso.com | 83.65.246.206 |
| timbertrading.it | 81.31.155.45 |
| gmail-smtp-in.l.google.com | 74.125.142.27 |
| milnsbridge.com.au | 198.58.126.237 |
| hayan-design.com | 222.122.39.96 |
| biotek.com | 72.3.161.227 |
| alt4.gmail-smtp-in.l.google.com | 74.125.136.27 |
| elvial.gr | 178.238.227.82 |
| aethora.com | 67.207.143.253 |
| madih.info | 72.29.82.72 |
| adult-vids.com | 66.230.173.51 |
| redeinformatica.net | 217.160.206.205 |
| nataliecurtiss.com | 192.168.100.1 |
| xing-group.com | 59.106.165.171 |
| tollefsondesign.com | 192.168.0.1 |
| foamearphonecover.com | 94.136.36.27 |
| chunkymuscle.com | 37.130.231.239 |
| nasuken.com | 59.106.165.171 |
| www.bigjohnsbeefjerky.com | 190.93.241.165 |
| goldhostusa.com | 142.4.20.117 |
| welcomingcenter.org | 166.78.162.166 |
| saber-scorpion.com | 216.55.168.44 |
| concls.com | 66.193.46.49 |
| genmar.gen.tr | 127.0.0.1 |
| www.iaiglobal.or.id | 49.50.8.93 |
| cambridgeny.net | 66.35.48.26 |
| marineware.com | 66.96.147.120 |
| accel.lt | 127.0.0.1 |
| qualitypunch.com | 173.201.189.225 |
| rmpdesign.com | 79.170.192.247 |
| mail7.digitalwaves.co.nz | 127.0.0.1 |
| reflite.com | 210.248.135.16 |
| alcapelhost.com | 173.224.120.224 |
| accu-swift.com | 184.107.166.98 |
| goodhill.com.kh | 119.82.249.9 |
| www.eygwindows.co.uk | 173.0.131.15 |
| yourorlandogetaway.com | Unresolvable |
| manuyantralaya.com | Unresolvable |
| hifuken.com | Unresolvable |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
- Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%Documents and Settings%\%current user%\Cookies\Current_User@racknstackwarehouse.com[1].txt (251 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigtopmultimedia[1].txt (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\churchclothes[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\timeturkey[1].htm (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\rovoneli[1].htm (261 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rodeoshow.com[1].txt (273 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atr-technologies[1].txt (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fraser-high.school[1].htm (759 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@re-wakefield.co[1].txt (235 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@istanbultarim.com[1].txt (239 bytes)
%Documents and Settings%\%current user%\vinukykeapud.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\bocr[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@totalearthcare.com[1].txt (241 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigtopmultimedia[2].txt (239 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@screaminpeach[1].txt (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\mojacar-vacaciones[1].htm (876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\safetyconnection[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\empordalia[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\home[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\redconeretreat[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\lockerlookz[1].htm (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sarpy[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@goodvaluecenter[1].txt (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cath4choice[1].htm (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\kamaruka.vic.edu[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@plus[1].txt (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\eleterno[1].htm (17 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cbsprinting.com[1].txt (235 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[2].txt (297 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (881 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigjohnsbeefjerky[1].txt (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\enzoyrodrigo.com[2].htm (586 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\suspendedpage[1].htm (999 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\teasing-video[1].htm (1542 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\slcago[1].htm (400 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@pcpeds[1].txt (219 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@geothermusa[1].txt (160 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[1].txt (152 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@traderush[1].txt (268 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[1].txt (175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shs-sales.co[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\enzoyrodrigo.com[1].htm (586 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hostphd.com[1].htm (24 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ulcndsu[1].txt (221 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (22552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sortedorganizing[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shs-sales.co[2].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\momonophoto[1].htm (19 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sarahdavid[1].txt (227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[2].txt (358 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\urantiaproject[1].htm (756 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"vinukykeapud" = "%Documents and Settings%\%current user%\vinukykeapud.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.