Trojan.Win32.Cutwail.cex (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan-PSW.Win32.Fareit.FD, TrojanPSWFareit.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 1424df189cf82cd21e6929eefb0da760
SHA1: b6074ec4d83da36da521931c917fbe844c3ed511
SHA256: 2c49b300b7b6a69f897f1b0bbc0ae894035c4367aa6149a894687da203b2f53a
SSDeep: 768:iIdb VltyLTE9gDNgpvfxyRpigLVhKtXaXo4CK9:iIsRcIeDNgLyKgLVhKtl4b9
Size: 38400 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2008-11-02 19:13:23
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-PSW. A Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-PSW creates the following process(es):
Reader_sl.exe:1064
wuauclt.exe:344
jusched.exe:1056
The Trojan-PSW injects its code into the following process(es):
%original file name%.exe:1572
File activity
The process wuauclt.exe:344 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Trojan-PSW deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process %original file name%.exe:1572 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
The Trojan-PSW deletes the following file(s):
The process jusched.exe:1056 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
Registry activity
The process Reader_sl.exe:1064 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
The process %original file name%.exe:1572 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
To run itself automatically each time Windows boots, the Trojan-PSW adds a link to its file under the following system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"jyrvicewyxmu" = "%Documents and Settings%\%current user%\jyrvicewyxmu.exe"
The Trojan-PSW modifies IE security-zone settings so that all local web nodes whose names contain no dots, and which are not assigned to any other zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Network activity (URLs)
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
wuauclt.exe:344
- Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\robertmcintyre.com[1].htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\cath4choice[1].htm (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\shipeliteexpress[1].htm (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\combine.or[1].htm (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@altonhousehotel[1].txt (237 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@glmghotels[1].txt (227 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ctr4process[1].txt (230 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.servico-ind[1].txt (214 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@traderush[1].txt (268 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[1].txt (175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\coketh[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\shs-sales.co[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\sarpy[1].htm (20 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[2].txt (317 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\cksglobal[1].htm (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\enzoyrodrigo.com[1].htm (586 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (20720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\lexjuridica[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\index[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\wkhk[1].htm (1832 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[2].txt (358 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@istanbultarim.com[1].txt (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"jyrvicewyxmu" = "%Documents and Settings%\%current user%\jyrvicewyxmu.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.