Trojan.Win32.Cutwail.cex (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan-PSW.Win32.Fareit.FD, TrojanPSWFareit.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 1424df189cf82cd21e6929eefb0da760
SHA1: b6074ec4d83da36da521931c917fbe844c3ed511
SHA256: 2c49b300b7b6a69f897f1b0bbc0ae894035c4367aa6149a894687da203b2f53a
SSDeep: 768:iIdb VltyLTE9gDNgpvfxyRpigLVhKtXaXo4CK9:iIsRcIeDNgLyKgLVhKtl4b9
Size: 38400 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2008-11-02 19:13:23
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-PSW creates the following process(es):
Reader_sl.exe:1064
wuauclt.exe:344
jusched.exe:1056
The Trojan-PSW injects its code into the following process(es):
%original file name%.exe:1572
File activity
The process wuauclt.exe:344 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Trojan-PSW deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process %original file name%.exe:1572 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\teasing-video[1].htm (1542 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\vandeks[1].htm (257 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\sydney[1].htm (357 bytes)
%Documents and Settings%\%current user%\jyrvicewyxmu.exe (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\urantiaproject[1].htm (756 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\hostphd.com[1].htm (24 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[1].txt (1085 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\theprintinghouseltd.co[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\empordalia[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\trinity-works[1].htm (16 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigtopmultimedia[1].txt (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@totalearthcare.com[1].txt (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\403[1].htm (4 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sdlp[1].txt (214 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@racknstackwarehouse.com[1].txt (251 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\suspendedpage[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\unitedearthgroup[1].htm (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@starmedia[1].txt (223 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@goodvaluecenter[1].txt (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\sortedorganizing[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\aciuba.com[1].htm (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\sun-ele.co[1].htm (12 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@plus[1].txt (214 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@appelfarm[1].txt (225 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cbsprinting.com[1].txt (235 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (881 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\solutioncorp[1].htm (4184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\robertmcintyre.com[1].htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\cath4choice[1].htm (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\shipeliteexpress[1].htm (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\combine.or[1].htm (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@altonhousehotel[1].txt (237 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@glmghotels[1].txt (227 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ctr4process[1].txt (230 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.servico-ind[1].txt (214 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@traderush[1].txt (268 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[1].txt (175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\coketh[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\shs-sales.co[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\sarpy[1].htm (20 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[2].txt (317 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\cksglobal[1].htm (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\enzoyrodrigo.com[1].htm (586 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (20720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\lexjuridica[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\index[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\wkhk[1].htm (1832 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[2].txt (358 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@istanbultarim.com[1].txt (239 bytes)
The Trojan-PSW deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\theprintinghouseltd.co[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\vandeks[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\robertmcintyre.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\cath4choice[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\aciuba.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\unitedearthgroup[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\cksglobal[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\combine.or[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\hostphd.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\shs-sales.co[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\sarpy[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\lexjuridica[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\trinity-works[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\sun-ele.co[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\enzoyrodrigo.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\index[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\empordalia[1].htm (0 bytes)
The process jusched.exe:1056 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
Registry activity
The process Reader_sl.exe:1064 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:1572 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"2312304364" = "DD 07 0C 00 00 00 16 00 08 00 0B 00 2B 00 6A 03"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"jyrvicewyxmuzap" = "C2 9A 72 4A 22 F9 D1 A9 F4 CC A4 7C 54 2C 04 DB"
"AppManagement" = "23 FA D2 AA 82 5A 32 7D 55 2D 05 DC B4 8C 64 3C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 88 78 14 FC 13 C1 23 DD 77 1C 75 6F 73 B2 79"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"jyrvicewyxmu" = "%Documents and Settings%\%current user%\jyrvicewyxmu.exe"
The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://upsilon89.com/ | 151.236.48.69 |
| hxxp://myfilecenter.com/ | 66.33.213.228 |
| hxxp://mattiussiecologia.com/ | 95.110.200.253 |
| hxxp://cabooseonline.com/ | 192.138.20.228 |
| hxxp://totalearthcare.com.au/ | 108.162.193.154 |
| hxxp://agence-des-druides.com/ | 213.186.33.3 |
| hxxp://saios.net/ | 157.7.184.19 |
| hxxp://mandi-man.com/ | 210.172.144.61 |
| hxxp://denville.ca/ | 204.11.237.35 |
| hxxp://shs-sales.co.uk/ | 193.36.43.104 |
| hxxp://solutioncorp.com/ | 209.208.32.245 |
| hxxp://brookfarm.com.au/ | 116.251.204.207 |
| hxxp://nuritech.com/ | 222.239.78.139 |
| hxxp://combine.or.id/ | 202.162.33.14 |
| hxxp://servico-ind.com/ | 85.159.56.120 |
| hxxp://xing-group.com/ | 59.106.165.171 |
| hxxp://trinity-works.com/ | 219.94.206.70 |
| hxxp://servico-ind.com/index.asp | |
| hxxp://vandeks.com/ | 144.76.86.115 |
| hxxp://skaner.com.pl/ | 109.234.111.40 |
| hxxp://teasing-video.com/ | 99.192.154.182 |
| hxxp://churchsupplies.net/ | 66.232.99.164 |
| hxxp://naijagurus.com/ | 192.64.112.193 |
| hxxp://areafor.com/ | 185.2.130.31 |
| hxxp://sortedorganizing.com/ | 74.220.199.6 |
| hxxp://digpro.se/ | 89.221.250.12 |
| hxxp://cbsprinting.com.au/ | 141.101.116.74 |
| hxxp://sspackaginggroup.com/ | 182.50.130.36 |
| hxxp://cath4choice.org/ | 76.12.228.8 |
| hxxp://urantiaproject.com/ | 69.94.124.47 |
| hxxp://glmghotels.com/ | 141.101.116.108 |
| hxxp://y8k6h.x.incapdns.net/ | |
| hxxp://optiver.com.au/ | 217.195.114.124 |
| hxxp://cksglobal.net/ | 185.21.133.34 |
| hxxp://aciuba.com.br/ | 186.249.220.203 |
| hxxp://wkhk.net/ | 203.189.104.242 |
| hxxp://www.optiver.com/sydney/ | 217.195.124.19 |
| hxxp://starmedia.ca/ | 141.101.125.75 |
| hxxp://agrarno.ru/ | 178.63.17.213 |
| hxxp://bigtopmultimedia.com/ | 108.162.198.246 |
| hxxp://plus.ba/ | 141.101.116.246 |
| hxxp://altonhousehotel.com/ | 108.162.205.109 |
| hxxp://lognetic.com/ | 78.47.37.140 |
| hxxp://geodecisions.com/ | 216.174.25.93 |
| hxxp://penavision.co.in/ | 174.136.57.160 |
| hxxp://stop-ddos.me/ | 195.22.26.252 |
| hxxp://merceorti.com/ | 80.93.92.146 |
| hxxp://christybarry.com/ | 66.49.139.143 |
| hxxp://christybarry.com/cgi-sys/suspendedpage.cgi | |
| hxxp://tessera.co.jp/ | 210.150.6.88 |
| hxxp://sdlp.ie/ | 141.101.117.223 |
| hxxp://goodvaluecenter.com/ | 108.162.201.140 |
| hxxp://buzzkillmedia.com/ | 173.201.140.128 |
| hxxp://asterisk.com.sg/ | 211.25.3.196 |
| hxxp://hostphd.com.br/ | 192.196.156.73 |
| hxxp://beechwoodmetalworks.com/ | 69.163.135.152 |
| hxxp://ctr4process.org/ | 108.162.204.164 |
| hxxp://acicinvestor.ca/ | 207.150.203.36 |
| hxxp://s2s.fr/ | 195.64.165.29 |
| hxxp://asj.co.jp/ | 219.118.206.4 |
| hxxp://istanbultarim.com.tr/ | 108.162.198.72 |
| hxxp://fleshercorp.com/ | 64.111.24.104 |
| hxxp://rea-soft.ru/ | 78.47.135.34 |
| hxxp://ctr4process.org/403.shtml | |
| hxxp://tvndra.net/ | 91.216.141.46 |
| hxxp://ryumachi-jp.com/ | 111.68.174.253 |
| hxxp://toddpipe.com/ | 173.247.243.173 |
| hxxp://shakeyspizza.ph/ | 66.135.32.56 |
| hxxp://marcusgrimes.co.uk/ | 109.74.242.160 |
| hxxp://sun-ele.co.jp/ | 210.169.184.168 |
| hxxp://unslp.edu.bo/ | 50.28.58.0 |
| hxxp://coketh.com/ | 59.106.13.131 |
| hxxp://sarpy.com/ | 66.37.225.130 |
| hxxp://youjoomla.com/ | 69.65.11.200 |
| hxxp://victoria.com.pl/ | 89.161.158.128 |
| hxxp://robertmcintyre.com.au/ | 199.73.58.66 |
| hxxp://nasz-sklep.pl/ | 91.192.164.134 |
| hxxp://vanguardpkg.com/ | 50.62.115.1 |
| hxxp://authentica-travel.com/ | 68.168.112.98 |
| hxxp://shipeliteexpress.com/ | 67.59.133.211 |
| hxxp://avant-ime.com/ | 188.121.45.218 |
| hxxp://empordalia.com/ | 5.56.61.199 |
| hxxp://racknstackwarehouse.com.au/ | 141.101.117.200 |
| hxxp://appelfarm.org/ | 108.162.205.115 |
| hxxp://tutuji-saitama.com/ | 157.7.160.37 |
| hxxp://link-list-uk.com/ | 91.109.14.224 |
| hxxp://sztartufi.com/ | 95.110.192.171 |
| hxxp://theprintinghouseltd.co.uk/ | 46.20.228.113 |
| hxxp://unitedearthgroup.com/ | 213.171.195.105 |
| hxxp://mastechn.com/ | 64.207.148.243 |
| hxxp://automa.it/ | 95.110.195.52 |
| hxxp://enzoyrodrigo.com.br/ | 216.245.218.146 |
| hxxp://etcycles.com/ | 68.171.36.109 |
| hxxp://hinnenwiese.de/ | 85.13.135.246 |
| hxxp://isle-karnataka.org/ | 209.99.40.223 |
| hxxp://careerstodaycanada.com/ | 76.77.71.5 |
| hxxp://ezmedi.com/ | 218.150.78.243 |
| hxxp://calvarycemeterydayton.org/ | 198.1.91.2 |
| hxxp://csmbc.org/ | 149.47.157.224 |
| hxxp://caeweb.com/ | 204.152.118.133 |
| hxxp://lexjuridica.com/ | 176.28.103.205 |
| hxxp://rt-printing.com/ | 69.94.108.207 |
| hxxp://cromwellharbor.com/ | 173.45.246.222 |
| hxxp://cfgreaterjackson.org/ | 12.108.68.136 |
| hxxp://trivax.com/ | 216.172.104.2 |
| hxxp://arpeges.org/ | 88.190.216.198 |
| hxxp://coe.pku.edu.cn/ | 162.105.5.245 |
| hxxp://constancehotels.com/ | 46.21.202.14 |
| hxxp://e-ciencia.com/ | 46.105.32.97 |
| hxxp://syntrinsic.com/ | 69.16.192.61 |
| hxxp://easytrip.net/ | 216.154.212.124 |
| hxxp://ask-romein.com/ | 185.30.205.148 |
| hxxp://dataweave.com.au/ | 208.113.174.41 |
| hxxp://moshk.com/ | 46.165.224.57 |
| hxxp://vivawebinternet.com.br/ | 208.113.185.210 |
| hxxp://5-market.com/ | 210.172.144.179 |
| hxxp://mojos.com/ | 216.171.235.189 |
| hxxp://mtrx.net/ | 72.55.184.109 |
| hxxp://mediadevelopment.com/ | 66.35.84.54 |
| hxxp://omikrondokk.hu/ | 81.0.69.163 |
| hxxp://lavozdelared.net/ | 217.160.7.132 |
| hxxp://dicre.com/ | 203.189.104.227 |
| hxxp://gocommunications.ch/ | 91.193.21.190 |
| hxxp://cabv.com/ | 46.105.111.215 |
| hxxp://imperiumhomes.com/ | 200.58.114.10 |
| hxxp://392430.com/ | 219.94.128.96 |
| hxxp://solutiodesign.com/ | 64.14.68.156 |
| hxxp://petairusa.com/ | 85.234.137.80 |
| hxxp://dialadinner.com.hk/ | 122.128.107.29 |
| hxxp://slow-db.com/ | 59.106.166.251 |
| hxxp://atlantis-shisui.com/ | 210.172.144.246 |
| hxxp://cvswl.org/ | 216.35.196.47 |
| hxxp://bangertcomputer.com/ | 64.13.232.135 |
| hxxp://aedsrl.it/ | 85.94.217.210 |
| hxxp://bedfordlaw.com/ | 69.27.119.9 |
| hxxp://ans-service.com/ | 67.227.252.139 |
| hxxp://3moulins.com/ | 80.74.64.7 |
| hxxp://olganon.org/ | 198.143.166.17 |
| hxxp://roselani.com/ | 72.52.242.220 |
| hxxp://mail.kanglin.com.tw/ | 211.75.193.131 |
| hxxp://toyotafound.or.jp/ | 202.218.52.67 |
| hxxp://alpes-campings.com/ | 94.247.180.34 |
| hxxp://atlasztravel.hu/ | 195.70.57.6 |
| hxxp://putujemouevropu.org/ | 46.22.145.53 |
| hxxp://jidoucenter.com/ | 211.133.134.82 |
| hxxp://poyrazoto.com.tr/ | 37.230.104.123 |
| hxxp://ramybrook.com/ | 208.86.153.246 |
| hxxp://searrp.org/ | 103.6.196.150 |
| hxxp://palmbeachbeaute.com/ | 108.174.158.213 |
| hxxp://camphillscotland.org.uk/ | 62.255.174.64 |
| hxxp://thlabel.com/ | 114.80.156.67 |
| hxxp://capacitacionypnd.com/ | 69.64.81.51 |
| hxxp://aschroofing.com/ | 184.168.46.66 |
| hxxp://slakes.net/ | 72.29.68.107 |
| hxxp://bradleybray.com.au/ | 203.143.82.28 |
| hxxp://reflex.com.pl/ | 62.129.214.85 |
| hxxp://watermaticcoolers.com/ | 67.227.138.16 |
| hxxp://kitchencollage.com/ | 67.225.214.101 |
| hxxp://schuster-treppen.de/ | 212.227.54.147 |
| hxxp://worldtourism.com.au/ | 203.144.4.66 |
| hxxp://maybellecarter.com/ | 198.20.250.199 |
| hxxp://cimtech.ca/ | 168.144.87.138 |
| hxxp://saweightlosscenter.com/ | 50.28.84.225 |
| hxxp://mjfdesigns.com/ | 94.23.11.23 |
| hxxp://hotelkunlun.com/ | 119.31.233.123 |
| hxxp://acuprint.com/ | 216.35.197.49 |
| hxxp://aandporchids.com/ | 216.30.187.127 |
| hxxp://koeppl.com/ | 178.77.96.167 |
| hxxp://rokayfloral.com/ | 67.212.167.194 |
| hxxp://technicorp.co.cr/ | 67.210.101.185 |
| hxxp://earthworks-j.com/ | 211.1.224.76 |
| hxxp://rabinco.com.my/ | 202.75.53.90 |
| hxxp://iberclean.com/ | 198.58.86.155 |
| hxxp://saudireadymix.com.sa/ | 216.55.98.216 |
| hxxp://invertek.co.uk/ | 109.228.11.78 |
| hxxp://minority-inc.com/ | 180.222.182.167 |
| hxxp://norm-fasteners.com.tr/ | 78.129.226.93 |
| hxxp://peralesaguiar.com.ar/ | 200.58.107.237 |
| hxxp://exo2.co.uk/ | 87.117.239.204 |
| hxxp://internationalcabinets.com.au/ | 66.244.147.199 |
| hxxp://rentinmarin.com/ | 199.59.58.68 |
| hxxp://uwlowcountry.org/ | 69.64.77.63 |
| hxxp://dpmsystems.com/ | 67.225.236.114 |
| hxxp://insulationaustralia.com.au/ | 118.127.40.56 |
| hxxp://uhren-schmuckhaus-moeckel.de/ | 83.169.16.130 |
| hxxp://easy-networx.de/ | 217.91.166.9 |
| hxxp://chicanofederation.org/ | 66.240.194.76 |
| hxxp://imsa.com.ar/ | 5.9.198.70 |
| hxxp://solustan.com/ | 64.13.192.118 |
| hxxp://agro-trans.biz/ | 217.96.23.27 |
| hxxp://luksus.net.pl/ | 195.238.166.18 |
| hxxp://monsoybenet.com/ | 85.214.148.76 |
| hxxp://provang.com/ | 204.27.61.50 |
| hxxp://gvcustomsoftware.com.au/ | 111.223.234.21 |
| hxxp://telemkting.com/ | 184.107.156.250 |
| hxxp://isisgroup.co.uk/ | 80.88.198.8 |
| hxxp://adaptworkforce.com/ | 217.19.254.22 |
| hxxp://businessengineers.de/ | 217.110.123.146 |
| hxxp://admik.ru/ | 46.4.196.154 |
| hxxp://autocidade.com.br/ | 67.19.82.226 |
| hxxp://alshares.com/ | 37.58.82.167 |
| hxxp://thevelvetstore.com/ | 74.121.236.92 |
| hxxp://diving-bg.com/ | 91.196.124.63 |
| hxxp://tinnitus.se/ | 89.221.250.20 |
| hxxp://rokyu.net/ | 49.212.34.96 |
| hxxp://newfocas.co.uk/ | 46.20.227.248 |
| hxxp://ohnosha.co.jp/ | 203.145.245.160 |
| hxxp://progir.com/ | 81.25.121.212 |
| hxxp://cpi.com.ar/ | 69.25.136.17 |
| hxxp://waco-cccc.com/ | 68.171.34.203 |
| hxxp://inglett-stubbs.com/ | 70.32.68.171 |
| hxxp://sankalpplacement.com/ | 216.55.136.132 |
| hxxp://ekahosting.com/ | 72.44.94.117 |
| hxxp://marinescape.co.nz/ | 119.47.118.89 |
| hxxp://mc-integ.co.uk/ | 149.255.63.116 |
| hxxp://afsservice.com/ | 216.55.143.63 |
| hxxp://rdidiamonds.com/ | 67.151.215.130 |
| hxxp://ipoaonline.org/ | 70.32.68.135 |
| hxxp://littleblue.com/ | 92.48.127.198 |
| hxxp://computerlogicdirect.com/ | 208.78.155.38 |
| hxxp://plubiz.com/ | 91.121.36.93 |
| hxxp://oremc.com/ | 137.118.32.114 |
| hxxp://rmslive.com/ | 217.114.175.80 |
| hxxp://ibntel.com/ | 68.178.158.24 |
| hxxp://roulottesdecampagne.com/ | 178.33.106.197 |
| hxxp://sps-jia.cz/ | 195.113.221.6 |
| hxxp://snowboardweb.net/ | 210.172.144.27 |
| hxxp://dtc-telecom.co.uk/ | 37.61.234.11 |
| hxxp://musawa.ps/ | 174.46.134.54 |
| hxxp://marcanthony.com/ | 199.103.61.58 |
| hxxp://pluto.com.au/ | 27.131.73.214 |
| hxxp://unitrix.sk/ | 37.9.170.179 |
| hxxp://narsaria.com/ | 174.142.222.216 |
| hxxp://korsil.ru/ | 77.246.146.106 |
| hxxp://ray-jp.com/ | 219.94.203.112 |
| hxxp://gazdic.com/ | 209.41.133.210 |
| hxxp://zanyhost.com/ | 108.60.130.154 |
| hxxp://dominos.co.id/ | 202.169.44.158 |
| hxxp://goodwins-removals.com/ | 84.39.115.126 |
| hxxp://3int.net/ | 149.126.96.164 |
| hxxp://tacsa.ws/ | 64.150.187.245 |
| hxxp://aozoramame.com/ | 211.1.227.93 |
| hxxp://mortgageleads.com/ | 184.105.209.117 |
| hxxp://247petreturn.com/ | 67.211.47.40 |
| hxxp://safedoormatic.com/ | 202.91.240.67 |
| hxxp://casino-top.net/ | 94.23.75.101 |
| hxxp://tomgegax.com/ | 69.163.184.244 |
| hxxp://fsesudmuntenia.ro/ | 128.140.230.196 |
| hxxp://efoa.org/ | 94.107.192.101 |
| hxxp://sagsheriff.com/ | 198.7.59.141 |
| hxxp://carteluz.com.ar/ | 200.58.120.9 |
| hxxp://the-marketing-company.at/ | 78.138.92.184 |
| hxxp://lelund.com/ | 65.60.53.221 |
| hxxp://locbem.com.br/ | 199.48.164.230 |
| hxxp://nnppd.com/ | 64.177.91.97 |
| hxxp://neaco.co.uk/ | 62.255.174.104 |
| hxxp://werta.net/ | 87.120.40.16 |
| hxxp://magnatekenterprises.com/ | 75.119.192.177 |
| hxxp://hwplan.org/ | 216.26.168.132 |
| hxxp://ashleyquinncpas.com/ | 206.51.225.190 |
| maki-hs.com | 203.137.80.208 |
| counsellingpsychotherapytoronto.com | 173.236.125.2 |
| alt1.aspmx.l.google.com | 216.239.34.10 |
| authoritative.net | 66.33.213.228 |
| ns10.worldnic.com | 206.188.199.44 |
| kurecci.or.jp | 119.245.143.88 |
| dns.other-world.com | 204.11.64.5 |
| in1.smtp.messagingengine.com | 66.111.4.71 |
| www.traderush.com | 199.83.132.93 |
| bluecolash.com | 213.239.215.247 |
| s-style.co.jp | 209.238.128.37 |
| www.myfilecenter.com | 66.33.213.228 |
| ibcd.com.br | 192.168.0.1 |
| pekachemie.com | 213.217.60.186 |
| limaingenieriayconstruccion.com | 192.254.143.157 |
| vitalur.by | 178.159.246.76 |
| mxs.mail.ru | 94.100.176.20 |
| www.avant-ime.com | 188.121.45.218 |
| norakuroya.com | 175.45.136.72 |
| alt4.gmail-smtp-in.l.google.com | 74.125.136.26 |
| audio-direkt.net | 127.0.0.1 |
| www.servico-ind.com | 85.159.56.120 |
| natvideo.com | 208.122.223.237 |
| doggybag.org | 62.193.211.35 |
| atanor.ru | 82.138.1.142 |
| allaroundbouncing.com | 66.241.231.114 |
| gmail-smtp-in.l.google.com | 74.125.142.26 |
| ecotechsystem.com | 93.93.200.130 |
| hpp-services.com | 127.0.0.1 |
| born-club.com | 37.140.192.111 |
| aethora.com | 67.207.143.253 |
| www.trinity-works.com | 219.94.206.70 |
| craigrichards.com | 67.228.168.156 |
| iwantsex.org | 178.32.60.125 |
| nataliecurtiss.com | 192.168.100.1 |
| konishi-hp.com | 122.219.254.148 |
| ns-fra.proofpoint.com | 62.209.50.50 |
| tenpole.com | 127.0.0.1 |
| pro-networks.co.uk | 109.73.165.20 |
| mxa-00105401.gslb.pphosted.com | 208.84.67.208 |
| vivare.nl | 89.105.202.47 |
| gjk.com.pl | 148.81.111.98 |
| ns87.hostia.name | 213.155.29.186 |
| www.cbsprinting.com.au | 141.101.116.74 |
| www.solutioncorp.com | 209.208.32.245 |
| www.beechwoodmetalworks.com | 69.163.135.152 |
| tokushima-med.jrc.or.jp | 180.37.239.56 |
| www.ctr4process.org | 108.162.203.164 |
| theartofhair.com | 0.0.0.0 |
| agrohorizonte.com.ar | 201.253.108.68 |
| www.wkhk.net | 203.189.104.242 |
| mx.directgroup.org | 83.220.44.51 |
| bredainternet.nl | 127.0.0.1 |
| blagotvoritel.org | 87.120.6.182 |
| www.saios.net | 157.7.184.19 |
| iaiglobal.or.id | 49.50.8.93 |
| fineartsassociation.org | 70.33.214.138 |
| mail7.digitalwaves.co.nz | 127.0.0.1 |
| iwamoto-hiroyoshi.com | 210.172.144.61 |
| aspmx4.googlemail.com | 173.194.78.26 |
| smtp.live.com | 65.55.162.200 |
| www.vanguardpkg.com | 50.62.115.1 |
| bospianoservice.nl | 195.211.73.89 |
| trenpalau.com | Unresolvable |
| aspmx3googlemail.com | Unresolvable |
| pointopines.com | Unresolvable |
| nichedictionary.com | Unresolvable |
| aspmx2.googlemail.com | Unresolvable |
| aspmx.l.google.com | Unresolvable |
| meubles-jacquelin.com | Unresolvable |
| meridies.org | Unresolvable |
| manuyantralaya.com | Unresolvable |
| alt2.aspmx.l.google.com | Unresolvable |
| toutenmeuse.com | Unresolvable |
| hoyuu.com | Unresolvable |
| aspmx5.googlemail.com | Unresolvable |
| hifuken.com | Unresolvable |
| mxb-00105401.gslb.pphosted.com | Unresolvable |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
wuauclt.exe:344
- Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\teasing-video[1].htm (1542 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\vandeks[1].htm (257 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\sydney[1].htm (357 bytes)
%Documents and Settings%\%current user%\jyrvicewyxmu.exe (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\urantiaproject[1].htm (756 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\hostphd.com[1].htm (24 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[1].txt (1085 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\theprintinghouseltd.co[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\empordalia[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\trinity-works[1].htm (16 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigtopmultimedia[1].txt (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@totalearthcare.com[1].txt (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\403[1].htm (4 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sdlp[1].txt (214 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@racknstackwarehouse.com[1].txt (251 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\suspendedpage[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\unitedearthgroup[1].htm (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@starmedia[1].txt (223 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@goodvaluecenter[1].txt (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\sortedorganizing[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\aciuba.com[1].htm (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\sun-ele.co[1].htm (12 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@plus[1].txt (214 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@appelfarm[1].txt (225 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cbsprinting.com[1].txt (235 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (881 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\solutioncorp[1].htm (4184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\robertmcintyre.com[1].htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\cath4choice[1].htm (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\shipeliteexpress[1].htm (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\combine.or[1].htm (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@altonhousehotel[1].txt (237 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@glmghotels[1].txt (227 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ctr4process[1].txt (230 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.servico-ind[1].txt (214 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@traderush[1].txt (268 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[1].txt (175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\coketh[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\shs-sales.co[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\sarpy[1].htm (20 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[2].txt (317 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\cksglobal[1].htm (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\enzoyrodrigo.com[1].htm (586 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (20720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\lexjuridica[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\index[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\wkhk[1].htm (1832 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[2].txt (358 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@istanbultarim.com[1].txt (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"jyrvicewyxmu" = "%Documents and Settings%\%current user%\jyrvicewyxmu.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.