Trojan-Downloader.Win32.Cutwail_217b643887

by malwarelabrobot on July 31st, 2013 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan-Downloader.Win32.Cutwail!IK (Emsisoft), GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Technical Details

Removal Recommendations

MD5: 217b643887dd7ad9ef4151832dc1b401
SHA1: a069bc6775712d1cb0a08292eae7165ebac6f16b
SHA256: 95ef97b5e2c79b07c9607fb5fc0cad2a6b1854200ecc3d4d75af511f0e78c343
SSDeep: 768:tdt0631lXgLa1RKCuU96162lO 6jfFJiQQV0kpSVoiHYBQhBYpJw2xsvPK:tH0ClQLavtY1D6zFDs0/Ki4qmrRq6
Size: 142339 bytes
File type: PE32
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-07-28 00:17:31

Summary:

Trojan-Downloader. Trojan program, which downloads files from the Internet without user's notice and executes them.

Payload

No specific payload has been found.

Process activity

The Trojan-Downloader creates the following process(es):

217b643887dd7ad9ef4151832dc1b401.exe:1860

The Trojan-Downloader injects its code into the following process(es):

217b643887dd7ad9ef4151832dc1b401.exe:740

File activity

The process 217b643887dd7ad9ef4151832dc1b401.exe:740 makes changes in a file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@topex[1].txt (185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\djkentaro[1].htm (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\starmedia[1].htm (466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\dithd[1].htm (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ixtractor[1].htm (801 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\brijindia[1].htm (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\violadagamba[1].htm (16 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@totalearthcare.com[1].txt (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fujino-lab[1].htm (2057 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\paulrenna[1].htm (1225 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ziuabarbatului[1].txt (158 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.microsoft[1].txt (147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\celebikalip.com[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\csmbc[1].htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\teknorhino[1].htm (2124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\google[1].htm (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\atr-technologies[1].htm (18 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[2].txt (301 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].htm (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\teasing-video[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\dormfantasies[1].htm (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\racknstackwarehouse.com[1].htm (1340 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@glmghotels[1].txt (219 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\actfactory[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tessera.co[1].htm (10 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[1].txt (150 bytes)
%Documents and Settings%\%current user%\rapixxagibna.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\suspended[1].htm (4 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@winery[1].txt (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\paulrenna[1].htm (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cath4choice[1].htm (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\niray.com[1].htm (1480 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\mibsga[1].htm (14 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@facebook[1].txt (172 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (881 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\capitalcitytuxedo[1].htm (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tollefsondesign[1].htm (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ompgp.co[1].htm (17 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (29108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\winery[1] (248 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\unitedearthgroup[1].htm (523 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\egao[1].htm (15 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[1].txt (1878 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\e-shuukyaku[1].htm (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\gjk.com[1].htm (24 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@topex[2].txt (332 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tss[1].htm (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\arckepesajandek[1].htm (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\chscreative[1].htm (1736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\shipeliteexpress[1].htm (16 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@empordalia[2].txt (321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\mastechn[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\thedonaldsongroup[1].htm (833 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\geodecisions[1].htm (40 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msasys[1].txt (204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\momonophoto[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\shs-sales.co[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\suspendedpage[2].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\iktus[1].htm (78 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sydney[1].htm (357 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sun-ele.co[1].htm (11 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.microsoft[2].txt (147 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[2].txt (1324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\osouji-school[1].htm (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aipi.co[1].htm (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ans-service[1].htm (107 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\vanguardpkg[1].htm (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\graintrain[2].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\google[1].htm (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\fraser-high.school[1].htm (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\precisionsolutionsky[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\boundbydesign[1].htm (10 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@geodecisions[1].txt (273 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\westsidechurch[1].htm (17 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@neurotoxininstitute[1].txt (237 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@geothermusa[2].txt (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pixemia[1].htm (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\acsmedioambiente[1].htm (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\suspendedpage[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\frederickallergy[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\sarpy[1].htm (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\naijagurus[1].htm (573 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\capitalcitytuxedo[1].htm (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\trenpalau[1].htm (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shs-sales.co[1].htm (20 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[1].txt (1103 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\arckepesajandek[2].htm (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\sun-ele.co[1].htm (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\eygwindows.co[1].htm (822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\le-mariage[1].htm (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\floridadoubled[1].htm (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\arckepesajandek[1].htm (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\kafrit[1].htm (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cabooseonline[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\theprintinghouseltd.co[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\graintrain[1].htm (4 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@empordalia[1].txt (157 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\mojacar-vacaciones[1].htm (876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\koetterfireprotection[1].htm (1522 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[3].txt (641 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\geothermusa[1].htm (498 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@geothermusa[1].txt (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\violadagamba[1].htm (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\easyformations[1].htm (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\paulrenna[1].htm (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cksglobal[1].htm (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\etcycles[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\suspendedpage[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\easygen[1].htm (13 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[2].txt (323 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\acsmedioambiente[1].htm (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\forslav[1].htm (270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\photoclubs[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jacksonsallamerican[1].htm (1178 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@easyformations[1].txt (152 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@google[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\graintrain[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\arckepesajandek[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\sun-ele.co[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\violadagamba[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\google[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@topex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\graintrain[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tutuji-saitama[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\shs-sales.co[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@empordalia[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\arckepesajandek[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[3].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@geothermusa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\capitalcitytuxedo[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\paulrenna[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\paulrenna[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\acsmedioambiente[1].htm (0 bytes)

Registry activity

The process 217b643887dd7ad9ef4151832dc1b401.exe:740 makes changes in a system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"AppManagement" = "74 D8 B0 88 60 38 10 E7 BF 97 6F 47 1F F6 CE A6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 70 A4 FA F9 72 79 FE 5F D1 19 30 57 18 F5 05"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"rapixxagibnazap" = "66 CA A2 7A 52 2A 02 D9 25 FC D4 AC 84 5C 34 0C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

To automatically run itself each time Windows is booted, the Trojan-Downloader adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"rapixxagibna" = "%Documents and Settings%\%current user%\rapixxagibna.exe"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Downloader modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Downloader deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

Network activity (URLs)

URL	IP
hxxp://photoclubs.com/	209.50.251.101
hxxp://penavision.co.in/	174.136.57.160
hxxp://nataliecurtiss.com/	74.208.102.126
hxxp://teasing-video.com/	99.192.154.182
hxxp://alternative-aquitaine.co.uk/	212.69.207.90
hxxp://marcusgrimes.co.uk/	109.74.242.160
hxxp://nazcapictures.com/	69.0.211.58
hxxp://gamblingonlinemagazine.com/	198.1.90.242
hxxp://kvadratoff.ru/	188.93.212.32
hxxp://kafrit.com/	62.219.13.240
hxxp://arckepesajandek.hu/	5.56.32.1
hxxp://sun-ele.co.jp/	210.169.184.168
hxxp://ans-service.com/	67.227.167.46
hxxp://enzoyrodrigo.com.br/	69.162.126.154
hxxp://osouji-school.com/	211.13.204.3
hxxp://victoria.com.pl/	89.161.158.128
hxxp://korta-sa.com/	91.200.116.10
hxxp://merceorti.com/	193.42.143.42
hxxp://www.google.com/	74.125.226.210
hxxp://error.logol.ru/suspended/	188.93.212.36
hxxp://icigrain.com/	76.12.81.22
hxxp://www.google.ca/?gws_rd=cr	74.125.226.216
hxxp://unitedearthgroup.com/	213.171.195.105
hxxp://icigrain.com/cgi-sys/suspendedpage.cgi
hxxp://thesergery.com/	203.83.219.109
hxxp://myfilecenter.com/	66.33.213.228
hxxp://ajdo.net/	210.175.78.151
hxxp://krafthaus.com/	49.50.249.60
hxxp://perc.ca/	69.89.31.118
hxxp://kamaruka.vic.edu.au/	27.54.85.145
hxxp://fujino-lab.com/	210.143.109.204
hxxp://norakuroya.com/	175.45.136.72
hxxp://stormwildlifeart.com/	70.86.7.138
hxxp://momonophoto.com/	203.189.105.136
hxxp://tenpole.com/	59.106.126.144
hxxp://violadagamba.com/	74.124.195.5
hxxp://agrarno.ru/	178.63.17.213
hxxp://selldoor.pl/	212.85.112.239
hxxp://avisay.com/	184.154.160.15
hxxp://tutuji-saitama.com/	124.108.33.192
hxxp://microsoft.com/	64.4.11.37
hxxp://selldoor.pl/m/
hxxp://chscreative.com/	80.68.90.24
hxxp://nuritech.com/	210.183.236.113
hxxp://lb1.www.ms.akadns.net/
hxxp://paulrenna.com/	198.154.229.165
hxxp://cksglobal.net/	91.186.20.51
hxxp://egao.net/	121.83.133.146
hxxp://lb1.www.ms.akadns.net/en-ca/default.aspx
hxxp://sigmametalsinc.com/	208.113.149.173
hxxp://neurotoxininstitute.com/	141.101.112.135
hxxp://glmghotels.com/	190.93.243.62
hxxp://niray.com.cn/	118.144.82.146
hxxp://www.sigmaaero.com/	208.113.225.142
hxxp://westhillsstl.org/	67.192.235.56
hxxp://espace-hotelier.com/	176.31.103.151
hxxp://miltinio-teatras.lt/	92.61.39.244
hxxp://unslp.edu.bo/	50.28.1.127
hxxp://meubles-jacquelin.com/	95.142.166.167
hxxp://midwestga.com/	108.175.148.57
hxxp://mibsga.com/
hxxp://leadershipforum.us/	66.39.30.185
hxxp://sztartufi.com/	95.110.192.171
hxxp://pcpeds.com/	216.122.144.146
hxxp://mastechn.com/	64.207.147.184
hxxp://gcs-cpa.com/	64.14.68.37
hxxp://nd-evenementiel.com/	79.98.23.45
hxxp://dithd.com/	216.177.135.4
hxxp://capitalcitytuxedo.com/	67.223.102.253
hxxp://easyformations.net/	88.208.216.219
hxxp://frederickallergy.com/	64.203.75.13
hxxp://arquiteturadigital.com/ (Malicious)	208.113.187.143
hxxp://jacksonsallamerican.com/	69.167.178.142
hxxp://bigtopmultimedia.com/	217.115.114.4
hxxp://topex.ro/	193.226.61.45
hxxp://beechwoodmetalworks.com/	69.163.135.152
hxxp://wkhk.net/	203.189.104.242
hxxp://le-mariage.com/	46.105.107.214
hxxp://actfactory.net/	203.183.64.166
hxxp://rewardhits.com/	66.45.248.130
hxxp://thedonaldsongroup.com/	64.120.153.69
hxxp://e-storming.com/	91.121.66.183
hxxp://avant-ime.com/	82.194.73.144
hxxp://chocolatecovers.com/	67.192.11.2
hxxp://starmedia.ca/	168.144.92.210
hxxp://heliomare.nl/	85.158.207.109
hxxp://youjoomla.com/	174.37.5.207
hxxp://mastergrp-spb.ru/	81.176.232.102
hxxp://mastergrp-spb.ru/cgi-sys/suspendedpage.cgi
hxxp://geodecisions.com/	216.174.25.93
hxxp://ezmedi.com/	218.150.78.243
hxxp://berkshirebusiness.org/	64.99.80.30
hxxp://etcycles.com/	68.171.36.109
hxxp://mattiussiecologia.com/	62.149.232.215
hxxp://pixemia.com/	91.146.97.34
hxxp://mattiussiecologia.com/en/index.aspx
hxxp://denville.ca/	204.11.237.35
hxxp://msasys.com/	216.70.112.211
hxxp://coe.pku.edu.cn/	162.105.5.245
hxxp://tavdi.com/	65.98.59.242
hxxp://toddpipe.com/	173.247.243.173
hxxp://boundbydesign.com/	64.13.250.94
hxxp://adultlivechat.us/	74.119.145.130
hxxp://precisionsolutionsky.com/	64.34.168.92
hxxp://shs-sales.co.uk/	193.36.43.104
hxxp://ixtractor.com/	209.222.7.227
hxxp://cath4choice.org/	76.12.228.8
hxxp://djkentaro.com/	124.146.222.27
hxxp://stecom.nl/	193.23.143.117
hxxp://shipeliteexpress.com/	67.59.133.211
hxxp://theprintinghouseltd.co.uk/	46.20.228.113
hxxp://figabara.com/	85.153.11.99
hxxp://colourprint.nl/	91.233.105.63
hxxp://eomc.net/	213.208.149.82
hxxp://isp-h.com/	210.172.144.22
hxxp://fleshercorp.com/	64.111.24.104
hxxp://acsmedioambiente.com/	50.97.221.19
hxxp://biurimex.pl/	89.161.181.123
hxxp://tss.org/	209.200.238.15
hxxp://orion-networks.net/	69.31.13.222
hxxp://trenpalau.com/	217.149.1.49
hxxp://woodlandhillwinery.com/	100.42.52.112
hxxp://woodlandhillwinery.com/winery/
hxxp://hoyuu.com/	202.234.167.139
hxxp://westsidechurch.org/	67.59.85.80
hxxp://graintrain.coop/	69.36.165.48
hxxp://acmepacificrepairs.com/	69.198.129.78
hxxp://fruitspot.co.za/	41.203.18.34
hxxp://nori-k.com/	210.172.144.24
hxxp://paintball.be/	213.186.33.19
hxxp://dormfantasies.com/	184.94.149.35
hxxp://spiti.org/	212.67.194.161
hxxp://fastarchofamerica.com/	75.119.209.232
hxxp://ompgp.co.jp/	204.227.165.46
hxxp://kagu-hokuren.com/	60.43.132.135
hxxp://atr-technologies.com/	206.208.115.190
hxxp://e-kagami.com/	54.249.238.243
hxxp://vanguardpkg.com/	66.96.147.110
hxxp://fraser-high.school.nz/	210.48.67.144
hxxp://cabooseonline.com/	208.72.2.42
hxxp://asterisk.com.sg/	103.5.151.176
hxxp://istanbultarim.com.tr/	31.7.35.95
hxxp://schiedel.it/	217.145.99.26
hxxp://racknstackwarehouse.com.au/	27.50.89.123
hxxp://combine.or.id/	202.162.33.14
hxxp://optiver.com.au/	217.195.114.124
hxxp://sdlp.ie/	81.17.241.30
hxxp://www.optiver.com/sydney/	217.195.124.19
hxxp://shbrazil.com/	50.23.134.43
hxxp://audience-web.net/	64.247.178.252
hxxp://audience-web.net/cgi-sys/suspendedpage.cgi
hxxp://churchsupplies.net/	66.232.99.164
hxxp://padstow.com/	62.233.107.131
hxxp://authentica-travel.com/	68.168.112.98
hxxp://screaminpeach.com/	67.225.249.28
hxxp://theartofhair.com/	203.98.75.57
hxxp://wildrosemarketing.com/	184.168.19.1
hxxp://csmbc.org/	129.121.224.188
hxxp://lognetic.com/	78.47.37.140
hxxp://mojacar-vacaciones.com/	12.158.190.246
hxxp://tollefsondesign.com/	74.55.16.138
hxxp://xing-group.com/	59.106.167.61
hxxp://malagacorp.com/	199.204.137.151
hxxp://brijindia.com/	67.18.185.98
hxxp://floridadoubled.com/	64.59.81.104
hxxp://easygen.com/	212.84.66.99
hxxp://empordalia.com/	87.98.231.3
hxxp://totalearthcare.com.au/	108.162.196.53
hxxp://austriansurfing.at/	85.13.136.86
hxxp://celebikalip.com.tr/	94.75.200.75
hxxp://aipi.co.nz/	210.5.53.124
hxxp://areafor.com/	37.46.74.136
hxxp://totalearthcare.com.au/cgi-sys/suspendedpage.cgi
hxxp://lockerlookz.com/	184.168.152.53
hxxp://forslav.com/ (Malicious)	81.95.115.61
hxxp://gjk.com.pl/	193.239.44.106
hxxp://bigjohnsbeefjerky.com/	216.70.102.33
hxxp://eyggroup.com/	85.233.160.22
hxxp://eygwindows.co.uk/
hxxp://s2s.fr/	194.206.221.211
hxxp://iktus.fr/	37.59.56.171
hxxp://coopsupermarkt.nl/	213.247.43.95
hxxp://telenavis.com/	80.245.173.163
hxxp://sarpy.com/	66.37.225.130
hxxp://koetterfireprotection.com/	208.131.143.4
hxxp://geothermusa.com/	208.109.181.105
hxxp://tessera.co.jp/	202.212.212.209
hxxp://tvndra.net/	213.239.134.100
hxxp://agence-des-druides.com/	91.121.36.162
meridies.org	0.0.0.0
digpro.se	89.221.250.12
www.ixtractor.com	209.222.7.227
www.photoclubs.com	209.50.251.101
reyesconstruction.com	69.175.7.194
www.msasys.com	216.70.112.211
in1.smtp.messagingengine.com	66.111.4.73
www.microsoft.com	1.103.192.54
plainscotton.org	69.16.204.164
bredainternet.nl	127.0.0.1
testpile.com	127.0.0.1
indianz.com	64.38.12.138
www.cabooseonline.com	208.72.2.42
surfinggoatdairy.com	216.218.220.34
shakeyspizza.ph	122.55.79.88
emconfm.com	209.17.116.2
www.ans-service.com	67.227.167.46
serviamus.com	67.231.20.52
cbsprinting.com.au	198.106.178.190
www.jacksonsallamerican.com	69.167.178.142
qginformatik.com	94.23.33.98
www.atr-technologies.com	206.208.115.190
kashiwa-kk.com	59.106.27.187
btitravel.com	141.101.116.14
eternalbeautyproducts.com.au	119.31.229.183
firealarms.com	141.101.124.241
rcap.org	67.20.123.71
adfolsa.com.ec	74.220.215.55
naijagurus.com	209.62.65.58
konishi-hp.com	122.219.254.103
smtp.mail.yahoo.com	98.138.105.21
www.momonophoto.com	203.189.105.136
vnhanoi.com	222.122.56.41
justconnect.co.za	217.118.24.138
fnam.pt	198.1.127.233
www.westsidechurch.org	67.59.85.80
clx.com.br	187.45.193.74
alt4.gmail-smtp-in.l.google.com	173.194.69.26
hartmultimedia.com	196.215.136.111
sensasilelaki.com	203.223.135.241
skaner.com.pl	85.128.137.179
cyclo-tourisme.com	46.31.193.190
4pipp.com	111.111.111.111
www.kagu-hokuren.com	60.43.132.135
mxs.mail.ru	94.100.176.20
www.racknstackwarehouse.com.au	27.50.89.123
acetravel-lb.com	142.4.31.244
www.beechwoodmetalworks.com	69.163.135.152
dicksvalleyservice.com	173.193.3.203
ziuabarbatului.ro	194.50.126.226
aiem.qc.ca	184.173.196.237
academiakurutziaga.com	213.186.33.3
hillusa.com	216.227.211.86
www.wkhk.net	203.189.104.242
debtrescueusa.com	66.7.195.227
doctsf.com	91.121.177.201
studiolegalegiommi.it	93.95.216.172
www.myfilecenter.com	66.33.213.228
www.facebook.com	31.13.69.128
www.gamblingonlinemagazine.com	198.1.90.242
www.bigjohnsbeefjerky.com	216.70.102.33
www.mibsga.com	173.201.232.241
e-shuukyaku.com	211.13.204.3
nc-concept.com	94.23.247.172
www.westhillsstl.org	67.192.235.56
medischmanagement.nl	67.205.41.19
weinbauerfinancial.com	206.196.124.161
www.djkentaro.jp	124.146.222.27
gmail-smtp-in.l.google.com	173.194.76.26
www.hoyuu.com	202.234.167.139
www.teknorhino.com	66.45.248.130
www.chscreative.com	80.68.90.24
theautospas.com	216.70.109.220
lotuswell.ch	176.28.25.45
bitlarge.com	220.109.215.210
mail7.digitalwaves.co.nz	127.0.0.1
engsmotortruck.com	67.205.52.43
yalestreet.com	209.11.140.131
www.eygwindows.co.uk	173.0.129.54
vexolpost.com	Unresolvable
herpes-zone.com	Unresolvable
x-cellcommunications.de	Unresolvable
choice-select.com	Unresolvable
audio-direkt.net	Unresolvable
ballandwall.biz	Unresolvable
sspackaginggroup.com	Unresolvable
golfpark-moossee.ch	Unresolvable

Rootkit activity

No anomalies have been detected.

Propagation

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

217b643887dd7ad9ef4151832dc1b401.exe:1860
Delete the original Trojan-Downloader file.
Delete or disinfect the following files created/modified by the Trojan-Downloader:

%Documents and Settings%\%current user%\Cookies\Current_User@topex[1].txt (185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\djkentaro[1].htm (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\starmedia[1].htm (466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\dithd[1].htm (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ixtractor[1].htm (801 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\brijindia[1].htm (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\violadagamba[1].htm (16 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@totalearthcare.com[1].txt (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fujino-lab[1].htm (2057 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\paulrenna[1].htm (1225 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ziuabarbatului[1].txt (158 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.microsoft[1].txt (147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\celebikalip.com[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\csmbc[1].htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\teknorhino[1].htm (2124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\google[1].htm (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\atr-technologies[1].htm (18 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[2].txt (301 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].htm (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\teasing-video[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\dormfantasies[1].htm (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\racknstackwarehouse.com[1].htm (1340 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@glmghotels[1].txt (219 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\actfactory[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tessera.co[1].htm (10 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[1].txt (150 bytes)
%Documents and Settings%\%current user%\rapixxagibna.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\suspended[1].htm (4 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@winery[1].txt (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\paulrenna[1].htm (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cath4choice[1].htm (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\niray.com[1].htm (1480 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\mibsga[1].htm (14 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@facebook[1].txt (172 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (881 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\capitalcitytuxedo[1].htm (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tollefsondesign[1].htm (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ompgp.co[1].htm (17 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (29108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\winery[1] (248 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\unitedearthgroup[1].htm (523 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\egao[1].htm (15 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[1].txt (1878 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\e-shuukyaku[1].htm (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\gjk.com[1].htm (24 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@topex[2].txt (332 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tss[1].htm (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\arckepesajandek[1].htm (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\chscreative[1].htm (1736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\shipeliteexpress[1].htm (16 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@empordalia[2].txt (321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\mastechn[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\thedonaldsongroup[1].htm (833 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\geodecisions[1].htm (40 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msasys[1].txt (204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\momonophoto[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\shs-sales.co[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\suspendedpage[2].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\iktus[1].htm (78 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sydney[1].htm (357 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sun-ele.co[1].htm (11 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.microsoft[2].txt (147 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[2].txt (1324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\osouji-school[1].htm (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aipi.co[1].htm (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ans-service[1].htm (107 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\vanguardpkg[1].htm (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\graintrain[2].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\google[1].htm (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\fraser-high.school[1].htm (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\precisionsolutionsky[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\boundbydesign[1].htm (10 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@geodecisions[1].txt (273 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\westsidechurch[1].htm (17 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@neurotoxininstitute[1].txt (237 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@geothermusa[2].txt (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pixemia[1].htm (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\acsmedioambiente[1].htm (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\suspendedpage[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\frederickallergy[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\sarpy[1].htm (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\naijagurus[1].htm (573 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\capitalcitytuxedo[1].htm (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\trenpalau[1].htm (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shs-sales.co[1].htm (20 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[1].txt (1103 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\arckepesajandek[2].htm (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\sun-ele.co[1].htm (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\eygwindows.co[1].htm (822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\le-mariage[1].htm (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\floridadoubled[1].htm (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\arckepesajandek[1].htm (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\kafrit[1].htm (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cabooseonline[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\theprintinghouseltd.co[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\graintrain[1].htm (4 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@empordalia[1].txt (157 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\mojacar-vacaciones[1].htm (876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\koetterfireprotection[1].htm (1522 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[3].txt (641 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\geothermusa[1].htm (498 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@geothermusa[1].txt (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\violadagamba[1].htm (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\easyformations[1].htm (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\paulrenna[1].htm (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cksglobal[1].htm (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\etcycles[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\suspendedpage[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\easygen[1].htm (13 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[2].txt (323 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\acsmedioambiente[1].htm (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\forslav[1].htm (270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\photoclubs[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jacksonsallamerican[1].htm (1178 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@easyformations[1].txt (152 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"rapixxagibna" = "%Documents and Settings%\%current user%\rapixxagibna.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Trojan-Downloader.Win32.Cutwail_217b643887

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Trojan-Downloader.Win32.Cutwail_217b643887

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet