Application.Agent.RA_5bec3c6a99

by malwarelabrobot on September 25th, 2016 in Malware Descriptions.

Application.Agent.RA (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 5bec3c6a9950cf902e71b84dc814c3f9
SHA1: 039346de7ddf0d4643b923af7869301ce7bf84fa
SHA256: 8c44f634f2dadab0801b91cfea8fe9c0ae923eaed037c5bf38e76f6651f136ea
SSDeep: 24576:NSVIldvD5VEmCVYoC6K5lgdIpGeAMWO6ACa4vD3:kVIld9VEnYr6KkSIBMWOCPD3
Size: 790578 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Application creates the following process(es):

taskkill.exe:1296
taskkill.exe:668
47222.exe:484
7841335.exe:1448
tasklist.exe:1128
tasklist.exe:508
tasklist.exe:1188
tasklist.exe:560
tasklist.exe:528
tasklist.exe:888
tasklist.exe:456
tasklist.exe:1768
tasklist.exe:500
tasklist.exe:476
tasklist.exe:1108
tasklist.exe:1496
tasklist.exe:1036
tasklist.exe:1928
tasklist.exe:1756
tasklist.exe:504
tasklist.exe:256
tasklist.exe:492
tasklist.exe:1312
%original file name%.exe:2024
beckinsale.exe:308
find.exe:1712
find.exe:996
find.exe:1084
find.exe:752
find.exe:292
find.exe:452
find.exe:1048
find.exe:212
find.exe:656
find.exe:1744
find.exe:592
find.exe:352
find.exe:544
find.exe:1008
find.exe:252
find.exe:648
find.exe:1760
find.exe:256
find.exe:812
find.exe:1764

The Application injects its code into the following process(es):

scavenges.exe:700

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process scavenges.exe:700 makes changes in the file system.
The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\crossdomain[2].xml (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\CAOTE15Q.gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\syncnoad[1].xml (617 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\CAQNWTQV.xml (756 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\CAQ3WXYV.xml (722 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\CAFJ4KGE.xml (848 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\bgg[1].png (198 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sneezespoliticizing[2].txt (346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\CAMJM7AF.xml (811 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\syncnoad[2].xml (634 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\CAUFUD56.xml (856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\CA0XSNW5.xml (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\syncnoad[2].xml (705 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\syncnoad[1].xml (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\syncnoad[4].xml (687 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\1[1].gif (49 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (1082 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\player1[1].swf (11393 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (15228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\itd[1].htm (1118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\CALVL4K4.xml (771 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (556 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\CAU4KCGG.xml (760 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\crossdomain[3].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\syncnoad[3].xml (596 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\wau-widget[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\CA2FS5Y3.xml (760 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\CAC1YL8R.xml (710 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (1068 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\jwplayer1[1].js (73901 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\syncnoad[6].xml (701 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\logo[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\ova-jw[1].swf (18321 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@everclips[1].txt (179 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\page-4[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\CA52W54W.xml (807 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\CA5SNBXC.xml (714 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\page-4[1].htm (709 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\counter[2].js (1353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\syncnoad[7].xml (592 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\everclips.net\com.jeroenwijering.sxx (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\counter[1].js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\syncnoad[4].xml (689 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\CA2VQRYT.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\syncnoad[2].xml (605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\logo[1].png (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\CA4XM74P.xml (766 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\crossdomain[2].xml (130 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (1489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\count[1].htm (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\noad[1].xml (73 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (728 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#everclips.net\settings.sxx (202 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\syncnoad[5].xml (630 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@amung[1].txt (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\CA8F23EV.xml (756 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\player1[1].swf (8845 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\style[1].css (736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\syncnoad[3].xml (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\syncnoad[6].xml (704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\CAVQDK5D.xml (687 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\syncnoad[4].xml (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\syncnoad[5].xml (762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\syncnoad[1].xml (695 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\style[2].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\CATLWWU9.xml (726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\syncnoad[1].xml (804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\syncnoad[2].xml (708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\analytics[1].js (353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\syncnoad[7].xml (633 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\syncnoad[5].xml (800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\index5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\syncnoad[7].xml (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\page-4[1].html (709 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\page-4[1].htm (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\syncnoad[4].xml (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\syncnoad[5].xml (691 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\CAUVWX23.xml (775 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\func[1].js (3 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sneezespoliticizing[1].txt (197 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\syncnoad[3].xml (652 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@everclips[2].txt (310 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\CA51ZV9K.xml (808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\syncnoad[3].xml (575 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (297 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\syncnoad[6].xml (613 bytes)

The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\1[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\CA2VQRYT.gif (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@everclips[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040920140410\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\player1[1].swf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040920140410 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\style[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\page-4[1].html (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\counter[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sneezespoliticizing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#everclips.net\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\everclips.net\com.jeroenwijering.sxx (0 bytes)

The process 47222.exe:484 makes changes in the file system.
The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp (0 bytes)

The process 7841335.exe:1448 makes changes in the file system.
The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsy5.tmp\SimpleFC.dll (5289 bytes)

The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nss4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy5.tmp\SimpleFC.dll (0 bytes)

The process %original file name%.exe:2024 makes changes in the file system.
The Application creates and/or writes to the following file(s):

%Program Files%\cultivators\beckinsale.exe (1030 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\7841335.exe (3090 bytes)
%Program Files%\hydrophobic\settings.dll (10159 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\hamad.lnk (505 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\47222.exe (1094 bytes)
%WinDir%\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%System%\drivers\etc\hosts (123 bytes)
%WinDir%\settings.dll (10159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\ShellLink.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\AccessControl.dll (13 bytes)
%Program Files%\hydrophobic\scavenges.exe (5020 bytes)
%WinDir%\scavenges.exe (5020 bytes)
%Program Files%\hydrophobic\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\System.dll (11 bytes)

The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\AccessControl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\ShellLink.dll (0 bytes)

The process beckinsale.exe:308 makes changes in the file system.
The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp\ExecCmd.dll (4 bytes)

The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh6.tmp (0 bytes)

Registry activity

The process taskkill.exe:1296 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 7B BE 56 BD FE 73 0F 27 14 B2 49 4F 5E 5D 7C"

The process taskkill.exe:668 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 31 32 2E D2 B6 7C 86 0C F0 66 4A 30 BA 92 AB"

The process scavenges.exe:700 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016092420160925]
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016092420160925]
"CachePrefix" = ":2016092420160925:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016092420160925]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012016092420160925\"

"CacheOptions" = "11"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016092420160925]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 E6 7A 16 4C DC FD E0 42 3F A3 24 42 71 8C 5F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Application modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Application modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Application modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Application deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014040920140410]

The Application deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 47222.exe:484 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 93 06 4D 9F 9E ED 15 0D D7 86 03 40 69 DE C0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process 7841335.exe:1448 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 1A 99 F6 62 CE CB 3D 02 FB DF 20 B8 48 63 DA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process tasklist.exe:1128 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB AE 38 D6 86 12 1E E5 5A 63 26 B5 B2 08 7F 9A"

The process tasklist.exe:508 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 93 A6 53 2C 8F EF A6 7C 2A B4 6C 76 EF 61 FF"

The process tasklist.exe:1188 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 0D 02 9D CB 77 66 0A A8 54 53 21 40 A8 34 F2"

The process tasklist.exe:560 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 76 8B 66 77 1F B4 81 F3 2F 7B B4 2F C0 86 7A"

The process tasklist.exe:528 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 34 E5 D2 A6 07 C0 9A 42 40 29 A8 87 92 FA 49"

The process tasklist.exe:888 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E C0 62 AA 25 16 21 F8 F8 2A F1 B5 1C 90 11 C7"

The process tasklist.exe:456 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 2E 02 1B 2A E3 D7 EC 15 9C 72 90 5F 41 8A D7"

The process tasklist.exe:1768 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B A3 54 F0 53 37 0C 78 FE 92 4D 95 48 4B 38 49"

The process tasklist.exe:500 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 5F 7A 1F 66 14 DD 36 D3 23 F5 91 43 9A 5F A0"

The process tasklist.exe:476 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C B4 BC 98 48 7B 3B E9 8B 70 E2 6F 5A 5A 49 9F"

The process tasklist.exe:1108 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 9B 92 8B CA A1 04 3E 04 98 1E 09 70 39 41 10"

The process tasklist.exe:1496 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 47 BF 0A A0 30 D3 AC DB 8B 6B 32 85 80 4F A4"

The process tasklist.exe:1036 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A F4 C1 F8 53 2C B1 62 2E 8D D1 06 48 CD 8A 86"

The process tasklist.exe:1928 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 2A 31 53 3B 35 A3 92 0D 6F FC 77 04 18 83 D7"

The process tasklist.exe:1756 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 50 E9 4D 72 FB C0 1C 1D 71 B9 D0 A0 02 C1 04"

The process tasklist.exe:504 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 5B 83 6B A3 79 B5 1C BD F4 F0 51 9E FD 54 6B"

The process tasklist.exe:256 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 8E 65 13 60 C1 67 12 13 A1 3A A8 9E FA A8 45"

The process tasklist.exe:492 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 E9 CE 99 45 55 55 A9 84 FA AE 7A D6 C3 C2 1D"

The process tasklist.exe:1312 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 76 B4 36 4C 4D 1D E5 3F 44 39 F1 00 51 CA EB"

The process %original file name%.exe:2024 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 80 80 F0 89 03 9E 5A EE A6 07 5C E7 58 05 0E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Application adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"laplante" = "%Program Files%\hydrophobic\scavenges.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cheapening" = "%Program Files%\hydrophobic\scavenges.exe"

"twitch" = "%Program Files%\hydrophobic\scavenges.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"embellished" = "%Program Files%\hydrophobic\scavenges.exe"

The process beckinsale.exe:308 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 C4 F3 04 38 40 BD DA 04 A3 9A 51 FA 12 C8 7F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Application adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"recoveries" = "%Program Files%\hydrophobic\scavenges.exe"

"beckinsale" = "%Program Files%\cultivators\beckinsale.exe"

The process find.exe:1712 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 52 DA 7F 18 BC F8 75 13 D8 3C BC 52 47 1A 35"

The process find.exe:996 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 59 5E 09 06 4E 05 F0 8A 51 5E 55 8E 70 CB A7"

The process find.exe:1084 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 AC C5 93 9C 54 00 B7 5A 36 69 13 8A B5 48 DE"

The process find.exe:752 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A E5 9C B2 50 0A B7 AE 24 6D 76 A1 70 4F 91 84"

The process find.exe:292 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 F5 DF 15 03 C5 5B DC F3 57 2B 4F 03 A9 B9 52"

The process find.exe:452 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 86 B5 73 F3 C7 D3 16 84 B2 DE 31 CA 06 02 37"

The process find.exe:1048 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 59 F1 12 E7 B1 8E 88 8C 3D 99 B0 FB 76 24 D9"

The process find.exe:212 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 12 B4 29 CB 23 CB B6 74 4C D3 A1 DB B3 45 5F"

The process find.exe:656 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 74 0B 6C 02 D0 55 07 4F 82 5D C9 94 C3 28 77"

The process find.exe:1744 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B E7 01 32 D2 58 91 1A 04 83 8E 09 7B 28 21 9F"

The process find.exe:592 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 1D B9 7F BB 1D D5 75 69 93 8F E1 B4 4C CD F4"

The process find.exe:352 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 68 2E 9E 89 8C 71 E0 9F 96 5D 8D 21 1E FB D8"

The process find.exe:544 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 6A F2 54 4A 03 54 84 DB A3 D9 E5 3E 0B D8 0B"

The process find.exe:1008 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 98 D7 CB 70 74 25 D0 1E FB A0 BA AC AE AD 83"

The process find.exe:252 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 64 9B 09 40 C7 79 3D E8 B8 66 30 34 26 97 23"

The process find.exe:648 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 5D 87 19 CF 73 E9 97 7C F8 63 64 79 7C B4 4C"

The process find.exe:1760 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 8E 56 87 09 E6 63 61 7F 7D A2 E0 AF 20 EB 97"

The process find.exe:256 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 18 5A 2B F7 F0 BA C0 CC 22 FD EC 5D CE 17 42"

The process find.exe:812 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 4B DC EB AC 09 49 33 93 74 DD B5 D2 6F 7B AB"

The process find.exe:1764 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 16 8A F7 01 A6 56 BC 0E BB 55 79 80 53 82 0D"

Dropped PE files

MD5 File path
4a70aa2020197bfad5237309b86ea3a7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\47222.exe
0a99ed69e95582f3f4cbb712f0471bda c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\7841335.exe
b9380b0bea8854fd9f93cc1fda0dfeac c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf7.tmp\ExecCmd.dll
d88126816547db80bd46feb676536d23 c:\Program Files\cultivators\beckinsale.exe
c8ff52bfddc6898c202c08c4a61a3d22 c:\Program Files\hydrophobic\Microsoft.Win32.TaskScheduler.dll
d7afec8bac8a26db0e1af4dcb0770f01 c:\Program Files\hydrophobic\scavenges.exe
476235234a7450e582334c2b6ed54439 c:\Program Files\hydrophobic\settings.dll
c8ff52bfddc6898c202c08c4a61a3d22 c:\WINDOWS\Microsoft.Win32.TaskScheduler.dll
d7afec8bac8a26db0e1af4dcb0770f01 c:\WINDOWS\clemens.exe
476235234a7450e582334c2b6ed54439 c:\WINDOWS\settings.dll

HOSTS file anomalies

The Application modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 857 bytes in size. The following strings are added to the hosts file listed below:

162.222.194.13 cocomo.tremorhub.com
162.222.194.13 www.virustotal.com
162.222.194.13 virustotal.com


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 86016 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 278528 2536 2560 3.13622 b9f20defc9dd650d8dcc7fc5d4708ad4

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 110
7bcde813c50a0b0e20e5f9f233bc3040
29de0a3a7170f7dd71267eee2449b462
ca004345bdd1cb292744ed711de04d19
2a9af6bcab5eb49d9a62a6ea72cdd286
e4e8ea421895b321bea9afa16d8a6fb5
851b5de8d1e586ba0301b1027800dea8
54c304cd37a8ae6ce5c21d5a5240d80c
f4ae937348a591e02f7ccb79f47cdc1f
c27730e88a7e5003ff846e8f0e578968
023529d5b4f5db6fc3e123bf47ac15d6
8e38be8c510a94c0a96ee39bc32ed333
14055969428fc76bc66b28491ff90d63
2b8b2136bdf153f722ecd721fabcf1aa
9dec231998f0f3d8301aa5c1a6e0119f
0affe53e87c71d2b7f9066427a5d71e5
3f92282b316430f68d847ff93565f264
1f4ab1b0f88d2b1805bcfbdaa2c461f1
3fadc54dc0f9a4e6af4b370749973ec3
2d43a582840285217ab6adaf45ff8c22
4ad98fe1fd6a020f491e31eb4aa16205
562254cc7ac0f92876c4964400fb6cd7
a261aa83665bed04243da16ecade0df0
bea91233ff3a67b260b02a18d7cb54c2
b1a5b5b97ab40559c62f27923a7322c1
830674c88d54f6aa3c6f1bcf72147f75

URLs

URL IP
hxxp://d3cpqb3ouewn5u.cloudfront.net/index5.php?id=13AxV6qwI0DELysbPzvn&date=2016-09-10&p=none&t=
hxxp://www.clangburkitt.info/count.php?id=13AxV6qwI0DELysbPzvn&date=2016-09-10&p=none&t=&rand= 162.222.194.132
hxxp://cocomo.tremorhub.com/itd.php?id=13AxV6qwI0DELysbPzvn&date=2016-09-10&p=none&t=&rand=
hxxp://www-google-analytics.l.google.com/analytics.js
hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j46&a=1328718889&t=pageview&_s=1&dl=http://www.sneezespoliticizing.pw/index5.php?id=13AxV6qwI0DELysbPzvn&date=2016-09-10&p=none&t=&ul=en-us&de=utf-8&dt=add&sd=32-bit&sr=1916x902&vp=679x408&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1820530431&cid=275100794.1474669669&tid=UA-74694740-5&_r=1&z=1493545654
hxxp://d3cpqb3ouewn5u.cloudfront.net/func.js?r=5
hxxp://c.statcounter.com/10114910/0/757d7213/1/ 104.20.3.47
hxxp://whos.amung.us/cwidget/iebrowser1/000000ffffff.png 67.202.94.86
hxxp://b770b459a2.site.internapcdn.net/page-4.html?lid=937115
hxxp://109.201.148.40/report1.php?url=/everclips/page-4.html?lid=937115
hxxp://widgets.amung.us/draw/?w=colored&n=1660&c=000000ffffff&p= 173.192.200.70
hxxp://everclips.net/jwplayer1.js 162.222.194.11
hxxp://109.201.148.40/bck.php?1474669672000
hxxp://everclips.net/1.js 162.222.194.11
hxxp://b770b459a2.site.internapcdn.net/page-4.htm?lid=937115
hxxp://109.201.148.40/report1.php?url=/everclips/page-4.htm?lid=937115
hxxp://109.201.148.40/bck.php?1474669673000
hxxp://everclips.net/player1.swf 162.222.194.11
hxxp://g1.panthercdn.com/counter/counter.js
hxxp://c.statcounter.com/t.php?sc_project=10675947&java=1&security=299981d6&u1=AE6DCCEC6DE64FDB7C6913056BE81137&sc_random=0.14739253353705806&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1916&h=902&camefrom=http://www.everclips.net/page-4.html?lid=937115&u=http://www.everclips.net/page-4.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1 104.20.3.47
hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j46&a=49617149&t=pageview&_s=1&dl=http://www.everclips.net/page-4.htm?lid=937115&ul=en-us&de=utf-8&sd=32-bit&sr=1916x902&vp=850x480&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=394821786&cid=773942889.1474669675&tid=UA-74694740-2&_r=1&z=1049102214
hxxp://b770b459a2.site.internapcdn.net/style.css
hxxp://b770b459a2.site.internapcdn.net/img/logo.png
hxxp://b770b459a2.site.internapcdn.net/img/bgg.png
hxxp://cs28.wpc.thetacdn.net/5/10/logo.png
hxxp://everclips.net/ova-jw.swf 162.222.194.11
hxxp://www.sneezespoliticizing.pw/index5.php?id=13AxV6qwI0DELysbPzvn&date=2016-09-10&p=none&t= 52.85.185.23
hxxp://www.google-analytics.com/analytics.js 173.194.113.206
hxxp://www.statcounter.com/counter/counter.js 151.249.89.141
hxxp://www.everclips.net/page-4.htm?lid=937115 69.88.149.139
hxxp://www.sneezespoliticizing.pw/func.js?r=5 52.85.185.23
hxxp://www.everclips.net/page-4.html?lid=937115 69.88.149.139
hxxp://www.google-analytics.com/r/collect?v=1&_v=j46&a=49617149&t=pageview&_s=1&dl=http://www.everclips.net/page-4.htm?lid=937115&ul=en-us&de=utf-8&sd=32-bit&sr=1916x902&vp=850x480&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=394821786&cid=773942889.1474669675&tid=UA-74694740-2&_r=1&z=1049102214 173.194.113.206
hxxp://www.everclips.net/style.css 69.88.149.139
hxxp://www.google-analytics.com/r/collect?v=1&_v=j46&a=1328718889&t=pageview&_s=1&dl=http://www.sneezespoliticizing.pw/index5.php?id=13AxV6qwI0DELysbPzvn&date=2016-09-10&p=none&t=&ul=en-us&de=utf-8&dt=add&sd=32-bit&sr=1916x902&vp=679x408&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1820530431&cid=275100794.1474669669&tid=UA-74694740-5&_r=1&z=1493545654 173.194.113.206
hxxp://l.longtailvideo.com/5/10/logo.png 93.184.221.48
hxxp://www.everclips.net/img/bgg.png 69.88.149.139
hxxp://www.everclips.net/img/logo.png 69.88.149.139


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Outdated Windows Flash Version IE

Traffic

GET /player1.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.everclips.net/page-4.htm?lid=937115
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: everclips.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 06:33:49 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 13:46:26 GMT
ETag: "4403c4-1bb61-4fbe0230ad080"
Accept-Ranges: bytes
Content-Length: 113505
Cache-Control: max-age=2592000, public
Expires: Sat, 26 Aug 2017 06:33:49 GMT
Connection: close
Content-Type: application/x-shockwave-flash
CWS..`..x..}.\...x...@).....JCQJ...t.S.:.s..P.M.".."D.=.E."!.G.Q."....
y...~_..|>o.....u?o......."..>...Z}....u......X....^...8\.3..7,V
$.;[Y%%%[email protected]../[email protected]..
...8$.i.p... .Z.X.......<A.C4...s.L...*.B..c.'1...h.C.;.J.....E.d..
...... .........X...%[.x.m2@oK&/../...LtM..P..|.0._..a.c..x17..K.....6
L....z....z...#f. .=..:i...!B.O.s..:..`kmc.-............ xh6).UpWB.6..
..UC.SQ.1^..3.]3x4z.o..>...7F.`s..,.G.K.s.)........ $E..[O..O......
......w.....0.Jw....qCv.........&L..I...0.g...z%...k.s_....B.V....f- .
y>..6.e..v...O..R.4u...J?.q.........o?.........._.8i.........L'._s.
...ug......N..h..[....s/.[X>.G...9....k...O...L;.,X.p......... ....
r&.c..F.>._w.. {.2...b..ri..=.C.N#M..|..(&..8........9..,.S.....KhS
.}.......~..i....W...?....7.S\...eS..*&.S.z.\:....#!cng.}5...I.*I;....
'.M...U..3^s.l....^.7..sp.......Z_..wJ.....O.;0e... ..f\.t..{....5v}..
=..9...1..C..?..4.R.....[G7W..=h|...a..p../s..]......^...K.r..]T..... 
....j..V7.r.9l.........,zf..U.c..$b..n.}...^..B=.-.RP....Y.......aB.f.
...9...Vuzz.M\../b............8n...2..^Y..%u..n,...x.....,.;..s.r..]|8
...v......u.m........=.n..9.&{.B......D_JU.7.<.....>gz.<....O
.4..zQhiWf....aOL.-.bE..2yU.S..)g6Z...m...m..s....ly.....Q.us..ci....[
k?M.7p.e.....yG.'.8...R.....m_/z.>p.......=....B..w..zwQ\P..B...Bn.
2..>K..F....>.xLy..`...%..`.._......'5.9..V../z.....E..;....h)..
_..>...........{^.....p&x.Q....;YH..E.6.<m..8n... a...#U~.5S(wr2
V....h..Y^.'^.....y.8:........Q....^[..nK....hq...5..[...i94$.....
<<< skipped >>>


GET /analytics.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.sneezespoliticizing.pw/index5.php?id=13AxV6qwI0DELysbPzvn&date=2016-09-10&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 23 Sep 2016 20:31:55 GMT
Expires: Fri, 23 Sep 2016 22:31:55 GMT
Last-Modified: Mon, 15 Aug 2016 04:25:11 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 11590
Age: 6948
Cache-Control: public, max-age=7200
...........}iw..........tc.m'.a.i|B...F6 ...%.6.F.....o..JR/..{.....s'
V..VK..J.W..Hz...=....S....=$......l.j.......d....?Q...-..K...j(FR..W]
.b._..V.Ea-.6u.......D..gF.....[.<..W...../............`z.....g.l..
~.............>..........GB..N....?...?.I2.....U...o<.....W.;...
x qq......J.......zC.q...?.<.....P.."..[.|.....\P.c...[8.......FB;/
..#..N.........,.:..}.mw.....Bx..?...r=&`..,Q....)j.v..f3.._.y....<
.}..........y.5..l...fk..E.B7].X....%. h...6m...J$O.......!=.P,..$qo..
...]]..8g?....f..Oj......M..b4.$.T$...{...R..^......_.63T-.e..#h7Y.F..
~..}..Q....\..Z.2KKO...on8..%.!.n.."V<Qo.j......0. .o{2..u(uU..M.8.
E..FDs6.y.....7..\..g.....x4.7<.......yg.{f.....>.k/s..V..k....)
....s)..@...$QC.7..\.P*I..uI.E.........U..7.<.]Wy.0.....]..........
..*.2.[.0 @e.1....qXT._... .!8..IO..........L%..}.6.%.u6'"...."*.>.
........[.U]..O.k.p.........C'QwI......*..~([email protected]
..........<[email protected]..=.y.1..M....D...G..P..O..s.v)/[.....
q.......e.s*.aE3"p[..J.[Xj<}.....u...^^.=.....u.....V....sR....Z...
...Uo....P\........M.!,L..v...[....'.hBd.n.....rr....c..@=.o.N..|A....
C..-.D...ju....E.t....s.......p$.7.HT....S...!.4....]./.X.......C.C.[.
X....~..B.d.../.e.4..O.r*q`.....d.....b...t........../^6.jg:B........'
....x4...w;D...J1.._`.@].s...'*U....&.a.KFD....<[email protected].?U..a...P
..J.V..\%...O'].Q...[.7....Fn...0tgA.2S.#-....._..%....q......f..9...z
Z...l==.R [email protected]...."......[.....".".;..YBf....~.....m.$....d42?.9f..K@
........7.Q_..w.<-...;z..|..*..>...D...(?r.....@F.. ..P]...2
<<< skipped >>>

GET /r/collect?v=1&_v=j46&a=1328718889&t=pageview&_s=1&dl=http://VVV.sneezespoliticizing.pw/index5.php?id=13AxV6qwI0DELysbPzvn&date=2016-09-10&p=none&t=&ul=en-us&de=utf-8&dt=add&sd=32-bit&sr=1916x902&vp=679x408&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1820530431&cid=275100794.1474669669&tid=UA-74694740-5&_r=1&z=1493545654 HTTP/1.1


Accept: */*
Referer: hXXp://VVV.sneezespoliticizing.pw/index5.php?id=13AxV6qwI0DELysbPzvn&date=2016-09-10&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Fri, 23 Sep 2016 22:27:44 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
GIF89a.............,...........D..;HTTP/1.1 200 OK..Access-Control-All
ow-Origin: *..Date: Fri, 23 Sep 2016 22:27:44 GMT..Pragma: no-cache..E
xpires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, no-sto
re, must-revalidate..Last-Modified: Sun, 17 May 1998 03:00:00 GMT..X-C
ontent-Type-Options: nosniff..Content-Type: image/gif..Server: Golfe2.
.Content-Length: 35..GIF89a.............,...........D..;....


GET /r/collect?v=1&_v=j46&a=49617149&t=pageview&_s=1&dl=http://VVV.everclips.net/page-4.htm?lid=937115&ul=en-us&de=utf-8&sd=32-bit&sr=1916x902&vp=850x480&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=394821786&cid=773942889.1474669675&tid=UA-74694740-2&_r=1&z=1049102214 HTTP/1.1


Accept: */*
Referer: hXXp://VVV.everclips.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Fri, 23 Sep 2016 22:27:49 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
GIF89a.............,...........D..;HTTP/1.1 200 OK..Access-Control-All
ow-Origin: *..Date: Fri, 23 Sep 2016 22:27:49 GMT..Pragma: no-cache..E
xpires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, no-sto
re, must-revalidate..Last-Modified: Sun, 17 May 1998 03:00:00 GMT..X-C
ontent-Type-Options: nosniff..Content-Type: image/gif..Server: Golfe2.
.Content-Length: 35..GIF89a.............,...........D..;..



GET /1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.everclips.net/page-4.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: everclips.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 06:33:47 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.5.30
Cache-Control: max-age=0
Expires: Sat, 24 Sep 2016 06:33:47 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8



GET /jwplayer1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.everclips.net/page-4.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: everclips.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 06:33:46 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 02 Jun 2016 05:31:59 GMT
ETag: "4403af-25d37-53444eccf91c0"
Accept-Ranges: bytes
Content-Length: 154935
Cache-Control: max-age=2592000, public
Expires: Sat, 26 Aug 2017 06:33:46 GMT
Connection: close
Content-Type: text/javascript
var dtn = Date.parse(new Date().toString());..document.write(unescape(
'



beckinsale.exe_308:




.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf7.tmp\ExecCmd.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf7.tmp\ExecCmd.dll
"%Program Files%\hydrophobic\scavenges.exe"
.reloc
EnumWindows
ExecCmd.dll
Kernel32.DLL
e%uy%u
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf7.tmp
nsf7.tmp
rogram Files\hydrophobic\scavenges.exe"
q scavenges.exe" | %SystemRoot%\System32\find /I "scavenges.exe"
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf7.tmp
"%Program Files%\cultivators\beckinsale.exe"
%Program Files%\cultivators
beckinsale.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh6.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%Program Files%\cultivators\beckinsale.exe
Software\Microsoft\Windows\CurrentVersion\Run
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
ators\beckinsale.exe"
phobic\scavenges.exe"






Remove it with Ad-Aware




    

  1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. 

  2. Update the definition files.
    3. 

  3. Run a full scan of your computer.
    4. 





Manual removal*




    

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):
    

    taskkill.exe:1296
    taskkill.exe:668
    47222.exe:484
    7841335.exe:1448
    tasklist.exe:1128
    tasklist.exe:508
    tasklist.exe:1188
    tasklist.exe:560
    tasklist.exe:528
    tasklist.exe:888
    tasklist.exe:456
    tasklist.exe:1768
    tasklist.exe:500
    tasklist.exe:476
    tasklist.exe:1108
    tasklist.exe:1496
    tasklist.exe:1036
    tasklist.exe:1928
    tasklist.exe:1756
    tasklist.exe:504
    tasklist.exe:256
    tasklist.exe:492
    tasklist.exe:1312
    %original file name%.exe:2024
    beckinsale.exe:308
    find.exe:1712
    find.exe:996
    find.exe:1084
    find.exe:752
    find.exe:292
    find.exe:452
    find.exe:1048
    find.exe:212
    find.exe:656
    find.exe:1744
    find.exe:592
    find.exe:352
    find.exe:544
    find.exe:1008
    find.exe:252
    find.exe:648
    find.exe:1760
    find.exe:256
    find.exe:812
    find.exe:1764
    

    2. 

  2. Delete the original Application file.
    3. 

  3. Delete or disinfect the following files created/modified by the Application:
    

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\crossdomain[2].xml (82 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\CAOTE15Q.gif (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\syncnoad[1].xml (617 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\CAQNWTQV.xml (756 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\CAQ3WXYV.xml (722 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\CAFJ4KGE.xml (848 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\bgg[1].png (198 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@sneezespoliticizing[2].txt (346 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\CAMJM7AF.xml (811 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\syncnoad[2].xml (634 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\CAUFUD56.xml (856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\CA0XSNW5.xml (812 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\syncnoad[2].xml (705 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\syncnoad[1].xml (693 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\syncnoad[4].xml (687 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\1[1].gif (49 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (1082 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\player1[1].swf (11393 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (15228 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\itd[1].htm (1118 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\CALVL4K4.xml (771 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (556 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\CAU4KCGG.xml (760 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\crossdomain[3].xml (144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\syncnoad[3].xml (596 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\wau-widget[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\CA2FS5Y3.xml (760 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\CAC1YL8R.xml (710 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (1068 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\jwplayer1[1].js (73901 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\syncnoad[6].xml (701 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\logo[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\crossdomain[1].xml (144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\ova-jw[1].swf (18321 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@everclips[1].txt (179 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\page-4[1].htm (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\CA52W54W.xml (807 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\CA5SNBXC.xml (714 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\page-4[1].htm (709 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\counter[2].js (1353 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\syncnoad[7].xml (592 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\everclips.net\com.jeroenwijering.sxx (80 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\counter[1].js (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\crossdomain[1].xml (144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\syncnoad[4].xml (689 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\CA2VQRYT.gif (35 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\syncnoad[2].xml (605 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\logo[1].png (723 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\CA4XM74P.xml (766 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\crossdomain[2].xml (130 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (1489 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\count[1].htm (47 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\noad[1].xml (73 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (728 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#everclips.net\settings.sxx (202 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\syncnoad[5].xml (630 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@amung[1].txt (163 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\CA8F23EV.xml (756 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\player1[1].swf (8845 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\style[1].css (736 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\syncnoad[3].xml (599 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\syncnoad[6].xml (704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\CAVQDK5D.xml (687 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\syncnoad[4].xml (693 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\syncnoad[5].xml (762 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\syncnoad[1].xml (695 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\style[2].css (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\CATLWWU9.xml (726 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\syncnoad[1].xml (804 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\syncnoad[2].xml (708 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\analytics[1].js (353 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\syncnoad[7].xml (633 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\syncnoad[5].xml (800 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\index5[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\syncnoad[7].xml (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\page-4[1].html (709 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\syncnoad[4].xml (503 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\syncnoad[5].xml (691 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\CAUVWX23.xml (775 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\func[1].js (3 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@sneezespoliticizing[1].txt (197 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\syncnoad[3].xml (652 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@everclips[2].txt (310 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\CA51ZV9K.xml (808 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\syncnoad[3].xml (575 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (297 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\syncnoad[6].xml (613 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy5.tmp\SimpleFC.dll (5289 bytes)
    %Program Files%\cultivators\beckinsale.exe (1030 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\7841335.exe (3090 bytes)
    %Program Files%\hydrophobic\settings.dll (10159 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\hamad.lnk (505 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\47222.exe (1094 bytes)
    %WinDir%\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
    %System%\drivers\etc\hosts (123 bytes)
    %WinDir%\settings.dll (10159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\ShellLink.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\AccessControl.dll (13 bytes)
    %Program Files%\hydrophobic\scavenges.exe (5020 bytes)
    %WinDir%\scavenges.exe (5020 bytes)
    %Program Files%\hydrophobic\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp\ExecCmd.dll (4 bytes)
    

    4. 

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):
    

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "laplante" = "%Program Files%\hydrophobic\scavenges.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "cheapening" = "%Program Files%\hydrophobic\scavenges.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "twitch" = "%Program Files%\hydrophobic\scavenges.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "embellished" = "%Program Files%\hydrophobic\scavenges.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "recoveries" = "%Program Files%\hydrophobic\scavenges.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "beckinsale" = "%Program Files%\cultivators\beckinsale.exe"
    

    5. 

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    
    127.0.0.1       localhost
    6. 

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    7. 

  7. Reboot the computer.
    8. 



*Manual removal may cause unexpected system behaviour and should be performed at your own risk.












 
 




 
No votes yet












				


							


			

				
					  
							

		

		


					
							

	

	
	        


	

        
      
 

      
      

      
    
 

    
  
 

		


		

		
			

			

				

					Lavasoft is the maker of Ad-Aware,
					the world's most popular anti-malware 
					software with over 450 million 
					downloads.
				

				

					© 2026 Lavasoft. All rights reserved.

					Terms Of Use |   Privacy Policy
					


								

			


		

		


	

	
	

	

		x
		
Our best antivirus yet!

		
Fresh new look. Faster scanning. Better protection.

		

			
Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

			
For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

			
			Download adaware antivirus 12
		

		No thanks, continue to lavasoft.com
	

	

		

			close x
			
Discover the new adaware antivirus 12

			
Our best antivirus yet

			Download Now