Trojan-Dropper.Small_681d839a35

by malwarelabrobot on March 23rd, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic.pak!cobra (VIPRE), Trojan-Dropper.Small!IK (Emsisoft)
Behaviour: Trojan-Dropper, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 681d839a35c8ed276b3a855f83208542
SHA1: c5ca43921ab16b73ac60da9ac7b0d605b04b5554
SHA256: 1c0f5f729e12d6d72a0e8ed3a12592286ad677fe4c49b77e6f988ca27e509105
SSDeep: 12288:4ZCAbIe6evbqHkVTDiUSjOX/AWEbYcTwqjQNkmYU:dET6ObqE91eFjQi
Size: 745472 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2013-07-16 07:31:14
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Dropper: a Trojan program intended for the stealthy installation of other malware on the user's system.

Payload

No specific payload has been found.

Process activity

The Trojan-Dropper creates the following process(es):

srchass.exe:456
%original file name%.exe:344
%original file name%.exe:1860
adobe.exe:1524

The Trojan-Dropper injects its code into the following process(es):

srchass.exe:1744
srchass.exe:2004
adobe.exe:1548

File activity

The process srchass.exe:1744 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\11298[1] (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@hottvgame[1].txt (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\11297[1] (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\437c26_4676b7504cee13b773a13c70827e7e6b[1].htm (798 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\kompyang-shrimp-mushrooms[1] (1898 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@yahoo[1].txt (988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\11299[2] (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\st[2] (1862 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\jquery[1].js (34989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@yahoo[2].txt (1160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@creafi-online-media[2].txt (504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\p2.adhitzads[1] (841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\kompyang-shrimp-mushrooms[1].htm (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[9].htm (753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_4676b7504cee13b773a13c70827e7e6b[1].html (338 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\st[2].com (542 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\11297[1] (1600 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_58bb79633f2239a8625ce2ef473585d5[1].html (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\CZ77JqUMP3[1].htm (280 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\16463376[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\imp[1].html&M=5&r=0 (910 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\hottvgame[1].xml (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\index.dat (22128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_22d2c032873bd164a539f92b194a84e9[1].html (167 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\imp[2].html&M=5&r=0 (935 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\html5[1].js (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\ttj[10].htm (753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\adretargeting[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\CA8127G5.htm (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\ttj[6].htm (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\imp[1].com/&M=3&r=0 (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\family-anger-erupts-as-malaysia-jet-search-enters-12th-day[1].htm (3317 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\ttj[3].htm (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\437c26_2a7d7dbdf7ea44c0c1a2b0d82707efc4[1].htm (958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@hottvgame[2].txt (292 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\ttj[2].htm (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\imp[2].html&M=5&r=0 (935 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\style[1].css (2939 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\kompyang-shrimp-mushrooms[1] (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\imp[2].com/&M=3&r=0 (670 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\ttj[3].htm (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\11298[2] (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\437c26_59a683db56b35772216d07cabed45b9c[1].html (127 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\tag[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\ttj[4].htm (753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\serv[1].htm (802 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\532e2ba977519369971961dzhakkas[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\tag[1].js (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\11299[1] (802 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\ttj[1].htm (774 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[1].htm (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\imp[1].html&M=5&r=0 (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\imp[3].html&M=5&r=0 (910 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\ttj[2].htm (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\kompyang-shrimp-mushrooms[1].htm (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\serv[1].htm (944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\st[1] (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\st[1].com (561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\CZ77JqUMP3[1] (197 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\11298[1] (802 bytes)
%WinDir%\Debug\UserMode\userenv.log (6164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\CAKPO1SZ.htm (1513 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\style[2].css (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\437c26_59a683db56b35772216d07cabed45b9c[1].html (127 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\imp[3].com/&M=3&r=0 (585 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\tag[2].js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\300x250[1].htm (376 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\437c26_58bb79633f2239a8625ce2ef473585d5[1].html (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\hottvgame[1].htm (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\CAW1M1HU.htm (793 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\st[1] (1891 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[8].htm (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\532e2ba977519369971961dzhakkas[1].com6855 (1007 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[3].htm (753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\437c26_22d2c032873bd164a539f92b194a84e9[1].html (167 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\show_i[1].htm (2199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\hottvgame[1] (662 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\11298[1] (802 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\st[2] (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\ttj[8].htm (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\[email protected][2].txt (12068 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\437c26_22d2c032873bd164a539f92b194a84e9[1].htm (818 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\11297[2] (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_2a7d7dbdf7ea44c0c1a2b0d82707efc4[1].htm (958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@creafi-online-media[1].txt (281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\ttj[9].htm (753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@adnxs[1].txt (2917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@zhakkas[1].txt (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[7].htm (742 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\style[1].css (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@adnxs[2].txt (2720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\st[3].com (541 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[5].htm (753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\st[1] (302 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_59a683db56b35772216d07cabed45b9c[1].htm (598 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\jquery-migrate.min[1].js (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\11299[2] (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\style[1].css (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\437c26_58bb79633f2239a8625ce2ef473585d5[1].htm (446 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\CA8D6JGH.htm (768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\11299[1] (802 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\[email protected][1].txt (12446 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\st[1] (323 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\300x250[1].php (298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\imp[1].html&M=5&r=0 (921 bytes)

The Trojan-Dropper deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\serv[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\show_i[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@adnxs[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\11298[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@hottvgame[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\style[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\serv[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\11297[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\437c26_22d2c032873bd164a539f92b194a84e9[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\tt[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\437c26_2a7d7dbdf7ea44c0c1a2b0d82707efc4[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\437c26_4676b7504cee13b773a13c70827e7e6b[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\kompyang-shrimp-mushrooms[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_22d2c032873bd164a539f92b194a84e9[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\11298[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@yahoo[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\11299[2] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\CZ77JqUMP3[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\437c26_22d2c032873bd164a539f92b194a84e9[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\hottvgame[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\CAKPO1SZ.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@yahoo[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\437c26_59a683db56b35772216d07cabed45b9c[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\11298[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_4676b7504cee13b773a13c70827e7e6b[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_59a683db56b35772216d07cabed45b9c[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\11297[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\CA8D6JGH.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\tag[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\tt[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_58bb79633f2239a8625ce2ef473585d5[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\437c26_58bb79633f2239a8625ce2ef473585d5[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\437c26_58bb79633f2239a8625ce2ef473585d5[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\CAW1M1HU.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\tt[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\seg[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\11299[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\serv[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\11299[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\kompyang-shrimp-mushrooms[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\437c26_59a683db56b35772216d07cabed45b9c[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\300x250[1].php (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\adretargeting[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@creafi-online-media[1].txt (0 bytes)

The process srchass.exe:2004 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\style[1].css (806 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\url[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\stat[1].php (1121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\tongji[1].js (1969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\sound_high[1].gif (356 bytes)
%System%\CatRoot2\dberr.txt (481 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (327 bytes)
%Documents and Settings%\%current user%\Application Data\Spiritsoft\urlspirit\bd.dat (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\splogo[1].png (1 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (201 bytes)
%Documents and Settings%\%current user%\Application Data\Spiritsoft\urlspirit\product.dat (1090 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\core[1].php (800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\alexa[1].png (2 bytes)
%Documents and Settings%\%current user%\Application Data\Spiritsoft\urlspirit\tcfg.dat (1 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5300 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@linezing[1].txt (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\mini[1].js (5 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@spiritsoft[1].txt (185 bytes)

The process %original file name%.exe:344 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\System\Services\winlogon.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\srchass.exe (3728 bytes)
%System%\drivers\etc\hosts (605 bytes)

The process %original file name%.exe:1860 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\adobe.exe (5441 bytes)

The process adobe.exe:1524 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\System\Services\winlogon.exe (5441 bytes)
%System%\drivers\etc\hosts (605 bytes)

The Trojan-Dropper deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\System\Services\winlogon.exe (0 bytes)

The process adobe.exe:1548 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

%System%\drivers\etc\hosts (42 bytes)

Registry activity

The process srchass.exe:1744 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "srchass.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1363225983"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 BC 23 49 FF D3 58 F4 61 3C 9C 06 06 E8 15 35"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-Dropper modifies IE security-zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Dropper modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Dropper modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Dropper deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process srchass.exe:456 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 AD CC BF B1 69 99 13 D7 4A 42 1E F6 6C E1 76"

The process srchass.exe:2004 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "srchass.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1363225983"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A A1 58 92 E9 1C FC 4B 8C AC 53 01 A5 4B 26 A9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-Dropper modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Dropper modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Dropper modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Dropper adds a rule to the Windows Firewall that allows its dropped file any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"srchass.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\srchass.exe:*:Enabled:精灵软件"

To run itself automatically each time Windows is booted, the Trojan-Dropper adds the following reference to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"urlspace" = "%Documents and Settings%\%current user%\Local Settings\Temp\srchass.exe -h"

The Trojan-Dropper deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:344 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 F5 0B D1 2B A3 71 96 73 84 F6 A4 B3 E5 7A AF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"srchass.exe" = "????"

To run itself automatically each time Windows is booted, the Trojan-Dropper adds the following reference to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"winlogon" = "%Documents and Settings%\%current user%\Application Data\Microsoft\System\Services\winlogon.exe"

The Trojan-Dropper modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Dropper modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

The Trojan-Dropper modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:1860 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 24 DE 54 B5 A0 2B 49 2F C9 20 20 82 C6 42 B6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"adobe.exe" = "Smadav Antivirus Lokal Indonesia"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan-Dropper modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Dropper modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

The Trojan-Dropper modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

The process adobe.exe:1524 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 C7 51 40 28 3F AE 0F 2F 0A 1A B9 2F 03 FB A4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To run itself automatically each time Windows is booted, the Trojan-Dropper adds the following reference to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"winlogon" = "%Documents and Settings%\%current user%\Application Data\Microsoft\System\Services\winlogon.exe"

The Trojan-Dropper modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Dropper modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

The Trojan-Dropper modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

The process adobe.exe:1548 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA B9 CE AA A7 6A 05 72 F5 55 55 C5 AC E4 D3 1F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To run itself automatically each time Windows is booted, the Trojan-Dropper adds the following reference to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\adobe.exe"

Network activity (URLs)



HOSTS file anomalies

The Trojan-Dropper modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses before DNS is consulted.
The modified file is 647 bytes in size. The following entries are added to the hosts file:

127.0.0.1 www.virustotal.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.avira.com
127.0.0.1 www.avast.com
127.0.0.1 www.symantec.com
127.0.0.1 www.clamwin.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.comodo.com
127.0.0.1 www.norton.com
127.0.0.1 www.avg.com
127.0.0.1 www.novirusthanks.org
127.0.0.1 virusscan.jotti.org
127.0.0.1 www.viruschief.com
127.0.0.1 www.fortiguard.com
127.0.0.1 www.bitdefender.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.facebook.com
127.0.0.1 www.youtube.com
127.0.0.1 www.smadav.com
127.0.0.1 www.google.com
127.0.0.1 www.bing.com
127.0.0.1 www.smadav.net
127.0.0.1 http://youtube.com


Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    srchass.exe:456
    %original file name%.exe:344
    %original file name%.exe:1860
    adobe.exe:1524

  2. Delete the original Trojan-Dropper file.
  3. Delete or disinfect the following files created/modified by the Trojan-Dropper:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\11298[1] (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@hottvgame[1].txt (140 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\11297[1] (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\437c26_4676b7504cee13b773a13c70827e7e6b[1].htm (798 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\kompyang-shrimp-mushrooms[1] (1898 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@yahoo[1].txt (988 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\11299[2] (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\st[2] (1862 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\jquery[1].js (34989 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@yahoo[2].txt (1160 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@creafi-online-media[2].txt (504 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\p2.adhitzads[1] (841 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\kompyang-shrimp-mushrooms[1].htm (293 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[9].htm (753 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_4676b7504cee13b773a13c70827e7e6b[1].html (338 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\st[2].com (542 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\11297[1] (1600 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_58bb79633f2239a8625ce2ef473585d5[1].html (97 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\CZ77JqUMP3[1].htm (280 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\16463376[1].js (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\imp[1].html&M=5&r=0 (910 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\hottvgame[1].xml (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\index.dat (22128 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_22d2c032873bd164a539f92b194a84e9[1].html (167 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\imp[2].html&M=5&r=0 (935 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\html5[1].js (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\ttj[10].htm (753 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\adretargeting[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\CA8127G5.htm (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\ttj[6].htm (725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\imp[1].com/&M=3&r=0 (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\family-anger-erupts-as-malaysia-jet-search-enters-12th-day[1].htm (3317 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\ttj[3].htm (725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\437c26_2a7d7dbdf7ea44c0c1a2b0d82707efc4[1].htm (958 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@hottvgame[2].txt (292 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\ttj[2].htm (725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\imp[2].html&M=5&r=0 (935 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\style[1].css (2939 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\kompyang-shrimp-mushrooms[1] (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\imp[2].com/&M=3&r=0 (670 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\ttj[3].htm (725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\11298[2] (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\437c26_59a683db56b35772216d07cabed45b9c[1].html (127 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\tag[1].js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\ttj[4].htm (753 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\serv[1].htm (802 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\532e2ba977519369971961dzhakkas[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\tag[1].js (312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\11299[1] (802 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\ttj[1].htm (774 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[1].htm (725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\imp[1].html&M=5&r=0 (921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\imp[3].html&M=5&r=0 (910 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\ttj[2].htm (725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\kompyang-shrimp-mushrooms[1].htm (293 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\serv[1].htm (944 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\st[1] (337 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\st[1].com (561 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\CZ77JqUMP3[1] (197 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\11298[1] (802 bytes)
    %WinDir%\Debug\UserMode\userenv.log (6164 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\CAKPO1SZ.htm (1513 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\style[2].css (17 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\437c26_59a683db56b35772216d07cabed45b9c[1].html (127 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\imp[3].com/&M=3&r=0 (585 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\tag[2].js (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\300x250[1].htm (376 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\437c26_58bb79633f2239a8625ce2ef473585d5[1].html (97 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\hottvgame[1].htm (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\CAW1M1HU.htm (793 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\st[1] (1891 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[8].htm (725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\532e2ba977519369971961dzhakkas[1].com6855 (1007 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[3].htm (753 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\437c26_22d2c032873bd164a539f92b194a84e9[1].html (167 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\show_i[1].htm (2199 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\hottvgame[1] (662 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\11298[1] (802 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\ttj[8].htm (725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\[email protected][2].txt (12068 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\437c26_22d2c032873bd164a539f92b194a84e9[1].htm (818 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\11297[2] (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_2a7d7dbdf7ea44c0c1a2b0d82707efc4[1].htm (958 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@creafi-online-media[1].txt (281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\ttj[9].htm (753 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@adnxs[1].txt (2917 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@zhakkas[1].txt (186 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[7].htm (742 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\style[1].css (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Current_User@adnxs[2].txt (2720 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\st[3].com (541 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\ttj[5].htm (753 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\3WW53BJ0\437c26_59a683db56b35772216d07cabed45b9c[1].htm (598 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\jquery-migrate.min[1].js (769 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\11299[2] (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\style[1].css (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\8Z2KGY4H\437c26_58bb79633f2239a8625ce2ef473585d5[1].htm (446 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\CA8D6JGH.htm (768 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\11299[1] (802 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\[email protected][1].txt (12446 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\st[1] (323 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\2NMVCTOZ\300x250[1].php (298 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\taskcore-iecache-0\Content.IE5\4DABM5A5\imp[1].html&M=5&r=0 (921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\style[1].css (806 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\url[1].htm (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\stat[1].php (1121 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\tongji[1].js (1969 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (161 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\sound_high[1].gif (356 bytes)
    %System%\CatRoot2\dberr.txt (481 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\stat[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (327 bytes)
    %Documents and Settings%\%current user%\Application Data\Spiritsoft\urlspirit\bd.dat (676 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\splogo[1].png (1 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (201 bytes)
    %Documents and Settings%\%current user%\Application Data\Spiritsoft\urlspirit\product.dat (1090 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\core[1].php (800 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\alexa[1].png (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Spiritsoft\urlspirit\tcfg.dat (1 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (5300 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@linezing[1].txt (165 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\mini[1].js (5 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@spiritsoft[1].txt (185 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\System\Services\winlogon.exe (5441 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\srchass.exe (3728 bytes)
    %System%\drivers\etc\hosts (605 bytes)
    %Documents and Settings%\%current user%\Application Data\adobe.exe (5441 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "urlspace" = "%Documents and Settings%\%current user%\Local Settings\Temp\srchass.exe -h"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "winlogon" = "%Documents and Settings%\%current user%\Application Data\Microsoft\System\Services\winlogon.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "(Default)" = "%Documents and Settings%\%current user%\Application Data\adobe.exe"

    Note that the value named "winlogon" points to the copy dropped under Application Data, not to the genuine %System%\winlogon.exe, which is started by the session manager and never from a Run key. The (Default) value of the Run key is normally unset, so its presence is itself an indicator of this infection.

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts). This report does not list the entries the Trojan added, so remove every non-comment line other than the loopback entry:
    127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
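The following script is an added triage helper and is not part of the Lavasoft report or its analysis system. It checks a text export of the HKCU Run key (as produced by `reg export`) and a copied hosts file for the persistence artefacts named in steps 4 and 5, so the same indicators can be verified on another machine before and after manual removal. The sample inputs are constructed: the user name "user" stands in for %current user%, the "ctfmon.exe" value is a benign control, and the extra hosts line on the reserved `.example` domain is a placeholder because the report does not list the entries the Trojan actually wrote.

```python
"""Added triage helper (not from the Lavasoft report): flag the Run values and
hosts entries this dropper leaves behind, working from plain-text exports."""
import re

# Indicators copied from the removal steps (compared case-insensitively).
KNOWN_DROPPER_PATHS = (
    "\\local settings\\temp\\srchass.exe",
    "\\application data\\microsoft\\system\\services\\winlogon.exe",
    "\\application data\\adobe.exe",
)
# Autoruns launched from these user-writable locations deserve a look.
USER_WRITABLE_DIRS = ("\\local settings\\temp\\", "\\application data\\")

# A .reg value line: "name"="data", @="data" (the (Default) value), or
# "name"=dword:... style data without quotes.
VALUE_RE = re.compile(r'^(?:"([^"]+)"|(@))=(?:"(.*)"|(.*))$')
KEY_RE = re.compile(r"^\[(.+)\]$")


def parse_reg_export(text):
    """Return (key, value_name, data) triples from a .reg export.

    .reg files double every backslash inside quoted data; undo that so the
    paths compare equal to what the registry editor displays.
    """
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            data = m.group(3) if m.group(3) is not None else m.group(4)
            entries.append((key, name, data.replace("\\\\", "\\")))
    return entries


def flag_run_entries(entries):
    """Return (name, data, reasons) for suspicious values under ...\\CurrentVersion\\Run."""
    flagged = []
    for key, name, data in entries:
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        low, reasons = data.lower(), []
        if any(p in low for p in KNOWN_DROPPER_PATHS):
            reasons.append("path matches a file dropped by this sample")
        if name.lower() == "winlogon":
            # The genuine winlogon.exe is started by the session manager,
            # never via a Run value, so the name is a masquerade.
            reasons.append("'winlogon' is never a legitimate Run value")
        if name == "(Default)":
            reasons.append("Run key's (Default) value is normally unset")
        if any(d in low for d in USER_WRITABLE_DIRS):
            reasons.append("launches from a user-writable directory")
        if reasons:
            flagged.append((name, data, reasons))
    return flagged


def hosts_extra_entries(hosts_text):
    """Return every active hosts line other than the loopback localhost entry."""
    extra = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] in ("127.0.0.1", "::1") and parts[1:] == ["localhost"]:
            continue
        extra.append(" ".join(parts))
    return extra


# Constructed sample: the HKCU Run key exported after infection, plus the
# benign ctfmon.exe value as a control. "user" stands in for %current user%.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\Documents and Settings\\user\\Application Data\\adobe.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"urlspace"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\srchass.exe -h"
"winlogon"="C:\\Documents and Settings\\user\\Application Data\\Microsoft\\System\\Services\\winlogon.exe"
"""

# Constructed hosts file: the report does not list what the Trojan added,
# so the extra line is a placeholder on a reserved TLD.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       update.example    # placeholder, not from the report
"""


def triage(reg_text=SAMPLE_REG, hosts_text=SAMPLE_HOSTS):
    """Run both checks and return the findings."""
    return {
        "run_values": flag_run_entries(parse_reg_export(reg_text)),
        "hosts_extra": hosts_extra_entries(hosts_text),
    }


if __name__ == "__main__":
    result = triage()
    for name, data, reasons in result["run_values"]:
        print("Run value %r -> %s\n    %s" % (name, data, "; ".join(reasons)))
    for line in result["hosts_extra"]:
        print("hosts: unexpected entry:", line)
```

On a live machine, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and a copy of %System%\drivers\etc\hosts are the only inputs needed; the script deliberately does not touch the registry itself, so the deletions in step 4 remain a deliberate manual action after the findings have been reviewed.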
