Trojan-PSW.Win32.Fareit_1424df189c

by malwarelabrobot on December 23rd, 2013 in Malware Descriptions.

Trojan.Win32.Cutwail.cex (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan-PSW.Win32.Fareit.FD, TrojanPSWFareit.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 1424df189cf82cd21e6929eefb0da760
SHA1: b6074ec4d83da36da521931c917fbe844c3ed511
SHA256: 2c49b300b7b6a69f897f1b0bbc0ae894035c4367aa6149a894687da203b2f53a
SSDeep: 768:iIdb VltyLTE9gDNgpvfxyRpigLVhKtXaXo4CK9:iIsRcIeDNgLyKgLVhKtl4b9
Size: 38400 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2008-11-02 19:13:23
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-PSW: a Trojan program intended to steal users' passwords.

Payload

No specific payload has been found.

Process activity

The following processes were observed starting during the analysis run (name:PID):

Reader_sl.exe:1064
wuauclt.exe:344
jusched.exe:1056

By name these are the Adobe Reader speed launcher, the Windows Update client and the Java Update Scheduler, which start on their own in a stock Windows XP installation; the analysis system attributes them to the sample, but they may well be background activity of the analysis image rather than processes the Trojan launched.

The Trojan-PSW injects its code into the following process(es):

%original file name%.exe:1572

The target is an instance of the sample's own executable: the file is packed (see the Entropy and PEiD fields above), and the packed outer layer writes the unpacked payload into an image of itself, so PID 1572 is the process in which the actual payload ran.

File activity

The process wuauclt.exe:344 makes changes in the file system. The files it writes are the Windows Update client's own ESE database and transaction log rather than files belonging to the Trojan:

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Trojan-PSW deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process %original file name%.exe:1572 makes changes in the file system. Apart from the copy of itself dropped into the root of the user profile (jyrvicewyxmu.exe) and the CryptoAPI key container written under Application Data\Microsoft\Crypto\RSA, the entries below are the browser cache pages and cookies that WinINet wrote while the sample fetched the sites listed under Network activity.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\teasing-video[1].htm (1542 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\vandeks[1].htm (257 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\sydney[1].htm (357 bytes)
%Documents and Settings%\%current user%\jyrvicewyxmu.exe (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\urantiaproject[1].htm (756 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\hostphd.com[1].htm (24 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[1].txt (1085 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\theprintinghouseltd.co[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\empordalia[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\trinity-works[1].htm (16 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigtopmultimedia[1].txt (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\403[1].htm (4 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sdlp[1].txt (214 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (251 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\suspendedpage[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\unitedearthgroup[1].htm (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@starmedia[1].txt (223 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@goodvaluecenter[1].txt (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\sortedorganizing[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\aciuba.com[1].htm (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\sun-ele.co[1].htm (12 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@plus[1].txt (214 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@appelfarm[1].txt (225 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (235 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (881 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\solutioncorp[1].htm (4184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\robertmcintyre.com[1].htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\cath4choice[1].htm (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\shipeliteexpress[1].htm (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\combine.or[1].htm (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@altonhousehotel[1].txt (237 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@glmghotels[1].txt (227 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ctr4process[1].txt (230 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (214 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@traderush[1].txt (268 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[1].txt (175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\coketh[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\shs-sales.co[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\sarpy[1].htm (20 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[2].txt (317 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\cksglobal[1].htm (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\enzoyrodrigo.com[1].htm (586 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (20720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\lexjuridica[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\index[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\wkhk[1].htm (1832 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[2].txt (358 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (239 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\theprintinghouseltd.co[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\vandeks[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\robertmcintyre.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\cath4choice[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\aciuba.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\unitedearthgroup[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\cksglobal[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\combine.or[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\hostphd.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\shs-sales.co[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\sarpy[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\lexjuridica[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\trinity-works[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\sun-ele.co[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\enzoyrodrigo.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\index[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\empordalia[1].htm (0 bytes)

The process jusched.exe:1056 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)

Registry activity

The process Reader_sl.exe:1064 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:1572 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"2312304364" = "DD 07 0C 00 00 00 16 00 08 00 0B 00 2B 00 6A 03"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"jyrvicewyxmuzap" = "C2 9A 72 4A 22 F9 D1 A9 F4 CC A4 7C 54 2C 04 DB"

"AppManagement" = "23 FA D2 AA 82 5A 32 7D 55 2D 05 DC B4 8C 64 3C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 88 78 14 FC 13 C1 23 DD 77 1C 75 6F 73 B2 79"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

To run again at each user logon, the Trojan-PSW registers the copy it dropped into the user profile (the same random name recurs in the "jyrvicewyxmuzap" value listed above) under the per-user autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"jyrvicewyxmu" = "%Documents and Settings%\%current user%\jyrvicewyxmu.exe"

The following Internet Explorer zone-map values were set. All three correspond to options of the Local intranet zone, and WinINet commonly writes them when it initialises a profile's Internet settings, so on their own they are weak evidence of deliberate tampering:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1" (include all network paths (UNCs) in the Local intranet zone)
"ProxyBypass" = "1" (include all sites that bypass the proxy server in the Local intranet zone)
"IntranetName" = "1" (include all local (intranet) sites not listed in other zones)

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
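The binary values in the registry section are printed by the analysis system as raw hex. The following added example (the editor's, not part of the Lavasoft report) decodes them: the 16-byte value under the numeric name "2312304364" is read as a Win32 SYSTEMTIME, which yields 22 December 2013 08:11:43, the day before this report was published, while the two other 16-byte values do not decode as dates; SavedLegacySettings is read as a WinINet connection-settings header whose flags word of 1 means a direct connection, matching ProxyEnable = 0. Both structure layouts are the editor's interpretation of documented Windows structures, not something the report states.

```python
"""Decode the binary registry values listed in the report above.

Added example for this page, not code from the Lavasoft report.  The hex
strings are copied from the registry section; reading "2312304364" as a
Win32 SYSTEMTIME and SavedLegacySettings as a WinINet connection-settings
header (DWORD header, DWORD change counter, DWORD INTERNET_PER_CONN_FLAGS)
is the editor's interpretation, not a statement of the report.
"""
import struct
from datetime import datetime

# Values exactly as the report prints them: space-separated hex bytes.
REPORT_VALUES = {
    "2312304364": "DD 07 0C 00 00 00 16 00 08 00 0B 00 2B 00 6A 03",
    "jyrvicewyxmuzap": "C2 9A 72 4A 22 F9 D1 A9 F4 CC A4 7C 54 2C 04 DB",
    "AppManagement": "23 FA D2 AA 82 5A 32 7D 55 2D 05 DC B4 8C 64 3C",
    "SavedLegacySettings": "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00",
}


def hex_to_bytes(text):
    """Turn the report's "DD 07 0C ..." notation into raw bytes."""
    return bytes.fromhex(text.replace(" ", ""))


def decode_systemtime(raw):
    """Interpret 16 bytes as a SYSTEMTIME: eight little-endian WORDs
    (year, month, day-of-week, day, hour, minute, second, milliseconds).
    Returns a datetime, or None when the fields do not form a real date,
    which is how opaque 16-byte blobs are told apart from timestamps."""
    if len(raw) != 16:
        return None
    year, month, dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    try:
        dt = datetime(year, month, day, hour, minute, second, ms * 1000)
    except ValueError:
        return None
    # SYSTEMTIME counts Sunday as 0; datetime.weekday() counts Monday as 0.
    if (dt.weekday() + 1) % 7 != dow:
        return None
    return dt


# INTERNET_PER_CONN_FLAGS bits carried in the third DWORD of the blob.
PROXY_FLAGS = (
    (0x1, "direct"),
    (0x2, "proxy"),
    (0x4, "autoconfig-url"),
    (0x8, "autodetect"),
)


def decode_connection_settings(raw):
    """Read the header of a SavedLegacySettings blob.  flags == 1 means a
    direct connection with no proxy, which is what ProxyEnable = 0 says."""
    header, counter, flags = struct.unpack_from("<3I", raw, 0)
    modes = [name for bit, name in PROXY_FLAGS if flags & bit]
    return {"header": header, "counter": counter, "flags": flags, "modes": modes}


def triage_values(values):
    """Label each value as a decodable timestamp, the proxy header, or opaque."""
    result = {}
    for name, text in values.items():
        raw = hex_to_bytes(text)
        if name == "SavedLegacySettings":
            result[name] = ("connection-settings", decode_connection_settings(raw))
            continue
        ts = decode_systemtime(raw)
        result[name] = ("timestamp", ts) if ts else ("opaque", raw.hex())
    return result


if __name__ == "__main__":
    for name, (kind, value) in triage_values(REPORT_VALUES).items():
        print(f"{name:20} {kind:20} {value}")
```

The day-of-week cross-check matters: any 16 random bytes whose first WORDs happen to fall within calendar ranges would otherwise pass as a date, and the two values that stay "opaque" here (the random-named one and "AppManagement") are the ones worth treating as the sample's own state rather than as OS bookkeeping.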

Network activity (URLs)

URLs the sample requested during the run, with the address the analysis system recorded for each (no address means none was recorded):

URL IP
hxxp://upsilon89.com/ 151.236.48.69
hxxp://myfilecenter.com/ 66.33.213.228
hxxp://mattiussiecologia.com/ 95.110.200.253
hxxp://cabooseonline.com/ 192.138.20.228
hxxp://totalearthcare.com.au/ 108.162.193.154
hxxp://agence-des-druides.com/ 213.186.33.3
hxxp://saios.net/ 157.7.184.19
hxxp://mandi-man.com/ 210.172.144.61
hxxp://denville.ca/ 204.11.237.35
hxxp://shs-sales.co.uk/ 193.36.43.104
hxxp://solutioncorp.com/ 209.208.32.245
hxxp://brookfarm.com.au/ 116.251.204.207
hxxp://nuritech.com/ 222.239.78.139
hxxp://combine.or.id/ 202.162.33.14
hxxp://servico-ind.com/ 85.159.56.120
hxxp://xing-group.com/ 59.106.165.171
hxxp://trinity-works.com/ 219.94.206.70
hxxp://servico-ind.com/index.asp
hxxp://vandeks.com/ 144.76.86.115
hxxp://skaner.com.pl/ 109.234.111.40
hxxp://teasing-video.com/ 99.192.154.182
hxxp://churchsupplies.net/ 66.232.99.164
hxxp://naijagurus.com/ 192.64.112.193
hxxp://areafor.com/ 185.2.130.31
hxxp://sortedorganizing.com/ 74.220.199.6
hxxp://digpro.se/ 89.221.250.12
hxxp://cbsprinting.com.au/ 141.101.116.74
hxxp://sspackaginggroup.com/ 182.50.130.36
hxxp://cath4choice.org/ 76.12.228.8
hxxp://urantiaproject.com/ 69.94.124.47
hxxp://glmghotels.com/ 141.101.116.108
hxxp://y8k6h.x.incapdns.net/
hxxp://optiver.com.au/ 217.195.114.124
hxxp://cksglobal.net/ 185.21.133.34
hxxp://aciuba.com.br/ 186.249.220.203
hxxp://wkhk.net/ 203.189.104.242
hxxp://www.optiver.com/sydney/ 217.195.124.19
hxxp://starmedia.ca/ 141.101.125.75
hxxp://agrarno.ru/ 178.63.17.213
hxxp://bigtopmultimedia.com/ 108.162.198.246
hxxp://plus.ba/ 141.101.116.246
hxxp://altonhousehotel.com/ 108.162.205.109
hxxp://lognetic.com/ 78.47.37.140
hxxp://geodecisions.com/ 216.174.25.93
hxxp://penavision.co.in/ 174.136.57.160
hxxp://stop-ddos.me/ 195.22.26.252
hxxp://merceorti.com/ 80.93.92.146
hxxp://christybarry.com/ 66.49.139.143
hxxp://christybarry.com/cgi-sys/suspendedpage.cgi
hxxp://tessera.co.jp/ 210.150.6.88
hxxp://sdlp.ie/ 141.101.117.223
hxxp://goodvaluecenter.com/ 108.162.201.140
hxxp://buzzkillmedia.com/ 173.201.140.128
hxxp://asterisk.com.sg/ 211.25.3.196
hxxp://hostphd.com.br/ 192.196.156.73
hxxp://beechwoodmetalworks.com/ 69.163.135.152
hxxp://ctr4process.org/ 108.162.204.164
hxxp://acicinvestor.ca/ 207.150.203.36
hxxp://s2s.fr/ 195.64.165.29
hxxp://asj.co.jp/ 219.118.206.4
hxxp://istanbultarim.com.tr/ 108.162.198.72
hxxp://fleshercorp.com/ 64.111.24.104
hxxp://rea-soft.ru/ 78.47.135.34
hxxp://ctr4process.org/403.shtml
hxxp://tvndra.net/ 91.216.141.46
hxxp://ryumachi-jp.com/ 111.68.174.253
hxxp://toddpipe.com/ 173.247.243.173
hxxp://shakeyspizza.ph/ 66.135.32.56
hxxp://marcusgrimes.co.uk/ 109.74.242.160
hxxp://sun-ele.co.jp/ 210.169.184.168
hxxp://unslp.edu.bo/ 50.28.58.0
hxxp://coketh.com/ 59.106.13.131
hxxp://sarpy.com/ 66.37.225.130
hxxp://youjoomla.com/ 69.65.11.200
hxxp://victoria.com.pl/ 89.161.158.128
hxxp://robertmcintyre.com.au/ 199.73.58.66
hxxp://nasz-sklep.pl/ 91.192.164.134
hxxp://vanguardpkg.com/ 50.62.115.1
hxxp://authentica-travel.com/ 68.168.112.98
hxxp://shipeliteexpress.com/ 67.59.133.211
hxxp://avant-ime.com/ 188.121.45.218
hxxp://empordalia.com/ 5.56.61.199
hxxp://racknstackwarehouse.com.au/ 141.101.117.200
hxxp://appelfarm.org/ 108.162.205.115
hxxp://tutuji-saitama.com/ 157.7.160.37
hxxp://link-list-uk.com/ 91.109.14.224
hxxp://sztartufi.com/ 95.110.192.171
hxxp://theprintinghouseltd.co.uk/ 46.20.228.113
hxxp://unitedearthgroup.com/ 213.171.195.105
hxxp://mastechn.com/ 64.207.148.243
hxxp://automa.it/ 95.110.195.52
hxxp://enzoyrodrigo.com.br/ 216.245.218.146
hxxp://etcycles.com/ 68.171.36.109
hxxp://hinnenwiese.de/ 85.13.135.246
hxxp://isle-karnataka.org/ 209.99.40.223
hxxp://careerstodaycanada.com/ 76.77.71.5
hxxp://ezmedi.com/ 218.150.78.243
hxxp://calvarycemeterydayton.org/ 198.1.91.2
hxxp://csmbc.org/ 149.47.157.224
hxxp://caeweb.com/ 204.152.118.133
hxxp://lexjuridica.com/ 176.28.103.205
hxxp://rt-printing.com/ 69.94.108.207
hxxp://cromwellharbor.com/ 173.45.246.222
hxxp://cfgreaterjackson.org/ 12.108.68.136
hxxp://trivax.com/ 216.172.104.2
hxxp://arpeges.org/ 88.190.216.198
hxxp://coe.pku.edu.cn/ 162.105.5.245
hxxp://constancehotels.com/ 46.21.202.14
hxxp://e-ciencia.com/ 46.105.32.97
hxxp://syntrinsic.com/ 69.16.192.61
hxxp://easytrip.net/ 216.154.212.124
hxxp://ask-romein.com/ 185.30.205.148
hxxp://dataweave.com.au/ 208.113.174.41
hxxp://moshk.com/ 46.165.224.57
hxxp://vivawebinternet.com.br/ 208.113.185.210
hxxp://5-market.com/ 210.172.144.179
hxxp://mojos.com/ 216.171.235.189
hxxp://mtrx.net/ 72.55.184.109
hxxp://mediadevelopment.com/ 66.35.84.54
hxxp://omikrondokk.hu/ 81.0.69.163
hxxp://lavozdelared.net/ 217.160.7.132
hxxp://dicre.com/ 203.189.104.227
hxxp://gocommunications.ch/ 91.193.21.190
hxxp://cabv.com/ 46.105.111.215
hxxp://imperiumhomes.com/ 200.58.114.10
hxxp://392430.com/ 219.94.128.96
hxxp://solutiodesign.com/ 64.14.68.156
hxxp://petairusa.com/ 85.234.137.80
hxxp://dialadinner.com.hk/ 122.128.107.29
hxxp://slow-db.com/ 59.106.166.251
hxxp://atlantis-shisui.com/ 210.172.144.246
hxxp://cvswl.org/ 216.35.196.47
hxxp://bangertcomputer.com/ 64.13.232.135
hxxp://aedsrl.it/ 85.94.217.210
hxxp://bedfordlaw.com/ 69.27.119.9
hxxp://ans-service.com/ 67.227.252.139
hxxp://3moulins.com/ 80.74.64.7
hxxp://olganon.org/ 198.143.166.17
hxxp://roselani.com/ 72.52.242.220
hxxp://mail.kanglin.com.tw/ 211.75.193.131
hxxp://toyotafound.or.jp/ 202.218.52.67
hxxp://alpes-campings.com/ 94.247.180.34
hxxp://atlasztravel.hu/ 195.70.57.6
hxxp://putujemouevropu.org/ 46.22.145.53
hxxp://jidoucenter.com/ 211.133.134.82
hxxp://poyrazoto.com.tr/ 37.230.104.123
hxxp://ramybrook.com/ 208.86.153.246
hxxp://searrp.org/ 103.6.196.150
hxxp://palmbeachbeaute.com/ 108.174.158.213
hxxp://camphillscotland.org.uk/ 62.255.174.64
hxxp://thlabel.com/ 114.80.156.67
hxxp://capacitacionypnd.com/ 69.64.81.51
hxxp://aschroofing.com/ 184.168.46.66
hxxp://slakes.net/ 72.29.68.107
hxxp://bradleybray.com.au/ 203.143.82.28
hxxp://reflex.com.pl/ 62.129.214.85
hxxp://watermaticcoolers.com/ 67.227.138.16
hxxp://kitchencollage.com/ 67.225.214.101
hxxp://schuster-treppen.de/ 212.227.54.147
hxxp://worldtourism.com.au/ 203.144.4.66
hxxp://maybellecarter.com/ 198.20.250.199
hxxp://cimtech.ca/ 168.144.87.138
hxxp://saweightlosscenter.com/ 50.28.84.225
hxxp://mjfdesigns.com/ 94.23.11.23
hxxp://hotelkunlun.com/ 119.31.233.123
hxxp://acuprint.com/ 216.35.197.49
hxxp://aandporchids.com/ 216.30.187.127
hxxp://koeppl.com/ 178.77.96.167
hxxp://rokayfloral.com/ 67.212.167.194
hxxp://technicorp.co.cr/ 67.210.101.185
hxxp://earthworks-j.com/ 211.1.224.76
hxxp://rabinco.com.my/ 202.75.53.90
hxxp://iberclean.com/ 198.58.86.155
hxxp://saudireadymix.com.sa/ 216.55.98.216
hxxp://invertek.co.uk/ 109.228.11.78
hxxp://minority-inc.com/ 180.222.182.167
hxxp://norm-fasteners.com.tr/ 78.129.226.93
hxxp://peralesaguiar.com.ar/ 200.58.107.237
hxxp://exo2.co.uk/ 87.117.239.204
hxxp://internationalcabinets.com.au/ 66.244.147.199
hxxp://rentinmarin.com/ 199.59.58.68
hxxp://uwlowcountry.org/ 69.64.77.63
hxxp://dpmsystems.com/ 67.225.236.114
hxxp://insulationaustralia.com.au/ 118.127.40.56
hxxp://uhren-schmuckhaus-moeckel.de/ 83.169.16.130
hxxp://easy-networx.de/ 217.91.166.9
hxxp://chicanofederation.org/ 66.240.194.76
hxxp://imsa.com.ar/ 5.9.198.70
hxxp://solustan.com/ 64.13.192.118
hxxp://agro-trans.biz/ 217.96.23.27
hxxp://luksus.net.pl/ 195.238.166.18
hxxp://monsoybenet.com/ 85.214.148.76
hxxp://provang.com/ 204.27.61.50
hxxp://gvcustomsoftware.com.au/ 111.223.234.21
hxxp://telemkting.com/ 184.107.156.250
hxxp://isisgroup.co.uk/ 80.88.198.8
hxxp://adaptworkforce.com/ 217.19.254.22
hxxp://businessengineers.de/ 217.110.123.146
hxxp://admik.ru/ 46.4.196.154
hxxp://autocidade.com.br/ 67.19.82.226
hxxp://alshares.com/ 37.58.82.167
hxxp://thevelvetstore.com/ 74.121.236.92
hxxp://diving-bg.com/ 91.196.124.63
hxxp://tinnitus.se/ 89.221.250.20
hxxp://rokyu.net/ 49.212.34.96
hxxp://newfocas.co.uk/ 46.20.227.248
hxxp://ohnosha.co.jp/ 203.145.245.160
hxxp://progir.com/ 81.25.121.212
hxxp://cpi.com.ar/ 69.25.136.17
hxxp://waco-cccc.com/ 68.171.34.203
hxxp://inglett-stubbs.com/ 70.32.68.171
hxxp://sankalpplacement.com/ 216.55.136.132
hxxp://ekahosting.com/ 72.44.94.117
hxxp://marinescape.co.nz/ 119.47.118.89
hxxp://mc-integ.co.uk/ 149.255.63.116
hxxp://afsservice.com/ 216.55.143.63
hxxp://rdidiamonds.com/ 67.151.215.130
hxxp://ipoaonline.org/ 70.32.68.135
hxxp://littleblue.com/ 92.48.127.198
hxxp://computerlogicdirect.com/ 208.78.155.38
hxxp://plubiz.com/ 91.121.36.93
hxxp://oremc.com/ 137.118.32.114
hxxp://rmslive.com/ 217.114.175.80
hxxp://ibntel.com/ 68.178.158.24
hxxp://roulottesdecampagne.com/ 178.33.106.197
hxxp://sps-jia.cz/ 195.113.221.6
hxxp://snowboardweb.net/ 210.172.144.27
hxxp://dtc-telecom.co.uk/ 37.61.234.11
hxxp://musawa.ps/ 174.46.134.54
hxxp://marcanthony.com/ 199.103.61.58
hxxp://pluto.com.au/ 27.131.73.214
hxxp://unitrix.sk/ 37.9.170.179
hxxp://narsaria.com/ 174.142.222.216
hxxp://korsil.ru/ 77.246.146.106
hxxp://ray-jp.com/ 219.94.203.112
hxxp://gazdic.com/ 209.41.133.210
hxxp://zanyhost.com/ 108.60.130.154
hxxp://dominos.co.id/ 202.169.44.158
hxxp://goodwins-removals.com/ 84.39.115.126
hxxp://3int.net/ 149.126.96.164
hxxp://tacsa.ws/ 64.150.187.245
hxxp://aozoramame.com/ 211.1.227.93
hxxp://mortgageleads.com/ 184.105.209.117
hxxp://247petreturn.com/ 67.211.47.40
hxxp://safedoormatic.com/ 202.91.240.67
hxxp://casino-top.net/ 94.23.75.101
hxxp://tomgegax.com/ 69.163.184.244
hxxp://fsesudmuntenia.ro/ 128.140.230.196
hxxp://efoa.org/ 94.107.192.101
hxxp://sagsheriff.com/ 198.7.59.141
hxxp://carteluz.com.ar/ 200.58.120.9
hxxp://the-marketing-company.at/ 78.138.92.184
hxxp://lelund.com/ 65.60.53.221
hxxp://locbem.com.br/ 199.48.164.230
hxxp://nnppd.com/ 64.177.91.97
hxxp://neaco.co.uk/ 62.255.174.104
hxxp://werta.net/ 87.120.40.16
hxxp://magnatekenterprises.com/ 75.119.192.177
hxxp://hwplan.org/ 216.26.168.132
hxxp://ashleyquinncpas.com/ 206.51.225.190

Hostnames the sample resolved during the run, with the recorded address; "Unresolvable" means the lookup failed. Results of 127.0.0.1, 192.168.x.x and 0.0.0.0 are loopback, private or unspecified addresses that cannot have led to a connection from the analysis system. The list also contains the mail exchangers of large providers (aspmx.l.google.com, mxs.mail.ru, smtp.live.com, pphosted.com), which is consistent with the Kaspersky detection name Trojan.Win32.Cutwail.cex given above, Cutwail being a spam bot.

Hostname IP
maki-hs.com 203.137.80.208
counsellingpsychotherapytoronto.com 173.236.125.2
alt1.aspmx.l.google.com 216.239.34.10
authoritative.net 66.33.213.228
ns10.worldnic.com 206.188.199.44
kurecci.or.jp 119.245.143.88
dns.other-world.com 204.11.64.5
in1.smtp.messagingengine.com 66.111.4.71
www.traderush.com 199.83.132.93
bluecolash.com 213.239.215.247
s-style.co.jp 209.238.128.37
www.myfilecenter.com 66.33.213.228
ibcd.com.br 192.168.0.1
pekachemie.com 213.217.60.186
limaingenieriayconstruccion.com 192.254.143.157
vitalur.by 178.159.246.76
mxs.mail.ru 94.100.176.20
www.avant-ime.com 188.121.45.218
norakuroya.com 175.45.136.72
alt4.gmail-smtp-in.l.google.com 74.125.136.26
audio-direkt.net 127.0.0.1
www.servico-ind.com 85.159.56.120
natvideo.com 208.122.223.237
doggybag.org 62.193.211.35
atanor.ru 82.138.1.142
allaroundbouncing.com 66.241.231.114
gmail-smtp-in.l.google.com 74.125.142.26
ecotechsystem.com 93.93.200.130
hpp-services.com 127.0.0.1
born-club.com 37.140.192.111
aethora.com 67.207.143.253
www.trinity-works.com 219.94.206.70
craigrichards.com 67.228.168.156
iwantsex.org 178.32.60.125
nataliecurtiss.com 192.168.100.1
konishi-hp.com 122.219.254.148
ns-fra.proofpoint.com 62.209.50.50
tenpole.com 127.0.0.1
pro-networks.co.uk 109.73.165.20
mxa-00105401.gslb.pphosted.com 208.84.67.208
vivare.nl 89.105.202.47
gjk.com.pl 148.81.111.98
ns87.hostia.name 213.155.29.186
www.cbsprinting.com.au 141.101.116.74
www.solutioncorp.com 209.208.32.245
www.beechwoodmetalworks.com 69.163.135.152
tokushima-med.jrc.or.jp 180.37.239.56
www.ctr4process.org 108.162.203.164
theartofhair.com 0.0.0.0
agrohorizonte.com.ar 201.253.108.68
www.wkhk.net 203.189.104.242
mx.directgroup.org 83.220.44.51
bredainternet.nl 127.0.0.1
blagotvoritel.org 87.120.6.182
www.saios.net 157.7.184.19
iaiglobal.or.id 49.50.8.93
fineartsassociation.org 70.33.214.138
mail7.digitalwaves.co.nz 127.0.0.1
iwamoto-hiroyoshi.com 210.172.144.61
aspmx4.googlemail.com 173.194.78.26
smtp.live.com 65.55.162.200
www.vanguardpkg.com 50.62.115.1
bospianoservice.nl 195.211.73.89
trenpalau.com Unresolvable
aspmx3googlemail.com Unresolvable
pointopines.com Unresolvable
nichedictionary.com Unresolvable
aspmx2.googlemail.com Unresolvable
aspmx.l.google.com Unresolvable
meubles-jacquelin.com Unresolvable
meridies.org Unresolvable
manuyantralaya.com Unresolvable
alt2.aspmx.l.google.com Unresolvable
toutenmeuse.com Unresolvable
hoyuu.com Unresolvable
aspmx5.googlemail.com Unresolvable
hifuken.com Unresolvable
mxb-00105401.gslb.pphosted.com Unresolvable
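Lists like the one above are only useful once the entries that could never have produced a connection are separated from the ones that could, and once hosts sharing an address are grouped for pivoting. The following added example (the editor's, not part of the Lavasoft report) does that over a constructed subset of rows copied from the table; the only assumption is the table's own layout of a defanged URL or bare hostname followed, optionally, by an address or the word "Unresolvable".

```python
"""Triage the report's Network activity table.

Added example for this page, not code from the Lavasoft report.  SAMPLE_LINES
is a constructed subset of rows copied from the table above.
"""
import ipaddress
from urllib.parse import urlsplit

SAMPLE_LINES = """\
hxxp://upsilon89.com/ 151.236.48.69
hxxp://myfilecenter.com/ 66.33.213.228
hxxp://servico-ind.com/index.asp
hxxp://y8k6h.x.incapdns.net/
alt1.aspmx.l.google.com 216.239.34.10
authoritative.net 66.33.213.228
www.myfilecenter.com 66.33.213.228
ibcd.com.br 192.168.0.1
audio-direkt.net 127.0.0.1
theartofhair.com 0.0.0.0
trenpalau.com Unresolvable
"""


def parse_line(line):
    """Split one table row into (kind, host, address-or-None)."""
    parts = line.split()
    if not parts:
        return None
    first, addr = parts[0], (parts[1] if len(parts) > 1 else None)
    if first.lower().startswith("hxxp://"):
        # Re-arm the defanged scheme only so urlsplit can isolate the host.
        host = urlsplit("http://" + first[len("hxxp://"):]).hostname
        return ("url", host, addr)
    return ("host", first.lower(), addr)


def classify_address(addr):
    """Bucket an address by whether a real connection could have reached it."""
    if addr is None:
        return "no-address"
    if addr.lower() == "unresolvable":
        return "unresolved"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "malformed"
    if (ip.is_unspecified or ip.is_loopback or ip.is_private
            or ip.is_link_local or ip.is_multicast or ip.is_reserved):
        return "non-routable"
    return "routable"


def triage(text):
    """Group hostnames by address class, keeping first-seen order."""
    buckets = {k: [] for k in
               ("routable", "non-routable", "unresolved", "no-address", "malformed")}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, host, addr = rec
        bucket = buckets[classify_address(addr)]
        if host not in bucket:
            bucket.append(host)
    return buckets


def hosts_by_address(text):
    """Pivot: distinct hostnames that resolved to the same routable address."""
    table = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or classify_address(rec[2]) != "routable":
            continue
        table.setdefault(rec[2], set()).add(rec[1])
    return {ip: sorted(hosts) for ip, hosts in table.items() if len(hosts) > 1}


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_LINES).items():
        print(f"{bucket:13} {hosts}")
    print("shared addresses:", hosts_by_address(SAMPLE_LINES))
```

Hostnames in the "non-routable" and "unresolved" buckets are still worth keeping as indicators, since a parked domain can be pointed at a live host again; what the classification tells you is which addresses are safe to drop from a block list without losing anything.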


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    wuauclt.exe:344

    Note that wuauclt.exe is the name of the Windows Update client; on an infected machine the process to look for is the dropped copy %Documents and Settings%\%current user%\jyrvicewyxmu.exe, which the autorun value under [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] starts at logon.

  2. Delete the original Trojan-PSW file and the dropped copy %Documents and Settings%\%current user%\jyrvicewyxmu.exe, then remove the autorun value "jyrvicewyxmu" under [HKCU\Software\Microsoft\Windows\CurrentVersion\Run].
  3. Delete or disinfect the following files created/modified by the Trojan-PSW (the Windows Update DataStore files and the Temporary Internet Files and Cookies entries are cache and database files of Windows components rather than malware code, so removing them is not required for disinfection):

    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\teasing-video[1].htm (1542 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\vandeks[1].htm (257 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\sydney[1].htm (357 bytes)
    %Documents and Settings%\%current user%\jyrvicewyxmu.exe (38 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\urantiaproject[1].htm (756 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\hostphd.com[1].htm (24 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[1].txt (1085 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\theprintinghouseltd.co[1].htm (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\empordalia[1].htm (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\trinity-works[1].htm (16 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@bigtopmultimedia[1].txt (239 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (241 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\403[1].htm (4 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@sdlp[1].txt (214 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (251 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\suspendedpage[1].htm (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\unitedearthgroup[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@starmedia[1].txt (223 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@goodvaluecenter[1].txt (237 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\sortedorganizing[1].htm (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\aciuba.com[1].htm (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\sun-ele.co[1].htm (12 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@plus[1].txt (214 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@appelfarm[1].txt (225 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (235 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (881 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\solutioncorp[1].htm (4184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\robertmcintyre.com[1].htm (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHCTSNI3\cath4choice[1].htm (33 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IFWNIZW9\shipeliteexpress[1].htm (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\combine.or[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@altonhousehotel[1].txt (237 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@glmghotels[1].txt (227 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@ctr4process[1].txt (230 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (214 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@traderush[1].txt (268 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[1].txt (175 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\coketh[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\shs-sales.co[1].htm (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\sarpy[1].htm (20 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[2].txt (317 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\cksglobal[1].htm (31 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2J4LCDS9\enzoyrodrigo.com[1].htm (586 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (20720 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\lexjuridica[1].htm (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\index[1].htm (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZWRQVUZ\wkhk[1].htm (1832 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[2].txt (358 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (239 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "jyrvicewyxmu" = "%Documents and Settings%\%current user%\jyrvicewyxmu.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
