Trojan-PSW.Win32.Fareit_2bad0ff098

by malwarelabrobot on December 18th, 2013 in Malware Descriptions.

Trojan.Win32.Cutwail.cfc (Kaspersky), Trojan-PSW.Win32.Fareit.FD, TrojanPSWFareit.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: 2bad0ff09870ff5f36b7e36bc4e3f01f
SHA1: c10d32a3fbfb5c87d02bf4ab9a723fff62111b2b
SHA256: c4ca4e69090043e88342521ac6a13f2a67c3c18872a8270cfd21e99c2caabf27
SSDeep: 768:RPrJP6jDA9Vv N0xbn4t7p6usoF36XEOR0Of:RVPCDAm0xb27pFs0KXEOR0Of
Size: 38400 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: SummerSoft
Created at: 2008-12-09 23:07:24
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

No specific payload has been found.

Process activity

The Trojan-PSW creates the following process(es):
No processes have been created.
The Trojan-PSW injects its code into the following process(es):

%original file name%.exe:1808

File activity

The process %original file name%.exe:1808 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\theprintinghouseltd.co[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\enzoyrodrigo.com[1].htm (586 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[1].txt (175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@stepnet[1].txt (219 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ricated[1].htm (260 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\empordalia[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\easygen[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\mojacar-vacaciones[1].htm (876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\cath4choice[1].htm (27 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (241 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@screaminpeach[1].txt (233 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (251 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\sydney[1].htm (357 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigjohnsbeefjerky[1].txt (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\shs-sales.co[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\sun-ele.co[1].htm (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\aciuba.com[1].htm (73 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@area72aa[1].txt (210 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\brijindia[1].htm (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\robertmcintyre.com[1].htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\ginalimo[1].htm (15 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@goodvaluecenter[1].txt (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\violadagamba[1].htm (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\le-mariage[1].htm (19 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@telenavis[1].txt (225 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sarahdavid[1].txt (227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\fraser-high.school[1].htm (759 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (793 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@golfpark-moossee[1].txt (281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\easygen[1].htm (13 bytes)
%Documents and Settings%\%current user%\cafxascijanu.exe (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\robertmcintyre.com[1].htm (14 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@altonhousehotel[1].txt (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\wkhk[1].htm (1832 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@traderush[1].txt (270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\robertmcintyre.com[2].htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ryumachi-jp[1].htm (10 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@4pipp[1].txt (217 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msasys[1].txt (206 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\mibsga[1].htm (1100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\eygwindows.co[1].htm (1755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\churchclothes[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\frederickallergy[1].htm (15 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@wsipowerontheweb[1].txt (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\bigtopmultimedia[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ixtractor[1].htm (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (19756 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\kamaruka.vic.edu[1].htm (30 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@westhillsstl[1].txt (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\redconeretreat[1].htm (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\sortedorganizing[1].htm (4 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ulcndsu[1].txt (221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\teasing-video[1].htm (1055 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[2].txt (358 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\trinity-works[1].htm (16 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\theprintinghouseltd.co[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\enzoyrodrigo.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\robertmcintyre.com[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\empordalia[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ricated[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\easygen[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\cath4choice[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\shs-sales.co[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\brijindia[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\ginalimo[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\easygen[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\robertmcintyre.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ryumachi-jp[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\aciuba.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\violadagamba[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\churchclothes[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\frederickallergy[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\bigtopmultimedia[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\sun-ele.co[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\robertmcintyre.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\kamaruka.vic.edu[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\le-mariage[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\redconeretreat[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\racknstackwarehouse.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\trinity-works[1].htm (0 bytes)

Registry activity

The process %original file name%.exe:1808 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"2312304364" = "DD 07 0C 00 02 00 11 00 03 00 2E 00 0E 00 FF 01"

"AppManagement" = "B5 1A 65 3D 15 EC C4 9C 74 4C 97 6F 47 1F F6 CE"
"cafxascijanuzap" = "6E 46 1E F5 CD A5 7D 55 A0 78 50 28 00 D7 AF 87"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 1F 4C 0D 1B 30 9A 3A D0 09 F6 1E 01 1F 10 BA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cafxascijanu" = "%Documents and Settings%\%current user%\cafxascijanu.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Network activity (URLs)

URL IP
hxxp://72.3.244.228/
hxxp://216.243.236.35/
hxxp://213.152.198.61/
hxxp://49.50.8.93/v02/
hxxp://65.181.70.3/
hxxp://217.27.254.150/
hxxp://5.9.94.34/
hxxp://182.48.49.195/
hxxp://209.160.23.206/
hxxp://173.248.156.34/
hxxp://60.191.129.142/
hxxp://198.171.234.61/
hxxp://193.104.35.207/
hxxp://platinumregistration.com/ 12.151.60.70
hxxp://canadienhorse.com/ 69.27.120.7
hxxp://signsbyyou.com/ 205.186.187.221
hxxp://virginiabeachhistory.org/ 216.117.143.48
hxxp://cadrexport.com/ 91.121.48.156
hxxp://192.220.97.141/
hxxp://99.192.139.59/
hxxp://amemarukun.com/ 122.152.128.132
hxxp://premiumfudge.com/ 69.5.0.127
hxxp://solartendas.com.br/ 187.108.194.152
hxxp://206.161.193.98/
hxxp://findersfayre.com/ 208.76.82.37
hxxp://chesterfieldchamber.com/ 50.62.148.216
hxxp://194.242.113.40/
hxxp://creativegraphicsindia.com/ 207.58.179.13
hxxp://cassidy.com/ 205.186.187.174
hxxp://lancohills.com/ 182.18.152.227
hxxp://cj-irinaka.com/ 210.172.144.247
hxxp://112.78.116.219/
hxxp://shokusen.co.jp/ 210.129.90.13
hxxp://aitom.cz/ 81.0.240.93
hxxp://orrhockey.com/ 209.196.155.206
hxxp://metalsaw.com/ 69.63.155.52
hxxp://computerlogicdirect.com/ 208.78.155.38
hxxp://198.171.14.144/
hxxp://dscbarcelona.com/ 82.98.164.2
hxxp://lindseycompany.com/ 38.113.1.157
hxxp://62.121.144.116/
hxxp://chasemeadow.com/ 217.199.187.62
hxxp://miniform.ru/ 31.31.207.7
hxxp://111.89.207.71/
hxxp://81.31.101.2/
hxxp://dronasoft.com/ 72.251.193.170
hxxp://bigmuddyumc.org/ 205.186.133.109
hxxp://210.188.201.42/
hxxp://hstechno.com/ 211.202.2.112
hxxp://borneodinawan.com/ 209.160.23.206
hxxp://imara-ing.com/ 213.195.69.220
hxxp://psiweb.org/ 82.165.41.45
hxxp://66.109.27.28/
hxxp://hamon.com/ 188.93.155.11
hxxp://backyardtirefire.com/ 199.59.157.102
hxxp://194.126.200.44/
hxxp://email.visionary.com/
hxxp://210.172.144.61/
hxxp://rogerturcotte.com/ 69.84.147.18
hxxp://takeuchinouen.com/ 210.172.144.21
hxxp://talkwireless.com/ 69.49.46.248
hxxp://209.238.103.16/
hxxp://67.210.119.235/
hxxp://euroherbal.com/ 212.166.68.8
hxxp://thepandapartnership.com/ 195.171.95.162
hxxp://prognos.com/ 80.74.154.246
hxxp://selc.com.au/ 150.60.10.97
hxxp://87.233.19.215/
hxxp://pegasogiochi.com/ 217.72.102.113
hxxp://213.230.215.202/
hxxp://darwin-tech.com/ 184.172.49.3
hxxp://94.23.212.160/
hxxp://theadlibgroup.com/ 69.90.163.140
hxxp://e-kanbe.com/ 202.122.142.40
hxxp://kbbrokerage.ca/ 208.92.232.210
hxxp://thekpmgroup.com/ 66.96.218.117
hxxp://e-genese.com/
hxxp://genquip.com.au/ 111.67.29.139
hxxp://cedartimbers.com/
hxxp://67.210.103.195/
hxxp://69.36.179.52/
hxxp://kalspo-japan.com/ 210.224.185.225
hxxp://ghostbusters.net/ 69.163.170.209
hxxp://79.96.73.253/
hxxp://80.51.22.5/
hxxp://69.56.229.158/
hxxp://85.214.100.84/
hxxp://72.249.28.100/
hxxp://83.65.246.237/
hxxp://holtans.no/ 212.33.133.94
hxxp://66.96.134.71/
hxxp://dineetje.nl/ 83.149.81.212
hxxp://businessassistance.com/ 173.237.185.32
hxxp://210.188.195.106/
hxxp://fphurley.co.uk/ 80.76.217.198
hxxp://ortodoncia.com.ec/ 199.231.93.57
hxxp://81.31.147.23/
hxxp://baggaley.co.uk/ 91.146.110.185
hxxp://webstroy.ru/ 83.222.3.128
hxxp://wetradenetwork.com/ 198.61.139.184
hxxp://103.9.168.166/
hxxp://uglassit.com/ 142.4.19.228
hxxp://archivists.com/ 202.181.99.40
hxxp://173.255.134.38/
hxxp://hotelmiamimilan.com/ 94.136.45.111
hxxp://gnetmail2.co.za/
hxxp://benefsnet.com/ 5.39.75.25
hxxp://worldcom.org/ 95.211.38.51
hxxp://tanjungbunga.com/ 144.76.202.231
hxxp://119.47.118.86/
hxxp://briangroce.com/ 207.198.118.49
hxxp://vsx-061.serverdedicati.it/
hxxp://networks2business.com/ 188.121.62.26
hxxp://realview.tv/ 217.69.43.28
hxxp://firstfreewichita.org/ 67.192.235.57
hxxp://middleage.org/ 208.112.45.106
hxxp://204.16.240.162/
hxxp://142.4.4.133/
hxxp://sargentsgardens.com/ 63.164.138.120
hxxp://146673-www3.conquerclub.com/
hxxp://vhosts11.aosoft.com/
hxxp://greatsea.com.sg/ 116.12.51.118
hxxp://borderloos.com/ 109.108.149.61
hxxp://aridor.net/ 193.238.208.73
hxxp://sterling-institute.com/
hxxp://jm-duterque.com/ 31.193.129.213
hxxp://ankauf-verkauf.de/ 46.4.72.218
hxxp://ostan.org/ 162.223.88.13
hxxp://kccop.org/ 128.121.194.248
hxxp://phc-pal.org/ 174.46.134.54
hxxp://kyokusen.com/ 210.172.144.246
hxxp://ns207670.ovh.net/
hxxp://66.29.156.131/
hxxp://lb07.virt.lolipop.jp/
hxxp://whatsyourangle.com/ 207.170.237.99
hxxp://208.70.244.160/
hxxp://66.181.240.100/
hxxp://darentasia.com/ 195.144.11.40
hxxp://acousticstage.org/ 211.132.107.2
hxxp://174.141.224.80/
hxxp://124.41.82.187/
hxxp://ivanica.net/ 149.255.58.41
hxxp://213.246.100.96/
hxxp://hlfiction.net/ 74.54.205.83
hxxp://96.234.178.45/
hxxp://smtp.nixe.biz/
hxxp://grand-prix-monaco.com/ 80.93.93.58
lopezshackleford.com 212.113.128.232
stropiyer.com 31.169.73.115
accentcare.com 207.58.165.220
gtouk.org.uk 82.147.20.69
jacksontrucks.com 71.40.14.189
centralofficesource.com 65.200.38.34
performancewearinc.com 64.118.84.6
cubedesigners.com 94.23.236.136
hkmagia.com 216.22.14.93
pm-yachts.cz 195.210.29.3
paginasamarillasec.com 67.228.13.106
fmyamato.co.jp 118.243.114.102
fishypussy.com 99.192.158.18
cleanroomindiabase.com 66.185.18.155
charlestonwirelessgroup.com 208.43.1.92
acpwc.com 64.207.189.226
spiroll.co.uk 69.73.162.83
villanievillani.it 62.149.196.186
isri-inc.com 210.171.136.45
davidrm.com 216.38.52.165
mdwyerlaw.com 69.16.250.12
citrox.co.uk 87.106.45.102
codupha.com.vn 210.245.121.60
invention13.net 173.192.57.176
likemybody.com 188.165.129.91
attikainternational.com 94.136.44.115
tabula.com 198.171.14.144
compplanning.com 198.46.91.115
acdcas.com 96.31.47.154
buffclothing.co.uk 94.136.45.223
happy-earth.com 210.172.144.61
iglesiasimoveis.com.br 75.119.213.58
foto-finito.com 210.172.144.248
onlinecomic.de 46.163.114.252
buildingdesignersaustralia.com.au 208.109.236.231
aquabelles.com 64.90.55.243
rishichem.com 74.50.110.226
libercourt.com 217.16.1.89
castlefieldgallery.co.uk 178.250.51.129
spacecommander.de 213.131.233.141
anadonaire.com 5.39.16.97
sbt.com.tr Unresolvable


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Trojan-PSW file.
  3. Delete or disinfect the following files created/modified by the Trojan-PSW:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\theprintinghouseltd.co[1].htm (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\enzoyrodrigo.com[1].htm (586 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[1].txt (175 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@stepnet[1].txt (219 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ricated[1].htm (260 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\empordalia[1].htm (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\easygen[1].htm (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\mojacar-vacaciones[1].htm (876 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\cath4choice[1].htm (27 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (241 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@screaminpeach[1].txt (233 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (251 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\sydney[1].htm (357 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@bigjohnsbeefjerky[1].txt (241 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\shs-sales.co[1].htm (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\sun-ele.co[1].htm (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\aciuba.com[1].htm (73 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@area72aa[1].txt (210 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\brijindia[1].htm (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\robertmcintyre.com[1].htm (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\ginalimo[1].htm (15 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@goodvaluecenter[1].txt (237 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\violadagamba[1].htm (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\le-mariage[1].htm (19 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@telenavis[1].txt (225 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@sarahdavid[1].txt (227 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\fraser-high.school[1].htm (759 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (793 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@golfpark-moossee[1].txt (281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\easygen[1].htm (13 bytes)
    %Documents and Settings%\%current user%\cafxascijanu.exe (38 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\robertmcintyre.com[1].htm (14 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@altonhousehotel[1].txt (237 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\wkhk[1].htm (1832 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@traderush[1].txt (270 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\robertmcintyre.com[2].htm (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ryumachi-jp[1].htm (10 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@4pipp[1].txt (217 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@msasys[1].txt (206 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\mibsga[1].htm (1100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\eygwindows.co[1].htm (1755 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\churchclothes[1].htm (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\frederickallergy[1].htm (15 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@wsipowerontheweb[1].txt (239 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\82J9UUUG\bigtopmultimedia[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUXABSD1\ixtractor[1].htm (34 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (19756 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\kamaruka.vic.edu[1].htm (30 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@westhillsstl[1].txt (232 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\redconeretreat[1].htm (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LK8VX2VE\sortedorganizing[1].htm (4 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@ulcndsu[1].txt (221 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\teasing-video[1].htm (1055 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[2].txt (358 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MVAP1HL5\trinity-works[1].htm (16 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "cafxascijanu" = "%Documents and Settings%\%current user%\cafxascijanu.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now