Trojan-PSW.Win32.Fareit_3a1d27c536
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Cutwail.a (v) (VIPRE), Trojan.Crypt_s!IK (Emsisoft), Trojan-PSW.Win32.Fareit.FD, TrojanPSWFareit.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 3a1d27c536a9f46c6540d797abe25231
SHA1: 97df9bfb9ce6ff703eaf9fa89864bbb6d85388c2
SHA256: 211b3027ec6634a07972a15cee6d34b522817fe5a71349349fa2d845cdb6530b
SSDeep: 768:x5bJzd3/KjeYqVYJOL CTTeR2/B35s/iSeZm:x5b/3ygCOqUTeRusQ4
Size: 40448 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2005-02-08 07:40:59
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan-PSW. Trojan program intended for stealing users passwords.
Payload
No specific payload has been found.
Process activity
The Trojan-PSW creates the following process(es):
No processes have been created.
The Trojan-PSW injects its code into the following process(es):
%original file name%.exe:496
File activity
The process %original file name%.exe:496 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EVSHK1IV\cantv[1].htm (26169 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (89 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXS3SNIP\rock[1].htm (22193 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXS3SNIP\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\xatsassidsyx.exe (40 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@opotonline[1].txt (193 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (230 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2V6J8FER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tylerknott[1].txt (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EVSHK1IV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ITI72F07\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yahoo[1].txt (158 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2V6J8FER\eircom[1].htm (22649 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ITI72F07\tushifire[1].htm (264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ITI72F07\vampirefreaks[1].htm (54095 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@osu[1].txt (222 bytes)
Registry activity
The process %original file name%.exe:496 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"2312304364" = "DE 07 01 00 01 00 0D 00 05 00 10 00 06 00 04 00"
"AppManagement" = "FA D2 AA 82 5A 32 0A E1 B9 91 69 41 19 F0 C8 A0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 CC F5 3C 85 D6 0F B2 1D E6 58 07 9A 04 24 5A"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"xatsassidsyxzap" = "B8 C2 40 4A A9 81 59 31 09 E0 B8 90 68 40 18 EF"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"xatsassidsyx" = "%Documents and Settings%\%current user%\xatsassidsyx.exe"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://rucls.net/?ptrxcz_w3AHOVcjqx4BIPWcjry5CJPWdksz6C |  50.63.97.1 |
| hxxp://eircom.net/ |  86.43.38.8 |
| hxxp://bassettfurniture.com/?ptrxcz_x4BIPVcjry5CJQXelsz6DKRYfmu17E | 216.54.174.228 |
| hxxp://terra.com.br/ |  200.154.56.80 |
| hxxp://spin.com/?ptrxcz_Zhpv3AHNUbiqx3AHOVciqx4BHOVcjr | 54.241.17.74 |
| hxxp://alumni.ubc.ca/ |  142.103.166.167 |
| hxxp://jrihealth.org/?ptrxcz_Vcjrx4BIPWdkry5CJQXdksz6DKQXel | 208.73.210.29 |
| hxxp://thetourbus.com/ | 208.113.218.103 |
| hxxp://skynet.be/?ptrxcz_lu18ELSZfmu18ELSZfmu17ELSYfmu0 |  195.238.10.70 |
| hxxp://accessus.net/?ptrxcz_07ELSYfmu07ELRYfmt07EKRYflt06D | 209.145.128.4 |
| hxxp://tiscali.it/ |  213.205.32.10 |
| hxxp://nfp.com/?ptrxcz_qx5BIPWcjry4BIOVcjqx4BHOVciqx4 | 66.193.217.167 |
| hxxp://chello.nl/?ptrxcz_NVbiqx4BHOVciqx4BHOVciqx4AHOVb |  213.46.242.72 |
| hxxp://migente.com/ | 70.42.66.18 |
| hxxp://skynet.be/ | |
| hxxp://sify.com/ |  202.144.65.205 |
| hxxp://alice-dsl.de/?ptrxcz_08EMSZgov18FMSZgou18FMSZgou18F |  85.183.254.1 |
| hxxp://penn.com/?ptrxcz_7ELSZfmu17ELSYfmu07ELRYflt07DK | 207.69.200.191 |
| hxxp://hawaii.rr.com/?ptrxcz_DLRYfmu18FLSZgov18FMTagov29GMT | 24.165.45.220 |
| hxxp://nfp.com/ | |
| hxxp://ministryofsound.net/?ptrxcz_AHNUbiqw9GNTahpw29GNUahpw29GNU |  212.53.89.138 |
| hxxp://terra.cl/?ptrxcz_MUahpw3AHNUbipw3AGNUbhpw39GNUb | 208.70.188.79 |
| hxxp://tylerknott.com/?ptrxcz_Xelt07EKRYflt07EKRYflksz6DJQXe | 66.6.44.4 |
| hxxp://newparkdf.com/?ptrxcz_JQXelt06DKRYelt07EKRYfmt07ELSY | 204.44.157.41 |
| hxxp://aol.com/ | 64.12.79.57 |
| hxxp://avinalarf.co.uk/?ptrxcz_lt07ELSYfmu17ELSZfmu17ELSZfmu1 | 108.162.197.62 |
| hxxp://clear.net.nz/?ptrxcz_2AHOVciqx4AHOVciqx4AHOVbiqx4AH |  203.97.37.85 |
| hxxp://jotmail.com/ | 65.55.39.12 |
| hxxp://csrlink.net/?ptrxcz_qy5CJPWdksy5CJQWdksy5CJQXdksz6 | 207.69.200.194 |
| hxxp://asianavenue.com/?ptrxcz_Vdjry5CJQXdksz5CJQWdksz5CJQWdk | 70.42.66.60 |
| hxxp://usfilter.com/?ptrxcz_RYflt17ELSZfmu17ELSZfmu18ELSZg | 72.22.18.241 |
| hxxp://iupui.edu/ | 129.79.78.166 |
| hxxp://terra.es/?ptrxcz_w4BIPWcjrx4BIOVcjqx4BHOVciqx4A | 208.84.244.10 |
| hxxp://csrlink.net/?ptrxcz_Wdksz6DKQXeltz6DKQXeltz6DKQXel | |
| hxxp://primus.com.au/?ptrxcz_5CKRXeltz7ELSYfmu07ELRYfmu07EK |  203.134.30.5 |
| hxxp://rock.com/ | 168.143.19.128 |
| hxxp://yahoo.gr/?ptrxcz_fmu18FMTZgov29FMTahov29GNTahpw |  87.248.120.148 |
| hxxp://pt.lu/?ptrxcz_fq1BLWgr1BLVgr1BLVfr1BLVfr1BLV |  195.46.252.19 |
| hxxp://planet.nl/?ptrxcz_JQXelsz6DKRXel6Ubhpw39GNUbhoGN | 213.75.28.140 |
| hxxp://otakumail.com/?ptrxcz_LSZgmu18FMSZgou18FLSZgmu18FLSZ | 50.22.218.215 |
| hxxp://nfp.com/?ptrxcz_PWdkry5CIPWdjry5CIPWdjry5BIPWd | |
| hxxp://merck.com/ | 155.91.16.2 |
| hxxp://free.fr/ |  212.27.48.10 |
| hxxp://v6v4.portal-standard.aol.akadns.net/ | |
| hxxp://sympatico.ca/ | 206.47.72.104 |
| hxxp://earthlink.net/ | 209.86.93.201 |
| hxxp://vampirefreaks.com/?ptrxcz_fmu18FMSZgou18FLSZgmu18ELSZfmu | 38.106.205.131 |
| hxxp://lyuchta.org/ | 50.116.32.177 |
| hxxp://tushifire.com/ | 5.9.61.148 |
| hxxp://opotonline.net/?ptrxcz_z6DKRYfmt07ELRYfmt07ELRYfmt07E | 176.74.176.179 |
| hxxp://planttel.net/?ptrxcz_iqw3AHNUbipw3AHNUbipw3AHNUbipw | 209.164.229.134 |
| hxxp://free.fr/?ptrxcz_Xelt07ELSYfmu17ELSYfmu17ELSYfm | |
| hxxp://worldonline.co.uk/ | 212.74.99.30 |
| hxxp://cascademarble.com/ | 184.168.221.19 |
| hxxp://osu.edu/ | 140.254.112.210 |
| hxxp://myway.com/?ptrxcz_8FMTagov29FMTagov28FMTZgov18FM | 74.113.233.77 |
| hxxp://ninemsn.com.au/?ptrxcz_mu18ELSZgmu18ELSZgmu18ELSZgmu1 | 202.58.48.123 |
| hxxp://pru-nw.com/ | 69.25.128.172 |
| hxxp://jubii.dk/ |  77.66.22.12 |
| hxxp://tigers-net.com/?ptrxcz_5CJQXdksz5CJQWdksy5CJPWdkry5BI |  210.171.0.80 |
| hxxp://hawaii.rr.com/ | |
| hxxp://colorado.edu/ | 128.138.129.98 |
| hxxp://univision.com/?ptrxcz_dksz6DJQXelsz6DKQXeltz6DKRYelt | 64.14.58.80 |
| hxxp://asia.com/ | 72.55.150.59 |
| hxxp://bumbleandbumble.com/?ptrxcz_BIPWcjry4BIPVcjrx4BIOVcjqx4BHO | 170.224.105.243 |
| hxxp://redlands.edu/ | 206.208.133.173 |
| hxxp://comcast.net/ | 162.150.0.50 |
| hxxp://asianavenue.com/ | |
| hxxp://gmx.de/?ptrxcz_iqx4AHOVbiqx3AHOUbiqw3AHNUbipw | 213.165.65.50 |
| hxxp://iies.es/ | 213.251.158.197 |
| hxxp://surewest.net/?ptrxcz_18ELSZfmu18ELSZfmu18ELSZfmu17E | 64.8.70.120 |
| hxxp://x-men.com/ | 72.32.138.96 |
| hxxp://sandiegoinsider.com/?ptrxcz_t07ELSZgmu17ELSYfmu07ELRYfmt07 | 68.1.17.9 |
| hxxp://ministryofsound.net/?ptrxcz_fmu18FMbpw39GNUbhpw3AHNUbiqw3A | |
| hxxp://jrihealth.org/ | |
| hxxp://planet.nl/?ptrxcz_x4BIOVcjrx4BIOVcjqx4BHOVciqx4A | |
| hxxp://chello.nl/ | |
| hxxp://springsips.com/?ptrxcz_qy5CIPWdkry5CIPWdjry5BIPWcjry4 | 216.17.135.208 |
| hxxp://accessus.net/ | |
| hxxp://the-beach.net/ | 64.8.70.102 |
| hxxp://cantv.net/ |  200.44.32.103 |
| hxxp://pandora.be/?ptrxcz_MTagov29GNTahpv29GMTahov29FMTZ | 195.130.131.38 |
| hxxp://univision.com/ | |
| hxxp://primus.com.au/?ptrxcz_NUbipw3AHOUbiqw3AHNUbipw3AGNUb | |
| hxxp://spin.com/?ptrxcz_qx4BHOVcjrx4BIPVcjry4BIPWcjry5 | |
| hxxp://aol.com/?ptrxcz_x4BHOVciqx4AHOVbiqx3AHOUbiqx3A | |
| hxxp://law.com/ | 204.14.32.84 |
| hxxp://music.com/?ptrxcz_mu17ELSZfmu17ELSZfmu17ELSYfmu1 | 192.225.208.10 |
| hxxp://cannylink.com/ | 206.217.196.90 |
| hxxp://the-beach.net/?ptrxcz_mu18FLSZgov18FMTZgov29FMTahov2 | |
| hxxp://terra.cl/ | |
| hxxp://usintouch.com/?ptrxcz_7ELSZgmu18FMSZgov29FMTahpv29GN | 70.34.34.93 |
| hxxp://bumbleandbumble.com/?ptrxcz_8FMTZgov28FMTZgov28FMTZgov28FM | |
| hxxp://nfp.com/?ptrxcz_CJQWdksy5CJQWdksy5CJPWdkry5CIP | |
| hxxp://number1.net/ | 208.73.211.169 |
| hxxp://optonline.net/ | 66.54.17.31 |
| hxxp://iies.es/?ptrxcz_emu18FLSZfmu18ELSZfmu17ELSYfmu | |
| hxxp://zeelandnet.nl/ | 62.238.255.67 |
| hxxp://cintas.com/ | 74.121.200.143 |
| hxxp://bol.com.br/ | 200.147.3.199 |
| hxxp://nifty.com/?ptrxcz_RYfmt07EKRYflmSZgou18FMSZgou18 | 210.131.4.217 |
| hxxp://uncc.edu/?ptrxcz_jsy6CJQXdksz6CJQXdksz5CJQWdksz | 152.15.219.131 |
| yatroo.com | 82.98.86.174 |
| uymail.com | 50.22.218.215 |
| brick.net | 209.145.128.4 |
| in1.smtp.messagingengine.com | 66.111.4.73 |
| dangerous-minds.com | 46.4.58.71 |
| madrid.com |  89.30.105.26 |
| primusonline.com.au | 211.27.226.8 |
| www.aol.com | 64.12.21.3 |
| telus.net | 67.205.66.14 |
| catech-systems.com | 216.251.32.98 |
| frisurf.no |  153.110.239.145 |
| bluewin.com | 195.186.196.90 |
| interia.pl |  217.74.65.23 |
| gravityboard.com | 199.91.125.78 |
| beeone.de | 193.227.203.172 |
| alice.it | 217.169.121.227 |
| idealcollectables.com | 208.106.129.24 |
| gmail-smtp-in.l.google.com | 74.125.142.27 |
| centrum.cz |  46.255.224.60 |
| alt4.gmail-smtp-in.l.google.com | 173.194.65.27 |
| amazon.com | 176.32.98.166 |
| waupacafoundry.com | 71.13.131.168 |
| karoo.co.uk | 87.102.50.138 |
| tds.net | 216.170.230.61 |
| ncable.net.au | 203.208.88.59 |
| msn.com | 65.55.206.228 |
| mxs.mail.ru |  94.100.176.20 |
| vip.hr |  212.91.113.39 |
| netscape.net | 205.188.100.58 |
| mailshell.com | 209.157.66.253 |
| lansdownecollege.com | 109.228.9.27 |
| indiatimes.com | 223.165.27.13 |
| air-internet.com | 67.202.147.232 |
| dragonmount.com |  190.93.250.176 |
| intelnet.net.gt |  200.6.192.206 |
| myspace.com | 216.178.46.224 |
| mchsi.com | 64.8.70.102 |
| comporium.net | 208.104.2.209 |
| bodybuilders.com | 206.207.84.93 |
| creighton.edu | 147.134.13.145 |
| american.edu | 147.9.1.186 |
| mail7.digitalwaves.co.nz |  127.0.0.1 |
| verizon.net | 206.46.232.39 |
| imaginet.com | 168.61.3.239 |
| gm.com | 82.98.83.149 |
| reihtec.com |  Unresolvable |
| vianet.com.mx | Unresolvable |
| musician.org | Unresolvable |
| honey-do-this.com | Unresolvable |
| pink.livedoor.com | Unresolvable |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
- Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EVSHK1IV\cantv[1].htm (26169 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (89 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXS3SNIP\rock[1].htm (22193 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXS3SNIP\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\xatsassidsyx.exe (40 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@opotonline[1].txt (193 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (230 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2V6J8FER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tylerknott[1].txt (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EVSHK1IV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ITI72F07\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yahoo[1].txt (158 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2V6J8FER\eircom[1].htm (22649 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ITI72F07\tushifire[1].htm (264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ITI72F07\vampirefreaks[1].htm (54095 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@osu[1].txt (222 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"xatsassidsyx" = "%Documents and Settings%\%current user%\xatsassidsyx.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
