Trojan-PSW.Win32.Fareit_98844d0d8b

by malwarelabrobot on December 24th, 2013 in Malware Descriptions.

Gen:Variant.Graftor.125024 (BitDefender), Trojan.Win32.Cutwail.cfo (Kaspersky), BackDoor.Bulknet.1299 (DrWeb), Gen:Variant.Graftor.125024 (B) (Emsisoft), PWSZbot-FOF!98844D0D8B28 (McAfee), WS.Reputation.1 (Symantec), Trojan-Downloader.Win32.Cutwail (Ikarus), Gen:Variant.Graftor.125024 (FSecure), Trojan-PSW.Win32.Fareit.FD, TrojanPSWFareit.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Technical Details

Removal Recommendations

MD5: 98844d0d8b28ef5bd97bd82b0eaf5b82
SHA1: f3e3dd628670a808e1383e819f907c7844ce7aa4
SHA256: 059dd442f33feba010ea994a5418b61430c85cf7f7fa39f9e5c71c3888b81be1
SSDeep: 1536:iPMZBEr5QREE7lzaOtId9PHs65Jp Pst7J:i0ZBsih7gbd9PVJoEx
Size: 85504 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: Armadillov171, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, UPolyXv05_v6
Company: no certificate found
Created at: 2011-04-28 15:44:57
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

No specific payload has been found.

Process activity

The Trojan-PSW creates the following process(es):
No processes have been created.
The Trojan-PSW injects its code into the following process(es):

%original file name%.exe:1548

File activity

The process %original file name%.exe:1548 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (251 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigtopmultimedia[1].txt (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\churchclothes[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\timeturkey[1].htm (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\rovoneli[1].htm (261 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (273 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atr-technologies[1].txt (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fraser-high.school[1].htm (759 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (235 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (239 bytes)
%Documents and Settings%\%current user%\vinukykeapud.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\bocr[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (241 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigtopmultimedia[2].txt (239 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@screaminpeach[1].txt (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\mojacar-vacaciones[1].htm (876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\safetyconnection[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\empordalia[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\home[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\redconeretreat[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\lockerlookz[1].htm (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sarpy[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@goodvaluecenter[1].txt (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cath4choice[1].htm (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\kamaruka.vic.edu[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@plus[1].txt (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\eleterno[1].htm (17 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (235 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[2].txt (297 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (881 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigjohnsbeefjerky[1].txt (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\enzoyrodrigo.com[2].htm (586 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\suspendedpage[1].htm (999 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\teasing-video[1].htm (1542 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\slcago[1].htm (400 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@pcpeds[1].txt (219 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@geothermusa[1].txt (160 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[1].txt (152 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@traderush[1].txt (268 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[1].txt (175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shs-sales.co[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\enzoyrodrigo.com[1].htm (586 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hostphd.com[1].htm (24 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ulcndsu[1].txt (221 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (22552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sortedorganizing[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shs-sales.co[2].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\momonophoto[1].htm (19 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sarahdavid[1].txt (227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[2].txt (358 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\urantiaproject[1].htm (756 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@bigtopmultimedia[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\churchclothes[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\timeturkey[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\rovoneli[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\bocr[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\safetyconnection[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\empordalia[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\home[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\redconeretreat[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\lockerlookz[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shs-sales.co[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\kamaruka.vic.edu[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\eleterno[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\enzoyrodrigo.com[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\slcago[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sarpy[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\enzoyrodrigo.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hostphd.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cath4choice[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shs-sales.co[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\momonophoto[1].htm (0 bytes)

Registry activity

The process %original file name%.exe:1548 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"vinukykeapudzap" = "7B 53 2B 03 DA B2 8A 62 3A 12 E9 C1 99 71 49 94"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"2312304364" = "DD 07 0C 00 01 00 17 00 03 00 35 00 28 00 92 02"

"AppManagement" = "A7 7F 57 2F 07 DE B6 8E 66 3E 16 ED C5 11 E8 C0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 4D 85 99 91 E7 C6 77 40 8F D8 54 EA 33 18 BD"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"vinukykeapud" = "%Documents and Settings%\%current user%\vinukykeapud.exe"

The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Network activity (URLs)

URL	IP
hxxp://bocr.cz/	217.198.115.41
hxxp://sigmametalsinc.com/	208.113.149.173
hxxp://timeturkey.com/	89.19.17.218
hxxp://rovoneli.com/	144.76.86.115
hxxp://hostphd.com.br/	192.196.156.73
hxxp://eyggroup.com/	85.233.160.22
hxxp://wlf.louisiana.gov/	184.106.119.164
hxxp://bocr.cz/bocr
hxxp://urantiaproject.com/	69.94.124.47
hxxp://cath4choice.org/	76.12.228.8
hxxp://eygwindows.co.uk/
hxxp://sullyfrance.com/	216.8.179.23
hxxp://www.sigmaaero.com/	208.113.225.142
hxxp://bocr.cz/bocr/
hxxp://d4drmedia.com/	208.70.247.105
hxxp://mail57.us2.mcsv.net/	173.231.139.57
hxxp://141.101.116.118/
hxxp://fraser-high.school.nz/	210.48.67.144
hxxp://mojacar-vacaciones.com/	12.158.190.246
hxxp://re-wakefield.co.uk/	141.101.117.86
hxxp://mailchimp.com/about/mcsv/	50.22.201.236
hxxp://safetyconnection.ca/	209.222.48.210
hxxp://79.98.23.30/
hxxp://miltinio-teatras.lt/	92.61.39.244
hxxp://padstow.com/	62.233.107.131
hxxp://bethisraelcenter.org/	204.213.246.4
hxxp://geodecisions.com/	216.174.25.93
hxxp://iaiglobal.or.id/	49.50.8.93
hxxp://capitalcitytuxedo.com/	67.223.102.236
hxxp://redconeretreat.com/	173.204.163.136
hxxp://csmbc.org/	149.47.157.224
hxxp://slcago.org/	97.74.80.192
hxxp://kafrit.com/	62.219.2.230
hxxp://coopsupermarkt.nl/	213.247.43.95
hxxp://momonophoto.com/	203.189.105.136
hxxp://199.83.132.93/
hxxp://guberman.com.br/	186.202.149.17
hxxp://bigjohnsbeefjerky.com/	190.93.241.165
hxxp://totalearthcare.com.au/	108.162.192.154
hxxp://e-kagami.com/	54.249.238.243
hxxp://buzzkillmedia.com/	173.201.140.128
hxxp://christybarry.com/	66.49.139.143
hxxp://christybarry.com/cgi-sys/suspendedpage.cgi
hxxp://50.97.221.19/
hxxp://gablemarine.com/	141.101.126.46
hxxp://brookfarm.com.au/	116.251.204.207
hxxp://188.93.212.32/
hxxp://goodvaluecenter.com/	108.162.202.140
hxxp://sztartufi.com/	95.110.192.171
hxxp://leadershipforum.us/	66.39.30.185
hxxp://95.110.200.253/
hxxp://rodeoshow.com.au/	103.28.250.103
hxxp://t7k6a.x.incapdns.net/
hxxp://chscreative.com/	95.85.15.57
hxxp://racknstackwarehouse.com.au/	141.101.116.200
hxxp://boundbydesign.com/	97.74.55.128
hxxp://perc.ca/	69.89.31.118
hxxp://nanfangcw.com/	119.145.168.16
hxxp://upsilon89.com/	151.236.48.69
hxxp://fabianonline.de/	88.198.7.211
hxxp://iaiglobal.or.id/v02
hxxp://schiedel.it/	217.145.99.26
hxxp://lindsaymuskies.com/	70.86.133.242
hxxp://areafor.com/	185.2.130.31
hxxp://goodtimestove.com/	108.175.156.203
hxxp://ziuabarbatului.ro/	194.50.126.226
hxxp://trilatino.org/	65.254.248.203
hxxp://automa.it/	95.110.195.52
hxxp://newstarit.com/	74.86.195.192
hxxp://kamaruka.vic.edu.au/	112.140.176.61
hxxp://alain-cristina.fr/	213.186.33.19
hxxp://astechindo.com/	119.235.30.117
hxxp://sarpy.com/	66.37.225.130
hxxp://gemeauxrecords.com/	122.152.128.150
hxxp://beautifulworksforyou.com/	64.207.145.142
hxxp://geothermusa.com/	50.62.125.1
hxxp://mirasmart.com/	198.46.141.242
hxxp://nc-engineering.com/	5.159.228.49
hxxp://eleterno.com/	184.168.233.1
hxxp://sicklescorp.com/	207.58.128.176
hxxp://movielodge.com/	146.82.204.123
hxxp://nuritech.com/	222.239.78.139
hxxp://cen-wealth.com/	184.172.26.250
hxxp://zdnic.com/	46.4.30.139
hxxp://churchsupplies.net/	66.232.99.164
hxxp://digitalshell.net/	174.36.6.111
hxxp://cieam.com.br/	184.107.204.130
hxxp://sortedorganizing.com/	74.220.199.6
hxxp://simmons-huynh.org/	50.62.41.212
hxxp://iaiglobal.or.id/v02/
hxxp://alemnet.org/	81.92.217.235
hxxp://dogchat.co.uk/	205.196.222.203
hxxp://yniteh.ru/	82.146.40.77
hxxp://q-productions.com/	216.117.177.69
hxxp://autoakcesoria.com.pl/	212.85.97.185
hxxp://clarendonmarketing.com/	62.128.202.97
hxxp://wykrywacze.com.pl/	194.169.227.15
hxxp://gameznstuff.com/	74.125.224.41
hxxp://huyserasphalt.com/	69.163.228.228
hxxp://eaam.org/	85.25.146.108
hxxp://bghydro.com/	71.92.77.190
hxxp://consolerepairguy.com/	156.34.233.155
hxxp://gruponexus.com.ar/	75.98.175.50
hxxp://typowerspring.com/	202.39.245.6
hxxp://courthousetravelclinic.com/	50.63.139.195
hxxp://korea-engine.com/	222.122.86.253
hxxp://realtors.co.il/	198.64.249.178
hxxp://cidvale.com.br/	187.33.34.70
hxxp://amcenter.ru/	188.94.91.44
hxxp://gesyuku.net/	157.7.184.19
hxxp://rdiamondgroup.com/	66.119.165.58
hxxp://tubaloo.net/	204.232.156.35
hxxp://pengadindy.com/	199.230.52.72
hxxp://unityfdn.org/	208.85.226.200
hxxp://kationo.com/	49.50.8.69
hxxp://sepalumic.com/	188.165.218.66
hxxp://fas-assur.com/	213.186.33.87
hxxp://accountancywales.com/	141.101.116.184
hxxp://tenak.org/	192.254.194.147
hxxp://tomballbible.org/	205.186.175.198
hxxp://marbet.com/	176.9.141.61
hxxp://centinelafeed.com/	66.96.131.51
hxxp://fano.net/	95.110.204.251
hxxp://activeday.com/	50.28.22.229
hxxp://soilsystem.com/	210.172.144.23
hxxp://eastwesteye.com/	216.104.33.234
hxxp://forodeopinion.org/	46.105.127.76
hxxp://autoesteller.com/	198.136.63.96
hxxp://hotelportonmedellin.com/	74.55.240.194
hxxp://ogunquitbeach.com/	64.226.226.116
hxxp://digitalsmarthomes.com/	69.90.223.224
hxxp://kendo24.com/	212.218.192.17
hxxp://lisavillar.com/	209.59.167.128
hxxp://manuelandsonscarpetcleaning.net/	173.192.168.242
hxxp://fabrizio.net/	216.120.237.103
hxxp://ontimegamefeeders.com/	142.4.22.195
hxxp://accommodationinvenice.com/	62.149.227.232
hxxp://connection507.com/	209.105.229.60
hxxp://fondoarco.it/	79.125.13.0
hxxp://simdog.net/	174.132.133.82
hxxp://webvenues.com/	198.66.255.180
hxxp://dynatec-vp.com/	211.13.204.3
hxxp://turbo-separator.ch/	80.74.145.50
hxxp://fotofilmes.com.br/	69.175.99.162
hxxp://ercotravels.com/	198.154.226.124
hxxp://jjrjr.com/	74.208.164.214
hxxp://ertebatsanat.com/	91.98.29.146
hxxp://styloshoes.com/	185.28.36.38
hxxp://cobrasystems.com/	184.168.151.229
hxxp://hugheschem.com/	203.122.59.43
hxxp://thelogoloft.com/	76.12.80.107
hxxp://clarkebasementsystems.com/	50.56.161.202
hxxp://fuentenebro.com.es/	212.142.132.70
hxxp://colourtex.co.in/	174.132.183.227
hxxp://netalive.org/	217.150.250.111
hxxp://stimpson.com/	205.186.179.197
hxxp://zocher.us/	64.111.127.245
hxxp://iftcargas.com.br/	108.167.175.110
hxxp://nsjnail.com/	202.143.64.38
hxxp://mundysflorist.com/	213.229.121.172
hxxp://chapsrus.com/	199.36.105.162
hxxp://thecamelnet.com/	149.47.141.168
hxxp://rmmfg.com/	162.144.56.223
hxxp://myjeweller.com.au/	128.242.87.51
hxxp://coopcoach.ch/	85.237.85.61
hxxp://stomaster.com/	161.58.72.151
hxxp://tokushukai.com/	133.242.9.199
hxxp://leesos.com/	218.38.12.35
hxxp://nbgeneralsoft.ro/	86.123.3.190
hxxp://chakuonya.com/	49.212.88.87
hxxp://jps-salledebain.net/	95.128.74.58
hxxp://sadotrans.com/	188.132.194.16
hxxp://klasiquegoldens.com/	216.172.104.4
hxxp://recoding.net/	46.38.175.198
hxxp://absolutaire.com/	50.28.60.108
hxxp://oasis-land.com/	91.232.125.10
hxxp://kselsig.com/	192.232.209.199
hxxp://3dwebstudio.com.br/	199.201.89.27
hxxp://oprs.org/	198.1.79.36
hxxp://gruponunez.com/	77.240.127.10
hxxp://palomoyporras.com/	184.106.58.109
hxxp://igpromocions.com/	164.138.208.139
hxxp://temple-sinai.net/	192.232.204.85
hxxp://ccvaughan.com/	50.22.242.35
hxxp://jackshainman.com/	198.1.82.122
hxxp://j-english.net/	112.78.112.106
hxxp://ultrapowder.com/	210.166.220.107
hxxp://pedrottivini.com/	62.149.204.115
hxxp://lockportpark.org/	184.168.193.48
hxxp://indygojunction.com/	70.32.105.174
hxxp://ndi.net.pl/	193.105.32.5
hxxp://zappa.com.mx/	208.76.82.133
hxxp://metaxasarch.com/	198.58.124.131
hxxp://icomco.com/	67.228.43.208
hxxp://deryaltd.com.tr/	188.132.205.141
hxxp://blossomvalleybiblechurch.com/	64.14.78.35
hxxp://irvink.com/	175.107.131.177
hxxp://azcec.org/	67.205.39.250
hxxp://brahouse.ro/	80.86.106.123
hxxp://futureligonier.org/	137.118.32.81
hxxp://customsignstore.com/	80.249.161.149
hxxp://m-sj.or.jp/	210.155.248.145
hxxp://gerryraymonda.com/	174.37.200.162
hxxp://ntfire.net/	64.77.84.66
hxxp://mcloone.com/	50.57.40.42
hxxp://oaklandholidayparade.com/	66.71.249.202
hxxp://aestheticsoft.com/	86.57.246.177
hxxp://airfloatsys.com/	50.56.193.181
hxxp://badwinkel.be/	195.81.125.36
hxxp://wisperisp.com/	38.114.71.98
hxxp://hosttayim.com/	188.138.72.198
hxxp://premierhotels.co.za/	216.70.99.175
hxxp://auxsoinsdespetits.com/	209.41.133.210
hxxp://photographe-31.com/	213.186.33.3
hxxp://flower-gekijo.com/	210.172.144.245
hxxp://opportunity-inc.com/	208.122.226.210
hxxp://cabcollege.org/	108.162.198.181
hxxp://mojaxxllinia.com/	91.185.200.6
hxxp://nutri-tech.com.au/	174.120.144.74
hxxp://opale-net.net/	216.130.181.140
hxxp://niigata-koi.com/	210.172.144.242
hxxp://standrewspres.com/	67.210.102.9
hxxp://tornayabogados.com/	85.238.2.245
hxxp://internetway.net/	178.16.164.211
hxxp://mprojp.com/	210.172.144.248
hxxp://autoglass-takatsuki.com/	210.188.195.101
hxxp://mickeyshorr.com/	198.20.224.224
hxxp://southlinksgolf.com/	174.120.70.214
hxxp://koka-kanko.org/	202.229.27.125
hxxp://power-oldie.com/	78.47.90.12
hxxp://cdpublications.com/	209.213.117.205
hxxp://lordhaldonhotel.co.uk/	192.155.90.223
hxxp://nagoya67.com/	122.152.128.166
hxxp://garyfoundation.com/	198.154.194.17
realtechre.com	127.0.0.1
ebda.org.pl	81.2.201.235
xmassalt.com	210.172.144.179
daytonaffair.org	74.218.130.98
fatvirgin.com	216.108.226.14
gracechicago.com	127.0.0.1
sasquatch.com	184.173.67.65
in1.smtp.messagingengine.com	66.111.4.72
umutgumrukleme.com	85.17.253.48
galloplast.com	46.16.58.6
callaisofs.com	209.124.203.131
greencroft.org	209.235.193.33
cadeclinic.com	203.98.74.146
k-ryokuen.com	219.101.65.6
vitalur.by	178.159.246.76
www.rodeoshow.com.au	199.83.128.103
mxs.mail.ru	94.100.176.20
tenpole.com	127.0.0.1
konishi-hp.com	122.219.254.148
www.momonophoto.com	203.189.105.136
eomc.net	213.208.149.2
blumencorso.com	83.65.246.206
timbertrading.it	81.31.155.45
gmail-smtp-in.l.google.com	74.125.142.27
milnsbridge.com.au	198.58.126.237
hayan-design.com	222.122.39.96
biotek.com	72.3.161.227
alt4.gmail-smtp-in.l.google.com	74.125.136.27
elvial.gr	178.238.227.82
aethora.com	67.207.143.253
madih.info	72.29.82.72
adult-vids.com	66.230.173.51
redeinformatica.net	217.160.206.205
nataliecurtiss.com	192.168.100.1
xing-group.com	59.106.165.171
tollefsondesign.com	192.168.0.1
foamearphonecover.com	94.136.36.27
chunkymuscle.com	37.130.231.239
nasuken.com	59.106.165.171
www.bigjohnsbeefjerky.com	190.93.241.165
goldhostusa.com	142.4.20.117
welcomingcenter.org	166.78.162.166
saber-scorpion.com	216.55.168.44
concls.com	66.193.46.49
genmar.gen.tr	127.0.0.1
www.iaiglobal.or.id	49.50.8.93
cambridgeny.net	66.35.48.26
marineware.com	66.96.147.120
accel.lt	127.0.0.1
qualitypunch.com	173.201.189.225
rmpdesign.com	79.170.192.247
mail7.digitalwaves.co.nz	127.0.0.1
reflite.com	210.248.135.16
alcapelhost.com	173.224.120.224
accu-swift.com	184.107.166.98
goodhill.com.kh	119.82.249.9
www.eygwindows.co.uk	173.0.131.15
yourorlandogetaway.com	Unresolvable
manuyantralaya.com	Unresolvable
hifuken.com	Unresolvable

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Trojan-PSW file.
Delete or disinfect the following files created/modified by the Trojan-PSW:

%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (251 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigtopmultimedia[1].txt (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\churchclothes[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\timeturkey[1].htm (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\rovoneli[1].htm (261 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (273 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atr-technologies[1].txt (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fraser-high.school[1].htm (759 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (235 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (239 bytes)
%Documents and Settings%\%current user%\vinukykeapud.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\bocr[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (241 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigtopmultimedia[2].txt (239 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@screaminpeach[1].txt (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\mojacar-vacaciones[1].htm (876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\safetyconnection[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\empordalia[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\home[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\redconeretreat[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\lockerlookz[1].htm (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sarpy[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@goodvaluecenter[1].txt (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cath4choice[1].htm (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\kamaruka.vic.edu[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@plus[1].txt (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\eleterno[1].htm (17 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (235 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[2].txt (297 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (881 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigjohnsbeefjerky[1].txt (241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\enzoyrodrigo.com[2].htm (586 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\suspendedpage[1].htm (999 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\teasing-video[1].htm (1542 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\slcago[1].htm (400 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@pcpeds[1].txt (219 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@geothermusa[1].txt (160 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[1].txt (152 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@traderush[1].txt (268 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[1].txt (175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shs-sales.co[1].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\enzoyrodrigo.com[1].htm (586 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hostphd.com[1].htm (24 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ulcndsu[1].txt (221 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (22552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sortedorganizing[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shs-sales.co[2].htm (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\momonophoto[1].htm (19 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sarahdavid[1].txt (227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@agence-des-druides[2].txt (358 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\urantiaproject[1].htm (756 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"vinukykeapud" = "%Documents and Settings%\%current user%\vinukykeapud.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Trojan-PSW.Win32.Fareit_98844d0d8b

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Trojan-PSW.Win32.Fareit_98844d0d8b

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet