Systweak Spyware Library
Systweak Spyware Library text
More than 21875 spyware signatures and growing
Microsoft Gold Certified Partner
Search in:
Adtool.MyWebSearch Analysis Report
Threat Submitted On: 10 Nov 2008
Threat Analysed On: 11 Nov 2008
Threat Updated On: 11 Sept 2009
Type : Adtool
Symptoms of broker
  • Runs in stealth mode and records passwords as and when entered on a system
  • May also imitate the login prompt, asking the user to provide their password
Information
Alias : [Not Available]
Md5 Hash : [c87fedddc1e6e88b84ba4b4836dc8fe1]
File Size : (292352 bytes)

Technical Details

Here are the Technical findings of our analysis team after analyzing this malware in detail :-

Creates the following infected Files on user's System
Note:
Delete the following Files to remove Infection
File: ntos.exe
Path : %windir%\system32

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
1d50c7f1120e4d634bf3a4a228e74f86 ( bytes)
782f6b927861657fbbae481d4033ca3f ( bytes)
7d83d5cbc36b8989ab0034d6a84c9b84 ( bytes)
85cd698bdd4f1bc9909d9e078eedebf0 ( bytes)
a80169c4bf3c8d60f107c8b9058816f9 ( bytes)
c87fedddc1e6e88b84ba4b4836dc8fe1 ( bytes)
d4192a4cf99d76d856389fb372a6d4c4 ( bytes)
File: audio.dll
Path : %windir%\system32\wsnpoem

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
069a1c05420cd60de742e093b8f021dd ( bytes)
116b0578aa3f58501abe68ad85383c60 ( bytes)
3f5fb4a0b3847428411674a78722c5fc ( bytes)
696dd1c2e2b69d46b748ac2a8b8e9e2f ( bytes)
9c392e29f0de4eb7d4edbf2258ce62b2 ( bytes)
9f243d23ab3aab6eb9546167e8899387 ( bytes)
bd750e7c2cdac7e5aff3ae4cfe8a7d84 ( bytes)
File: [randomname].exe
Path : %workingdir%

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
1d50c7f1120e4d634bf3a4a228e74f86 ( 263680 bytes)
782f6b927861657fbbae481d4033ca3f ( 795648 bytes)
7d83d5cbc36b8989ab0034d6a84c9b84 ( 551424 bytes)
85cd698bdd4f1bc9909d9e078eedebf0 ( 150016 bytes)
a80169c4bf3c8d60f107c8b9058816f9 ( 243712 bytes)
c87fedddc1e6e88b84ba4b4836dc8fe1 ( 292352 bytes)
d4192a4cf99d76d856389fb372a6d4c4 ( 54272 bytes)
The following Registry Values are added to the provided Registry Keys :-
Note:
Delete the added Values from the Key to remove Infection
|__ Value Added :
uid = "c10-35-4_00010f2d"
|__ Value Added :
uid = "c10-42-1_00011008"
Creates the following child process(s) on execution:

\??\%windir%\system32\winlogon.exe

%windir%\system32\svchost.exe

services.exe

%windir%\system32\lsass.exe

Creates the Following MUTEX(s) on user's System:-
__system__91c38905__
__system__23d80f10__
__system__64ad0625__
__system__7f4523e5__
raspbfile
0000000000000000000000041
0ca02d2001c93713000001741
0e6c52fa01c93713000001e81
0e783ebc01c93713000001f41
0eeaaf9c01c93713000002c01
__system__45a2f601__
0e783ebc01c93713000001f42
Copies the Following Files to Given Location :-

Copies :%workingdir%\[random name].exe

To : %windir%\system32\ntos.exe

NOTE:

1. %windir% Refers to the windows root folder. By default it is 'C:\Windows'
2. %workingdir% Refers to the current directory in which user is working.

Important: We strongly recommend that you backup the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted Files. Modify the malicious\suspicious Subkeys only.

Click Here for more spywarelib.com recommended PC Security and Optimization Tools

To modify registry entries in Windows Operating System:
Follow Steps:
1. Click Start > Run
2. Type “regedit” : to open registry editor
3. Navigate to required registry Key from the Left Tree control and modify accordingly.


Microsoft Gold Certified Partner

© Systweak Inc., 1999-2011 All rights reserved.