Systweak Spyware Library
Microsoft Gold Certified Partner
Adtool.MyWebSearch Analysis Report
Threat Submitted On: 10 Nov 2008
Threat Analysed On: 11 Nov 2008
Threat Updated On: 11 Sept 2009
Type : Adtool
Symptoms of forbot
  • Performs malicious activities.
  • Fetches the user’s sensitive information.
  • Enables the attacker to control the system remotely.
Information
Alias : [Not Available]
Md5 Hash : [182f2be45e36bc4f9da2fefbde9594ce]
File Size : [Not Available]

Technical Details

Here are the technical findings of our analysis team after analyzing this malware in detail:

Creates the following infected files on the user's system.
Note: Delete the following files to remove the infection.
File : uninst.exe
Path : %programfiles%\avi player
Md5Hash : 0079d466377f9a88c273ccd36a2d4d46 (198880 bytes)
File : version.dat
Path : %programfiles%\avi player
Md5Hash : abce4da4b8b78883b08b8a50c9c1b634 (190 bytes)
File : azureus-installer.exe
Path : %programfiles%\azureus installer
Md5Hash : 7f13d209412ff54fe9a8bee74ccb1fe8 (346112 bytes)
File : uninst.exe
Path : %programfiles%\azureus installer
Md5Hash : 9664acc8acac9de33a5e0b1666c4c6fd (39290 bytes)
File : version.dat
Path : %programfiles%\azureus installer
Md5Hash : 693e8c64934ab848e8f84c4686cd44ca (190 bytes)
File : cd-extractor.exe
Path : %programfiles%\mp3 cd extractor
Md5Hash :
  01d5bee1d54cb91ce180948efede528f (437248 bytes)
  533862fff6dcc95396b2200928abe23a (401408 bytes)
File : cdrip.dll
Path : %programfiles%\mp3 cd extractor
Md5Hash : e929cdfbdde6dd986596e9f4f9733294 (47616 bytes)
File : uninst.exe
Path : %programfiles%\mp3 cd extractor
Md5Hash :
  7ef2969a0847d6cad0e201965c613de3 (50228 bytes)
  8fbaea96acfd16b4a443f8e75491d1f6 (44941 bytes)
File : version.dat
Path : %programfiles%\mp3 cd extractor
Md5Hash : 5a52516eedc109ce5af5a7ecd8fa6cad (170 bytes)
File : wnaspi32.dll
Path : %programfiles%\mp3 cd extractor
Md5Hash : efa8d1581864bc30953094896389bcf0 (71680 bytes)
File : smartftpclient.exe
Path : %programfiles%\smart ftp client
Md5Hash : 4db923f4454ad0869c6827a562e72533 (416256 bytes)
File : uninst.exe
Path : %programfiles%\smart ftp client
Md5Hash : 5e39ab437230ad9d14992728b4140163 (135054 bytes)
File : [RandomName].exe
Path : %workingdir%
Md5Hash : b8329f32492cb2330260b7cf1d853e51 (2816 bytes)
File : iisdb.ldb
Path : %workingdir%
Md5Hash : [Not Available]
File : msdirect.sys
Path : %workingdir%
Md5Hash : b8329f32492cb2330260b7cf1d853e51 (2816 bytes)
File : dotcon.exe
Path : %systemdrive%\winnt\system32
Md5Hash : e912769d25d338f74dbf8a771d8673e4 (27136 bytes)
File : dotnet.exe
Path : %systemdrive%\winnt\system32
Md5Hash : e1e2285e3d03ea581a01b06ed5c409c2 (37888 bytes)
File : mp3 cd extractor.lnk
Path : %userprofile%\start menu\programs\mp3 cd extractor
Md5Hash : a6a5a9fc530415acc3d23372f31c6834 (819 bytes)
File : smart ftp client.lnk
Path : %userprofile%\start menu\programs\smart ftp client
Md5Hash : dbcf2b38a94dbbabe9882de24677239f (829 bytes)
File : 372lhelp.exe
Path : %windir%\system32
Md5Hash : 9e04321b6732af3312581d7eb3953903 (40960 bytes)
File : 386.exe
Path : %windir%\system32
Md5Hash :
  38947937fce981a3e3e2652c5ff2f0fd (942080 bytes)
  44c0e53a292cd7ec6bc07729935f7d25 (942082 bytes)
File : avp.dat
Path : %windir%\system32
Md5Hash : 8e37118124afe762dbc62f6fe018421e (36 bytes)
File : azi.dat
Path : %windir%\system32
Md5Hash : eaadf00fd6b8eeb6f1f0391cedc320e4 (36 bytes)
File : mce.dat
Path : %windir%\system32
Md5Hash : f995478349c745784b13049ca1b02ee9 (36 bytes)
File : navtask.exe
Path : %windir%\system32
Md5Hash :
  748ae725542524398ccf83192811ee9a (199238 bytes)
  fc92fceea2edabce814750cfcb59ee76 (199240 bytes)
File : servicelog.exe
Path : %windir%\system32
Md5Hash : a23f9767994e819ee08586b9726678a4 (107325 bytes)
File : sfc.dat
Path : %windir%\system32
Md5Hash : d275fd4dc9cc17c72a98dc7517fdb13c (36 bytes)
File : smsc.exe
Path : %windir%\system32
Md5Hash :
  182f2be45e36bc4f9da2fefbde9594ce (303104 bytes)
  247ac651a77aa22dfbb7df223e03aca4 (123184 bytes)
  3c8426d9f98c7c89cad5607bd438c5f6 (303105 bytes)
  4f49e892780006739f468c46036f40ca (351602 bytes)
  513caeeed3ece6e7deebc4a456abbe61 (351600 bytes)
  5cc438ca76fe43f03254b590deb990ac (123168 bytes)
  5deefd4fa738dfb60fb21e0388e3a393 (123170 bytes)
  5f05b6f716deed77143291bc03b92977 (123170 bytes)
  7a1b6b2ebeffb12e502a7cec63d3fe35 (123168 bytes)
  a1e4a71c79ea61e9cee40819d4e166e4 (331173 bytes)
  d75dcf97542e8f12c6a7511600f206a7 (303106 bytes)
File : svchosting.exe
Path : %windir%\system32
Md5Hash :
  0874d03c04dff35238aab347cff95657 (107776 bytes)
  0ad49e4709b6e63adef129483c9003dc (107778 bytes)
  22d351c88da7b035b8d42f939210e8e0 (135168 bytes)
  3cc1edccf490bd2e0dcb6c3f6f739c22 (107792 bytes)
  64119d3917022e72c8a8aacecebe72b5 (135168 bytes)
  6c7f3667f1baaee5c1f3bb982e491369 (91136 bytes)
  a728039cdba9152281bc30ca095161bf (135168 bytes)
File : systems.exe
Path : %windir%\system32
Md5Hash : d2af00a8783d40c5bdf1dce297523008 (132096 bytes)
File : tmp.dat
Path : %windir%\system32
Md5Hash : 712bacf2273c60600843a6b846a8e8c8 (46 bytes)
File : vcfgload.exe
Path : %windir%\system32
Md5Hash : e87655012bf5808be24b28314b47cab5 (117584 bytes)
File : windowsupdate.exe
Path : %windir%\system32
Md5Hash :
  827c486388fe79ab0ef0a32bfbab17d0 (102400 bytes)
  fed49ed752f254d7753a4f7a688962dc (102400 bytes)
File : winmonz32.exe
Path : %windir%\system32
Md5Hash : 8ec9d2e7e93f7dd9cf1df3366045356f (277504 bytes)
File : winmsg32.exe
Path : %windir%\system32
Md5Hash : 41cae29fd1f76edd8c31ebead5b65658 (64642 bytes)
File : winssv.exe
Path : %windir%\system32
Md5Hash :
  2988b48d80184f1bbdb6d700de36c3ef (135170 bytes)
  b7c37538e63cf9430e3b2859560837a4 (135168 bytes)
File : wvxnlk.fsl
Path : %windir%\system32
Md5Hash : 2956f1ac1674283176845c4f61e031c1 (96904 bytes)
File : [randomname].exe
Path : %workingdir%
Md5Hash :
  0874d03c04dff35238aab347cff95657 (size [Not Available])
  0ad49e4709b6e63adef129483c9003dc (size [Not Available])
  0ad85c96ed58506de2a78ed0b4d1c7ea (115441 bytes)
  1153a27b7f2273224defdc01745e4909 (614545 bytes)
  12ad4e18819de90b42c7e0514f82b483 (614543 bytes)
  14735914498dba731bba90ca1bd7f68e (680051 bytes)
  182f2be45e36bc4f9da2fefbde9594ce (size [Not Available])
  186990200cf20f37a75c2dcf89d3229f (32256 bytes)
  1a98c8a48126af6c23c327cf389f6ed0 (832906 bytes)
  1fe0cf86a7603f152b495011c83983b0 (size [Not Available])
  22d351c88da7b035b8d42f939210e8e0 (size [Not Available])
  23e62b384b94a7b95aee7e3d1c411aac (35840 bytes)
  28435a7fb06658a0ea619a779e1e0b8a (35840 bytes)
  2988b48d80184f1bbdb6d700de36c3ef (size [Not Available])
  322f4020c4db59cc270d797a592a7e82 (947610 bytes)
  38947937fce981a3e3e2652c5ff2f0fd (size [Not Available])
  3c8426d9f98c7c89cad5607bd438c5f6 (303105 bytes)
  3cc1edccf490bd2e0dcb6c3f6f739c22 (size [Not Available])
  3df79ca84b612ccd3dd142545590e790 (88045 bytes)
  3f8612e99e5925c5bd8852deb5a67c62 (2816 bytes)
  40a34f4f9efd146a63347f751c56b64d (540770 bytes)
  41cae29fd1f76edd8c31ebead5b65658 (size [Not Available])
  44c0e53a292cd7ec6bc07729935f7d25 (size [Not Available])
  4adfbe0425d4e10c7f40f3eb79d9fdab (240569 bytes)
  4f49e892780006739f468c46036f40ca (size [Not Available])
  513caeeed3ece6e7deebc4a456abbe61 (size [Not Available])
  53d930455521886f60925c9272201fba (24064 bytes)
  5cc438ca76fe43f03254b590deb990ac (123168 bytes)
  5deefd4fa738dfb60fb21e0388e3a393 (size [Not Available])
  5f05b6f716deed77143291bc03b92977 (size [Not Available])
  64119d3917022e72c8a8aacecebe72b5 (size [Not Available])
  6b16cb3dd2db2dddb435478c0dff0bad (872964 bytes)
  6c7f3667f1baaee5c1f3bb982e491369 (size [Not Available])
  7481c590c530d6fff0da985fefbcd81c (31253 bytes)
  748ae725542524398ccf83192811ee9a (199238 bytes)
  75f56debecd0206117aa58eb6df83c07 (127692 bytes)
  7f2bbcf539927f08db5b0b7413404da0 (33953 bytes)
  82274d3d2cc4ce131efa20eb424f9e7a (38914 bytes)
  82740fe35b28ce9843754632c773d985 (127688 bytes)
  827c486388fe79ab0ef0a32bfbab17d0 (size [Not Available])
  86fc177b659818225bdc77e83df4d341 (851643 bytes)
  8ec9d2e7e93f7dd9cf1df3366045356f (277504 bytes)
  932cbaa55829a2ade5e005ae5aa5a367 (33949 bytes)
  9336e9d3e58a51a52d9be9de404fdfb2 (563598 bytes)
  93ad82495c98ebfe9649557b4ceb2a85 (88047 bytes)
  97f45b13692038477e06eeeaa2b0ffd1 (134656 bytes)
  99ff0b674c48645112db6a187ca25095 (115443 bytes)
  9e04321b6732af3312581d7eb3953903 (40960 bytes)
  a1e4a71c79ea61e9cee40819d4e166e4 (size [Not Available])
  a23f9767994e819ee08586b9726678a4 (size [Not Available])
  a728039cdba9152281bc30ca095161bf (size [Not Available])
  a987abc8307bffd9e6f6ba2091cfdaa6 (700531 bytes)
  acb1f7b8ec8b70fb22bfa276440bef5d (42016 bytes)
  b140e007ea60b36bb705f0acc63e45d9 (57344 bytes)
  b7c37538e63cf9430e3b2859560837a4 (size [Not Available])
  bf7551fb3269932261e434ccadcf0210 (33792 bytes)
  c0d40319793a871c0e6903550182a641 (88043 bytes)
  c919786344264ae19bbe4e687ec6c602 (24576 bytes)
  ca0e82758fd21aff2e8d0b93c27455c4 (24576 bytes)
  cb4e97c1de2776839e782ec7f2689802 (338432 bytes)
  cb9db59f1e5e46f666c6a27d70b84b71 (700533 bytes)
  d2af00a8783d40c5bdf1dce297523008 (size [Not Available])
  d75dcf97542e8f12c6a7511600f206a7 (size [Not Available])
  db4bb9c
Also creates the following files on the user's system; these are also created by genuine software:
Note: These file(s) can be kept, as they are also created by genuine software.
File : lame_enc.dll
Path : %programfiles%\mp3 cd extractor
Md5Hash : d42bc80159cc84cabe5c3c9908a616e0 (86528 bytes)
File : 53e71.imi
Path : %windir%\system32
Md5Hash : cfcd208495d565ef66e7dff9f98764da (1 byte)
File : wpcap.dll
Path : %windir%\system32
Md5Hash : 4e53975c4c998ae4dfd1625cd6e31767 (91136 bytes)
The following registry values are added to the provided registry keys:
Note: Delete the added values from the key to remove the infection.
Value Added : avi player = ""%programfiles%\avi player\aviplayer.exe" hmw"
Value Added : azureus installer = ""%programfiles%\azureus installer\azureus-installer.exe" hmw"
Value Added : explorez = "smsc.exe"
Value Added : mp3 cd extractor = "%programfiles%\mp3 cd extractor\cd-extractor.exe"
Value Added : NAVtask = "NAVtask.exe"
Value Added : NvCplScan = "winmsg32.exe"
Value Added : smart ftp client = ""%programfiles%\smart ftp client\smartftpclient.exe" hmw"
Value Added : system service = "systems.exe"
Value Added : USB Device = "servicelog.exe"
Value Added : video configuration loader = "vcfgload.exe"
Value Added : Win32 SSL Driver = "winssv.exe"
Value Added : win32 usb2 driver = "smsc.exe"
Value Added : win32 usb2 driver = "smsc.exe"
Value Added : win32 usb2 driver = "svchosting.exe"
Value Added : Win32 USB2.0 Driver = "386.exe"
Value Added : explorez = "smsc.exe"
Value Added : NvCplScan = "winmsg32.exe"
Value Added : system service = "systems.exe"
Value Added : USB Device = "servicelog.exe"
Value Added : video configuration loader = "vcfgload.exe"
Value Added : Win32 SSL Driver = "winssv.exe"
Value Added : win32 usb2 driver = "smsc.exe"
Value Added : win32 usb2 driver = "smsc.exe"
Value Added : win32 usb2 driver = "svchosting.exe"
Value Added : Win32 USB2.0 Driver = "386.exe"
Value Added : otobkf = "[reg_multi_sz, value: "otobkf", size: 8 bytes]"
Value Added : explorez = "smsc.exe"
Value Added : NAVtask = "NAVtask.exe"
Value Added : NvCplScan = "winmsg32.exe"
Value Added : r = ""%SYSTEMDRIVE%\data\acb1f7b8ec8b70fb22bfa276440bef5d.exe""
Value Added : RunDLL32 = "winmonz32.exe"
Value Added : system service = "systems.exe"
Value Added : USB Device = "servicelog.exe"
Value Added : video configuration loader = "vcfgload.exe"
Value Added : Win32 SSL Driver = "winssv.exe"
Value Added : win32 usb2 driver = "smsc.exe"
Value Added : win32 usb2 driver = "smsc.exe"
Value Added : win32 usb2 driver = "svchosting.exe"
Value Added : Win32 USB2.0 Driver = "386.exe"
Value Added : explorez = "smsc.exe"
Value Added : NvCplScan = "winmsg32.exe"
Value Added : system service = "systems.exe"
Value Added : USB Device = "servicelog.exe"
Value Added : video configuration loader = "vcfgload.exe"
Value Added : Win32 SSL Driver = "winssv.exe"
Value Added : win32 usb2 driver = "smsc.exe"
Value Added : win32 usb2 driver = "smsc.exe"
Value Added : win32 usb2 driver = "svchosting.exe"
Value Added : Win32 USB2.0 Driver = "386.exe"
Value Added : NAVtask = "NAVtask.exe"
Value Added : NvCplScan = "winmsg32.exe"
Value Added : RunDLL32 = "winmonz32.exe"
Value Added : system service = "systems.exe"
Value Added : USB Device = "servicelog.exe"
Value Added : video configuration loader = "vcfgload.exe"
Value Added : Win32 SSL Driver = "winssv.exe"
Value Added : win32 usb2 driver = "smsc.exe"
Value Added : win32 usb2 driver = "smsc.exe"
Value Added : win32 usb2 driver = "svchosting.exe"
Value Added : Win32 USB2.0 Driver = "386.exe"
Creates the following child process(es) on execution:

%windir%\system32\smsc.exe -bai %workingdir%\[random name].exe
services.exe
%windir%\system32\smsc.exe -netsvcs
%windir%\system32\cmd.exe /c net share c$ /delete /y
%windir%\system32\net.exe net share c$ /delete /y
net1 share c$ /delete /y
%windir%\system32\cmd.exe /c net share d$ /delete /y
%windir%\system32\net.exe net share d$ /delete /y
net1 share d$ /delete /y
%windir%\system32\cmd.exe /c net share ipc$ /delete /y
%windir%\system32\net.exe net share ipc$ /delete /y
net1 share ipc$ /delete /y
%windir%\system32\cmd.exe /c net share admin$ /delete /y
%windir%\system32\net.exe net share admin$ /delete /y
net1 share admin$ /delete /y

Tries to connect to the following URLs:
HTTP Version : http/1.0
202.56.128.56/
Copies the following files to the given location:

Copies : %workingdir%\[random name].exe
To : %windir%\system32\smsc.exe

NOTE:

1. %programfiles% refers to the Program Files folder. By default it is 'C:\Program Files'.
2. %workingdir% refers to the current directory in which the user is working.
3. %systemdrive% refers to the Windows system drive. By default it is 'C:\'.
4. %userprofile% refers to the current user's profile folder. By default it is 'C:\Documents and Settings\[user]'.
5. %windir% refers to the Windows root folder. By default it is 'C:\Windows'.

Important: We strongly recommend that you back up the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted files. Modify the malicious/suspicious subkeys only.


To modify registry entries in the Windows operating system, follow these steps:
1. Click Start > Run.
2. Type “regedit” to open the Registry Editor.
3. Navigate to the required registry key in the left tree control and modify it accordingly.

© Systweak Inc., 1999-2011 All rights reserved.