Systweak Spyware Library
Adtool.MyWebSearch Analysis Report
Threat Submitted On: 10 Nov 2008
Threat Analysed On: 11 Nov 2008
Threat Updated On: 11 Sept 2009
Type : Adtool
Symptoms of Adtool.MyWebSearch
  • Performs malicious activities.
  • Fetches the user’s sensitive information.
  • Enables the attacker to control the system remotely.
Information
Alias : [Not Available]
Md5 Hash : [cabfb7ef63ee0068db6678afb2a3f548]
File Size : 245760 bytes

Technical Details

Here are the technical findings of our analysis team after analyzing this malware in detail:

Creates the following infected files on the user's system
Note:
Delete the following files to remove the infection
File: [RandomName].exe
Path : %workingdir%

Md5Hash :18d2e20600a151d63b27e7a834aef47b ( 20480 bytes)
File: [RandomName].exe_
Path : %workingdir%

Md5Hash :50d321527fd92e3b70d71d5097bf2398 ( bytes)
File: temptmp.exe
Path : %systemdrive%\docume~1\antisp~1.c10\locals~1

Md5Hash :
2d7ddaed784528595263c68be9e5af42 ( 64632 bytes)
a4fbea72a15c7beba9fc586b86466102 ( 48559 bytes)
ca44b0c830fb429971124af94f922caa ( 28712 bytes)
cbd601f6d7b6cab93770ed02c6c7d010 ( 8192 bytes)
eb1602c9f2f2841179159b560d6d3714 ( 91705 bytes)
File: temptmp.exe
Path : %systemdrive%\docume~1\antisp~1\locals~1

Md5Hash :
0a639925b6fd46832e4cffeb28c435c8 ( 32637 bytes)
1eb9b45d66a18d4fb04510ebde218d79 ( 70907 bytes)
2b4c7410c1485b4980d4c56f8d7a83e8 ( 10240 bytes)
30baba4e1a4e9952a700bf790ab4870c ( 64453 bytes)
38bce2fa258cd9e75234491fe0aa47f5 ( 86779 bytes)
3a44905c3309ce4c918f26c6d962fb56 ( 55629 bytes)
3e13573db774f279cae11b7f85e0924d ( 55629 bytes)
3f3603e52b0e61fd35b625fba6130229 ( 70907 bytes)
421950614aa9ec69f69b43cef870dd75 ( 55679 bytes)
49bd903c899041f31a18a4723afccf45 ( 8192 bytes)
4a61f06328934debfa3a73fd97a1ff67 ( 177152 bytes)
4c5314a5e05b17193e18d2f506967e83 ( 70907 bytes)
535a49af07fcde493c53bbd8edbb1df7 ( 64632 bytes)
542072fb1d03816f4d8af806e09dcb34 ( 34717 bytes)
59ce41586e3d136b87a56da01896520a ( 51330 bytes)
60a26cb396addb1dde98375cef2abace ( 64632 bytes)
655f107961bba2c8e7722525c7bf4798 ( 39536 bytes)
6be7fd0ca845a46a0433b3b9b4c3d4f3 ( 6144 bytes)
6d4878d7b27bf1911ad91e4a4f31710a ( 70144 bytes)
776a5c99a9d7480f550b588078aa8e35 ( 64632 bytes)
79e2a0926c4ec0fbe142788e97c3a76b ( 32637 bytes)
880f43e69abf08d75f241a691308e5bb ( 70907 bytes)
88b7e287f105483475c021ecbd9bb3cd ( 57764 bytes)
8b1790af30e4dcf46da2c492732f5b34 ( 64632 bytes)
8e3eec768df7a3093943d1bc5d0f9bc1 ( 33387 bytes)
95eeb04caa33138c5780e8fb6b753132 ( 114390 bytes)
a8bd346b92be1e9d512162082517794c ( 765290 bytes)
ac2c440a850c1ba66a446c76e52b984d ( 48559 bytes)
b2dae45ce31306b062eb4499c39aa35c ( 7680 bytes)
b6a1412d059145aa042c4c458b754a80 ( 29149 bytes)
c09ae53166c5a741d00cc2192318cff8 ( 32880 bytes)
c42253760ac620e224af6ffb6b81c457 ( 89791 bytes)
cbd601f6d7b6cab93770ed02c6c7d010 ( 8192 bytes)
d42ccd9808200b12df99d30b08600189 ( 35798 bytes)
db37807d0fee738fccecef564397c074 ( 104787 bytes)
e18dd851589ee9133d08d8b380119d5a ( 41637 bytes)
e2bd589f918b48f26d9570696cfc2bd9 ( 35798 bytes)
File: server.exe
Path : %temp%

Md5Hash :22e970810f555d5e1b36b327fb547b54 ( 60288 bytes)
File: tmp.exe
Path : %temp%

Md5Hash :
0908adf7931dfa6f109657bd0b275f5a ( 642560 bytes)
274fcaaeb991fce8fb6a01ac98a0129d ( 8192 bytes)
409787722370762eb7cf6b338453ec90 ( 393146 bytes)
4dafc678632b4ab77c613f14754f3111 ( 7680 bytes)
af306bd34a53fa9c9dac55c48679c506 ( 6656 bytes)
e3122278581bbdb654dff55b662c149f ( 71680 bytes)
fd7ea7e92f6bcc40acdfb3d8b8921026 ( 9216 bytes)
File: addon.dat
Path : %userprofile%\application data

Md5Hash :91ef2fae958027e8389183f5b51beaa2 ( 22040 bytes)
File: addons.dat
Path : %userprofile%\application data

Md5Hash :1531f87d29ca40980bdc30426eb9aacc ( 23890 bytes)
File: server.exe
Path : %userprofile%\application data

Md5Hash :46b732c4079d409842c6f6da4abeec1b ( 55839 bytes)
File: afire.dll
Path : %windir%

Md5Hash :
0afdc3cff537f2d463f92dd3218229c1 ( 188416 bytes)
55174aac4cbf79d37bb7409c20537ad1 ( 188416 bytes)
7b2b4912d69f4394d8a7b4b9ddf5901c ( 188416 bytes)
aee0c551e8624ebd7ef6d46ca08bcd1b ( 188416 bytes)
d18a62ab04b571aef03cf66673b4601c ( 188416 bytes)
e408ee2c6efa93ccd3683e52ad58bd1c ( 155648 bytes)
File: afprj.dll
Path : %windir%

Md5Hash :
2ce76ea76df32922e7c450b8bf83151f ( 245760 bytes)
4cef4b3d5b0d14d5e9932fcbd7e63d81 ( 245760 bytes)
b39c15f9edcd11cede066149f25cd9e9 ( 208896 bytes)
b9bdc13429a20acd8fcc17678e095071 ( 245762 bytes)
bf6f11b585472dc381a28f0afda8f29d ( 245760 bytes)
ca7492a2d0238475cbc97fd37d11d3b1 ( 245760 bytes)
cabfb7ef63ee0068db6678afb2a3f548 ( 245760 bytes)
File: jpgutils.dll
Path : %windir%

Md5Hash :
18ce197aca74f6eea5978391cbb33eaa ( 926 bytes)
2439a8ee25de489e8aebab49ae189605 ( 1345 bytes)
File: kernelpr.dll
Path : %windir%

Md5Hash :
62c69944889578161dd54bb698d93a53 ( 200704 bytes)
fecaaaef15e219e1a4af5230a31c68f3 ( 200704 bytes)
File: myproc.dll
Path : %windir%

Md5Hash :
60415f8ce9c97ad46e8effa54d0032b4 ( 155648 bytes)
90c55716dde6df60d5cfb7e6edd129fd ( 155648 bytes)
File: services.exe
Path : %windir%\pchealth

Md5Hash :469b9f2dc3250a142a60db98eb2622eb ( 24576 bytes)
File: services.exe
Path : %windir%\security

Md5Hash :37114e78b147abdbcc5838bb1260bb57 ( 20480 bytes)
File: services.exe
Path : %windir%

Md5Hash :
18d2e20600a151d63b27e7a834aef47b ( 20480 bytes)
2251159be16f36366c8debdbb9365046 ( 20480 bytes)
4bd62f530318bb7ad8d3e68c7275ae04 ( 20480 bytes)
File: setupconfig.dat
Path : %windir%

Md5Hash :
09c33f3a07002d69bb1429d6a457571e ( 15 bytes)
190bd7bbbcf942f5e437ac787a0eb8c3 ( 14 bytes)
7bbb0c2da21aa299df4989cc9ce6ec09 ( 14 bytes)
9e8e2d187f9ab681b7e6de3d6b1e510f ( 14 bytes)
a71d73e11d5486ed00a85009cabc3d10 ( 14 bytes)
File: server.exe
Path : %windir%\system32\bifrost

Md5Hash :59ce41586e3d136b87a56da01896520a ( 51330 bytes)
File: dxnote32.exe
Path : %windir%\system32

Md5Hash :0908adf7931dfa6f109657bd0b275f5a ( 642560 bytes)
File: evenr.exe
Path : %windir%\system32

Md5Hash :8e3eec768df7a3093943d1bc5d0f9bc1 ( 33387 bytes)
File: server.exe
Path : %windir%\system32

Md5Hash :
c09ae53166c5a741d00cc2192318cff8 ( 32880 bytes)
c42253760ac620e224af6ffb6b81c457 ( 89791 bytes)
File: system32plugin1.dat
Path : %windir%

Md5Hash :8489586198c5619d29bb803ea87119be ( 51733 bytes)
File: [randomname].exe
Path : %workingdir%

Md5Hash :
012589f0dd27a37c4fdbec61b3243702 ( 24576 bytes)
01e349168ae78b2d2f4cfee31d8cbe05 ( bytes)
050689322e9042b347bed88f292fa432 ( 94723 bytes)
0652e34d0d199ec98784c26ad63c2149 ( 192417 bytes)
0674e59937b9588649245d5fd03a94c6 ( 34819 bytes)
06a589c9e04d418fd48f633f63d1fded ( 89211 bytes)
0afdc3cff537f2d463f92dd3218229c1 ( 188416 bytes)
0c0233b9f2363aa033317ec11181f10c ( 111358 bytes)
0cf716435ecdcd2db0d6f6c79e5c1b67 ( 32259 bytes)
0d552ccabad556114ccafcf2f6877cac ( 116284 bytes)
10d2a9bf5edb4a524b722cbad2f6b725 ( 80208 bytes)
117ace940df014e52905912beaa973f7 ( 57966 bytes)
14987e0e3bc7af14e3c58c132030028f ( 24576 bytes)
15a1c506df5f63fa09e394bdb0326bc3 ( 24576 bytes)
164e018db5257c11cc08a8f0c123b326 ( 24576 bytes)
1650b053b209209693f3fdba0a36e005 ( 55680 bytes)
1e2a52c1bab214e40cacf6348cd8b514 ( 28672 bytes)
24a743229292aa82c26ec98d30febe27 ( 24576 bytes)
24f2b1379c804e9cbdda2883188b7896 ( 96259 bytes)
27eba085e073421dab7634c5b801dc9d ( 53728 bytes)
2b22626480dde8705b845fbd436caab4 ( 24576 bytes)
2ce76ea76df32922e7c450b8bf83151f ( 245760 bytes)
2df5102810a1a88f26bcd98dc6d05476 ( 114098 bytes)
2e81be032433cca952c0b609772ec20b ( 24576 bytes)
2fc36a582b680d4a7a0ad28cc90ebd92 ( 20480 bytes)
305c7cbe7f2de81c8434af91d2a6a6fd ( 64512 bytes)
31030d179848ae4ac26cdf994b4a48d8 ( 32259 bytes)
32645e15c8a0d91a76c7ff67db63f4b2 ( 36864 bytes)
3657f16ec204231962334e98b81bea12 ( 89211 bytes)
374b849b1a260705e210c17e37f3e6c0 ( bytes)
37f687725718787cb3b1b1b32e8bd014 ( 82343 bytes)
3fdd5398bf078ea883a6d6507670dad3 ( 30723 bytes)
4286845f38dce33adea09d3435fe33dd ( 24576 bytes)
42bbc0d73a5ae046ec58a099106dd01b ( 53291 bytes)
4444488ad7423a187e023422c4dd4dcc ( 24576 bytes)
46df8f9ff5d388415b94ffb15a3452a1 ( 57459 bytes)
49f080ae5ba7adc743fe097b965ff6cb ( 188418 bytes)
4bd62f530318bb7ad8d3e68c7275ae04 ( 20480 bytes)
4cef4b3d5b0d14d5e9932fcbd7e63d81 ( 245760 bytes)
4f16ca13e6974677b6ee594b012fed63 ( 59296 bytes)
50d321527fd92e3b70d71d5097bf2398 ( 721368 bytes)
521ecefeaeca8fb183f096ac24a48dde ( 95486 bytes)
5563d7983f29ac0602c52834cc706c31 ( 59296 bytes)
566097cf5c51ae09bc1c724ba9b8e2f3 ( 89211 bytes)
5ef31aae200ccb66c3d81b13b96cb149 ( 417725 bytes)
62c69944889578161dd54bb698d93a53 ( 200704 bytes)
6675d18c2ed0810e24ba2b0e5b68ad9e ( 59709 bytes)
683a6358e0812a22bc9356a104355d3e ( 57216 bytes)
6ac4799d0041bbddfa8ea34b4c9bc3a1 ( 24576 bytes)
6dd6d8585bc4886495ce738439f68d73 ( 24576 bytes)
713d1de3e80f3b61d72a1dd5dd99ce59 ( 24576 bytes)
743a5aa0ff1857f3ff513f78d800ca7e ( 129366 bytes)
74c3ccf65d6e7c476502c7938448c0aa ( 1212105 bytes)
7619b6233e3b6ca6e13f5ec704344f75 ( 82343 bytes)
7b2b4912d69f4394d8a7b4b9ddf5901c ( 188416 bytes)
7c3bb1c0d80e625de8b4b85ea7f7788d ( 24576 bytes)
7e924b24fa159eef3ef4d18ae9b8c9c0 ( 59296 bytes)
84f1cf10e238dde26689500e8a733be9 ( 667139 bytes)
8609bd0b183d21001dd8a446cb69f529 ( 43008 bytes)
8d24f31975193d32a6678daa337c21a5 ( 24576 bytes)
8ea040bc128224d1700bec261e914600 ( 24576 bytes)
936c2
The following registry values are added to the listed registry keys:
Note:
Delete the added values from the key to remove the infection
|__ Value Added :
startkey = "%windir%\server.exe"
|__ Value Added :
startkey = "%windir%\system32\server.exe"
|__ Value Added :
dxnote32 = "%windir%\system32\dxnote32.exe"
|__ Value Added :
generic host process = "%windir%\system32\svchost.exe"
|__ Value Added :
jjjjjjjj = "%SYSTEMDRIVE%\docume~1\antisp~1\locals~1\temptmp.exe"
|__ Value Added :
msn = "%TEMP%\tmp.exe"
|__ Value Added :
msnplus.exe = "%SYSTEMDRIVE%\docume~1\antisp~1.c10\locals~1\temptmp.exe"
|__ Value Added :
services = "%windir%\security\services.exe"
|__ Value Added :
services = "%windir%\services.exe"
|__ Value Added :
services = "%windir%\services.exe"
|__ Value Added :
smsm = "%TEMP%\tmp.exe"
|__ Value Added :
ss = "%SYSTEMDRIVE%\docume~1\antisp~1.c10\locals~1\temptmp.exe"
|__ Value Added :
startkey = "%windir%\server.exe"
Creates the following child process(es) on execution:

%windir%\services.exe

services.exe

Creates the following mutex(es) on the user's system:
raspbfile
Tries to connect to the following URLs:
Http_Version :http/1.1
71.191.147.168/gokhan_bg/jpgutils.dll
Http_Version :http/1.1
208.100.5.242/gokhan/ip.txt
Tries to connect to the following IP address(es) through UDP (User Datagram Protocol):

127.0.0.1

NOTE:

2. %workingdir% refers to the current directory in which the user is working.
3. %systemdrive% refers to the Windows system drive. By default it is 'C:\'
4. %temp% refers to the Windows temp folder. By default it is 'C:\Documents and Settings\[user]\Local Settings\Temp'
5. %userprofile% refers to the current user's Windows profile folder. By default it is 'C:\Documents and Settings\[user]'
6. %windir% refers to the Windows root folder. By default it is 'C:\Windows'

Important: We strongly recommend that you back up the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted files. Modify the malicious/suspicious subkeys only.


To modify registry entries in Windows Operating System:
Follow Steps:
1. Click Start > Run
2. Type “regedit” to open the Registry Editor
3. Navigate to the required registry key in the left tree control and modify it accordingly.



© Systweak Inc., 1999-2011 All rights reserved.