Systweak Spyware Library
Adtool.MyWebSearch Analysis Report
Threat Submitted On: 10 Nov 2008
Threat Analysed On: 11 Nov 2008
Threat Updated On: 11 Sept 2009
Type : Adtool
Symptoms of Antinny
  • Replicates itself and spreads to other computers on the network.
  • Installed by executing scripts from infected e-mail attachments or messages.
Information
Alias : [Not Available]
Md5 Hash : [Not Available]
File Size : [Not Available]

Technical Details

Here are the technical findings of our analysis team after analyzing this malware in detail:

Creates the following infected files on the user's system
Note:
Delete the files listed below to remove the infection. Several of them reuse the names of legitimate Windows binaries (svchost.exe, spoolsv.exe, explorer.exe); the genuine copies live in %windir%\system32 (explorer.exe in %windir%) and are not on this list, so delete only the exact paths given here and confirm the MD5 hash before removing a file. Entries that list more than one hash are variants seen at the same path.
File: dw204ce0.exe
Path : %programfiles%\common files\microsoft shared\dw

Md5Hash :84f4c6f578332f1da6a550407a52a20c ( 651264 bytes)
File: dir2file_login.exe
Path : %programfiles%\dir2file

Md5Hash :
5d1d2d161a9ad47e7482a4ccb5497acc ( 630786 bytes)
dfdeacfaa8a2e3188ba428fa5c4dec76 ( 357378 bytes)
File: spoolsv.exe
Path : %programfiles%\dir2file

Md5Hash :ab667e0c4587d837b850ee3714656e86 ( 776194 bytes)
File: svchost.exe
Path : %programfiles%\dir2file

Md5Hash :446295302d0fcab5a420edcf6819cec6 ( 184834 bytes)
File: inctrl5_config.exe
Path : %programfiles%\inctrl5

Md5Hash :d97f9f515728f9d6ef8eabeda3bb1f08 ( 524291 bytes)
File: messenger_config.exe
Path : %programfiles%\messenger

Md5Hash :1c2cbd1b7184d38fca3f230b4ab9abaa ( 669696 bytes)
File: messenger_env.exe
Path : %programfiles%\messenger

Md5Hash :7c075285d44bcc17cd7ade4bc9191431 ( 391680 bytes)
File: messenger_login.exe
Path : %programfiles%\messenger

Md5Hash :2cd4b9c628506d32ff17e5973275a42b ( 390658 bytes)
File: messenger_setup.exe
Path : %programfiles%\messenger

Md5Hash :5277b024c67c2702655195828a1ef840 ( 357376 bytes)
File: messengercfg.exe
Path : %programfiles%\messenger

Md5Hash :0dc2d9648dcc60ac7059c8626e4c8fd4 ( 630784 bytes)
File: svchost.exe
Path : %programfiles%\messenger

Md5Hash :b97ad440b4ae99342d97f7a349ef8804 ( 612354 bytes)
File: msn_config.exe
Path : %programfiles%\msn

Md5Hash :627fdda8c8c98569738f5778f7e2884e ( 390656 bytes)
File: msn_loader.exe
Path : %programfiles%\msn

Md5Hash :ed813b92408c72b2c1bf2d383eb270fe ( 360448 bytes)
File: msn_setup.exe
Path : %programfiles%\msn

Md5Hash :05437edb1771a9a976068077f3abbe20 ( 357888 bytes)
File: msn_start.exe
Path : %programfiles%\msn

Md5Hash :2b75f3356c05d39af890ed9c1bdd6b84 ( 357378 bytes)
File: msnsetup.exe
Path : %programfiles%\msn

Md5Hash :23baf908b9ec0cfb5b04f816f32e1ef5 ( 391168 bytes)
File: netmeeting_env.exe
Path : %programfiles%\netmeeting

Md5Hash :051f0f4317adf1851c24a2ee1d31c4b2 ( 357378 bytes)
File: netmeetingenv.exe
Path : %programfiles%\netmeeting

Md5Hash :2de0dc7f60d101c718655ec28074b2b9 ( 393218 bytes)
File: explorer.exe
Path : %programfiles%\shadowstor

Md5Hash :7cbd20d0e084013aef7ab4e5e6fb1ad3 ( 393216 bytes)
File: xerox_loader.exe
Path : %programfiles%\xerox

Md5Hash :
1d54c0d6ed50dd024965005f044dd38e ( 356866 bytes)
4f9f042a1b3370d33698880da754491f ( 391682 bytes)
e5cab800bfbaa5609235b7f0661ccf21 ( 367618 bytes)
File: ???æ?ø.scr
Path : %systemdrive%

Md5Hash : [Not Available]
File: ?el.scr
Path : %systemdrive%

Md5Hash : [Not Available]
File: 643.reg
Path : %systemdrive%

Md5Hash :c7088770c613bfa0152afd87b9a1f79e ( bytes)
File: 82.reg
Path : %systemdrive%

Md5Hash :c7088770c613bfa0152afd87b9a1f79e ( bytes)
File: file.bat
Path : %systemdrive%

Md5Hash :8853a28ef8e07d26b87075085ff6dc03 ( bytes)
File: temp1024.tmp
Path : %systemdrive%

Md5Hash :f17439c5bd04c20c3c3c399d3b1060f1 ( 52224 bytes)
File: temp1639.tmp
Path : %systemdrive%

Md5Hash :408b8e8c4c6b8e07b78169d80323bbc4 ( 30760 bytes)
File: temp1862.tmp
Path : %systemdrive%

Md5Hash :4b57b09a4faa60440cb3ec3174661c47 ( 34859 bytes)
File: temp1977.tmp
Path : %systemdrive%

Md5Hash :304f913976dff98e994608c645c75833 ( 29224 bytes)
File: temp2741.tmp
Path : %systemdrive%

Md5Hash :14dbd808f5e68bb3c545063411d707ad ( 28160 bytes)
File: temp2903.tmp
Path : %systemdrive%

Md5Hash :767d0a935c9f34d082ffb87f8cf499d3 ( 29224 bytes)
File: temp3198.tmp
Path : %systemdrive%

Md5Hash :1127fd0ec1bc44348dfa46c7f0c78199 ( 28270 bytes)
File: temp3549.tmp
Path : %systemdrive%

Md5Hash :a429ef13e87b7e708c012b4ba2a782b1 ( 28270 bytes)
File: temp3698.tmp
Path : %systemdrive%

Md5Hash :9e9bc43c3f5c2b67523ae338a3614f83 ( bytes)
File: temp3919.tmp
Path : %systemdrive%

Md5Hash :cd3459a97798bb2cc32fc9dcb9a2ac5b ( bytes)
File: temp394.tmp
Path : %systemdrive%

Md5Hash :617e43b70c62fce5f9a026eea2e733cb ( 28203 bytes)
File: temp4047.tmp
Path : %systemdrive%

Md5Hash :731a0388e37aff0563b20f0a034cdd4d ( 130670 bytes)
File: temp4147.tmp
Path : %systemdrive%

Md5Hash :8b55258f410359295a9e5e736c36f362 ( 1087594 bytes)
File: temp4195.tmp
Path : %systemdrive%

Md5Hash :b591f7888b86f58c0af5e56cc33d3eb4 ( 259184 bytes)
File: temp4331.tmp
Path : %systemdrive%

Md5Hash :712573c80eae3415c6bb58006892f4d6 ( bytes)
File: temp4749.tmp
Path : %systemdrive%

Md5Hash :5d47bfc28909dd07396b1e21322b4532 ( 28200 bytes)
File: temp4938.tmp
Path : %systemdrive%

Md5Hash :c662f4f8a26ad85090944b45c306ebb7 ( 28200 bytes)
File: temp4998.tmp
Path : %systemdrive%

Md5Hash :d8077bbd9fa7a84cf200e0df1ff5cd01 ( 39981 bytes)
File: temp5299.tmp
Path : %systemdrive%

Md5Hash :58557a341cc55adb88b5113e880df11b ( 28200 bytes)
File: temp63.tmp
Path : %systemdrive%

Md5Hash :9ac957a36df5ea1fb821ac10d02d47c8 ( 28203 bytes)
File: temp6308.tmp
Path : %systemdrive%

Md5Hash :9e81613cd318ef56447c5e56834d53c5 ( 28200 bytes)
File: temp6349.tmp
Path : %systemdrive%

Md5Hash :2372bd82cae20782cbaf8f396bc009c1 ( 3105349 bytes)
File: temp6504.tmp
Path : %systemdrive%

Md5Hash :04c515ed8b39d88f055ed5689f8295e1 ( 32809 bytes)
File: temp7020.tmp
Path : %systemdrive%

Md5Hash :8108419768d670e1ed0f1defbaefb0bb ( bytes)
File: temp7548.tmp
Path : %systemdrive%

Md5Hash :d5afb003eb20ed2d1ed3971db6cf0b8f ( 28199 bytes)
File: temp7672.tmp
Path : %systemdrive%

Md5Hash :a8532c91c6d8bb45b9ce069e367a5c1d ( bytes)
File: temp778.tmp
Path : %systemdrive%

Md5Hash :19ee38bfa66579dcc5db8b8b7b0318aa ( 33320 bytes)
File: temp7807.tmp
Path : %systemdrive%

Md5Hash :6dbce1f04245d422a269f7d306c51487 ( bytes)
File: temp7979.tmp
Path : %systemdrive%

Md5Hash :443060dc607fac9cdadd36ea503990f9 ( 28200 bytes)
File: temp8600.tmp
Path : %systemdrive%

Md5Hash :061934a84e643263693d909ea51c32b0 ( 28200 bytes)
File: temp8886.tmp
Path : %systemdrive%

Md5Hash :d853382db2f5a6d5e4565c14be36f28a ( 162856 bytes)
File: temp9358.tmp
Path : %systemdrive%

Md5Hash :794cc8e425b8d9b92bebea4144682f27 ( 620072 bytes)
File: temp9397.tmp
Path : %systemdrive%

Md5Hash :cc591d2d09a8842205d533d8e9ca591d ( 1982505 bytes)
File: temp941.tmp
Path : %systemdrive%

Md5Hash :508b9327f23f6ee61e24e7b542423b7d ( 238186 bytes)
File: temp9509.tmp
Path : %systemdrive%

Md5Hash :d3c2bc1ea2de01d78fe97b35fdf3d3af ( 35880 bytes)
File: temp9535.tmp
Path : %systemdrive%

Md5Hash :712bcf8e6680147260aa03c25c2ec68f ( 186986 bytes)
File: mstemp.exe
Path : %temp%

Md5Hash :bd50cf1e003ce3ef7e359dc7a7b18020 ( 316416 bytes)
File: svchost.exe
Path : %temp%

Md5Hash :4c920b673ed7da6b116a6664e2b56437 ( 1238530 bytes)
File: spoolsv.exe
Path : %userprofile%\start menu\programs\startup

Md5Hash :
6dbce1f04245d422a269f7d306c51487 ( 30762 bytes)
712573c80eae3415c6bb58006892f4d6 ( 28204 bytes)
a8532c91c6d8bb45b9ce069e367a5c1d ( 238635 bytes)
cd3459a97798bb2cc32fc9dcb9a2ac5b ( 30761 bytes)
File: svchost.exe
Path : %windir%

Md5Hash :
1b707b6061829b0dc76eb4052c8e1300 ( 30208 bytes)
8d8eb96f582c6242eb73f39580587185 ( 1326080 bytes)
File: svchost.exe
Path : %windir%\system32\drivers\etc

Md5Hash :e380d4dfb837b5e8373a70ccb6b6133d ( 844290 bytes)
File: inetcohl.dll
Path : %windir%\system32

Md5Hash :d927e101e2f2924993e2933e3e6fdb50 ( 184608 bytes)
File: msjter.exe
Path : %windir%\system32

Md5Hash :2a3a23fff87bda7b1c2a1b9bb61af125 ( 288256 bytes)
File: mspbde.exe
Path : %windir%\system32

Md5Hash :bdd4ea671917c48fdda6c4dbc571055e ( 233472 bytes)
File: msrd2x.exe
Path : %windir%\system32

Md5Hash :bdd4ea671917c48fdda6c4dbc571055e ( 233472 bytes)
File: msrecr.exe
Path : %windir%\system32

Md5Hash :2a3a23fff87bda7b1c2a1b9bb61af125 ( 288256 bytes)
File: w32secm.exe
Path : %windir%\system32

Md5Hash :
007031f8e3fc92ea3e7ff341e6b22458 ( 363156 bytes)
7da2b035785b29e8284e23ff809eea02 ( 317442 bytes)
bd50cf1e003ce3ef7e359dc7a7b18020 ( 316416 bytes)
File: winsm.exe
Path : %windir%\system32

Md5Hash :
04954360e2bbc87062dbb49a10174021 ( 959580 bytes)
15f0df55e87d1e2e0a44d26fd8bc1e73 ( 912386 bytes)
63a7ccacdf7171ae6267f3864cc2da65 ( 912384 bytes)
68b7e196fd10ad222ac87120551255a7 ( 959578 bytes)
File: [randomname].exe
Path : %workingdir%

Md5Hash :
007031f8e3fc92ea3e7ff341e6b22458 ( 363156 bytes)
012e29a9fa3f6dc4d11b120e17b52bfe ( 28200 bytes)
0340156ea7a2b5235448ac5959f66a40 ( 382976 bytes)
049116a3298d718525d49c4fd84e4d4f ( 776196 bytes)
04954360e2bbc87062dbb49a10174021 ( 959580 bytes)
04c515ed8b39d88f055ed5689f8295e1 ( 32809 bytes)
04f8bcf1c1634da1d3d79ce6722caf75 ( 447734 bytes)
051f0f4317adf1851c24a2ee1d31c4b2 ( 357378 bytes)
05437edb1771a9a976068077f3abbe20 ( 357888 bytes)
061934a84e643263693d909ea51c32b0 ( 28200 bytes)
06d893c50cb70403bdc29ae0c1136c67 ( 288261 bytes)
09447c3a730835df8f45cc451cafa11a ( 3014656 bytes)
0c4a1e0d46e7d86f95bfabd68048df90 ( 1899168 bytes)
0dc2d9648dcc60ac7059c8626e4c8fd4 ( 630784 bytes)
1127fd0ec1bc44348dfa46c7f0c78199 ( 28270 bytes)
14dbd808f5e68bb3c545063411d707ad ( 28160 bytes)
15f0df55e87d1e2e0a44d26fd8bc1e73 ( 912386 bytes)
16acaba1d1246d329a2c9b268d36c6bd ( 28200 bytes)
19ee38bfa66579dcc5db8b8b7b0318aa ( 33320 bytes)
1c2cbd1b7184d38fca3f230b4ab9abaa ( 669696 bytes)
1ce346980a61f787980e1cde2df36963 ( 192514 bytes)
1d54c0d6ed50dd024965005f044dd38e ( 356866 bytes)
2372bd82cae20782cbaf8f396bc009c1 ( 3105349 bytes)
23baf908b9ec0cfb5b04f816f32e1ef5 ( 391168 bytes)
28081d264ec078fcbadb4578cc4d968a ( 296448 bytes)
2a502af9532af85e7f954d7023a6ad82 ( 28200 bytes)
2b75f3356c05d39af890ed9c1bdd6b84 ( 357378 bytes)
304f913976dff98e994608c645c75833 ( 29224 bytes)
37ef278a81a5944f369a6294bdd12ac9 ( 393809 bytes)
3c42a8438b23a8ac32938529820eb69e ( 497666 bytes)
3fd289ebbac1c9e75c3114aea10c5b7f ( 820079 bytes)
408b8e8c4c6b8e07b78169d80323bbc4 ( 30760 bytes)
443060dc607fac9cdadd36ea503990f9 ( 28200 bytes)
446295302d0fcab5a420edcf6819cec6 ( 184834 bytes)
468a1fe1f87606c92e6d363b6c83da5b ( 288260 bytes)
4aed9885db941a2cd237e2da8cca7e89 ( 109162 bytes)
4b57b09a4faa60440cb3ec3174661c47 ( 34859 bytes)
4c920b673ed7da6b116a6664e2b56437 ( 1238530 bytes)
4f686514f974b39c218a30bc9caae380 ( 383496 bytes)
4f9f042a1b3370d33698880da754491f ( 391682 bytes)
508b9327f23f6ee61e24e7b542423b7d ( 238186 bytes)
515030004b03c05634f3e8460216befb ( 651264 bytes)
5277b024c67c2702655195828a1ef840 ( 357376 bytes)
5820dea80633e67c6c7510abef433b9d ( 1238528 bytes)
58557a341cc55adb88b5113e880df11b ( 28200 bytes)
5cccf8ef1354505d81eb6c91206153e9 ( 28200 bytes)
5d1d2d161a9ad47e7482a4ccb5497acc ( 630786 bytes)
5d47bfc28909dd07396b1e21322b4532 ( 28200 bytes)
5e6b911c1ccbd1d89b79e478a4849e4a ( 394242 bytes)
617e43b70c62fce5f9a026eea2e733cb ( 28203 bytes)
6211827174a02e0184a2f1bbbadaf0ae ( 28200 bytes)
627fdda8c8c98569738f5778f7e2884e ( 390656 bytes)
63a7ccacdf7171ae6267f3864cc2da65 ( 912384 bytes)
68b7e196fd10ad222ac87120551255a7 ( 959578 bytes)
6dbce1f04245d422a269f7d306c51487 ( 30762 bytes)
6f2ba9a03b31ed4e74d9fb3e5833c7b7 ( 432128 bytes)
712573c80eae3415c6bb58006892f4d6 ( 28204 bytes)
712bcf8e6680147260aa03c25c2ec68f ( 186986 bytes)
731a0388e37aff0563b20f0a034cdd4d ( 130670 bytes)
73329ddf8fb686af354fd0a87fe547d4 ( 1783298 bytes)
767d0a935c9f3
The following files are also created on the user's system, but genuine software creates them as well:
Note:
These file(s) can be kept, since genuine software also creates them. Compare hashes before deciding: %temp%\svchost.exe appears in the removal list above with a different MD5 hash, and only the hash tells the two apart.
File : ?g?.scr
Path : %systemdrive%

Md5Hash : [Not Available]
File : svchost.exe
Path : %temp%

Md5Hash :5820dea80633e67c6c7510abef433b9d ( 1238528 bytes)
File : fusioncache.dat
Path : %userprofile%\local settings\application data

Md5Hash :95ec401795fa577def2499a4c6005ba7 ( 135 bytes)
File : unlha32.dll
Path : %windir%\system32

Md5Hash :201ba4ee05d62a617a52eb35e141c54c ( 259072 bytes)
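The lists above are keyed on file name and folder, yet several of the names belong to legitimate Windows binaries, and %temp%\svchost.exe appears both in the removal list (4c920b673ed7da6b116a6664e2b56437) and in the keep list (5820dea80633e67c6c7510abef433b9d). The only thing separating the two is the MD5, so a practitioner verifies the hash before deleting anything. The Python below is an added example, not the page's own tooling: it parses the report's File/Path/Md5Hash layout (including the multi-hash entries and entries with no hash), expands the %placeholder% folders from the NOTE section, and reports per path whether the file present matches the listed hash. The report excerpt and the files it plants in a temporary directory are constructed for the demonstration; the script deletes nothing.

```python
import hashlib
import os
import re
import shutil
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the report's own "File:/Path :/Md5Hash :" layout:
# three entries from the list above; the third carries no hash on the page.
REPORT_EXCERPT = """
File: svchost.exe
Path : %windir%

Md5Hash :1b707b6061829b0dc76eb4052c8e1300 ( 30208 bytes)
File: spoolsv.exe
Path : %programfiles%\\dir2file

Md5Hash :ab667e0c4587d837b850ee3714656e86 ( 776194 bytes)
File: file.bat
Path : %systemdrive%

Md5Hash :( bytes)
"""

HASH_RE = re.compile(r"([0-9a-f]{32})\s*\(\s*(\d*)\s*bytes\)", re.I)


@dataclass
class Ioc:
    name: str            # file name as listed
    path: str            # folder as listed, placeholders kept (e.g. %windir%\system32)
    md5: Optional[str]   # None when the report gives no hash
    size: Optional[int]


def _ioc(name, path, m):
    return Ioc(name, path, m.group(1).lower(), int(m.group(2)) if m.group(2) else None)


def parse_report(text: str) -> List[Ioc]:
    """File/Path/Md5Hash triples -> Ioc records. A 'Md5Hash :' line carries one hash,
    or is a bare label followed by one hash per line (multi-variant entries);
    an entry with no hash becomes a record with md5=None."""
    iocs, name, path = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("File"):                     # both "File:" and "File :" occur
            name, path = line.split(":", 1)[1].strip(), None
        elif line.startswith("Path"):
            path = line.split(":", 1)[1].strip()
        elif line.startswith("Md5Hash"):
            rest = line.split(":", 1)[1].strip()
            m = HASH_RE.match(rest)
            if m:
                iocs.append(_ioc(name, path, m))
            elif rest.startswith("("):                  # "Md5Hash :( bytes)": hash unknown
                iocs.append(Ioc(name, path, None, None))
        elif name and (m := HASH_RE.match(line)):       # continuation line of a multi-hash entry
            iocs.append(_ioc(name, path, m))
    return iocs


def expand(template: str, env: Dict[str, str]) -> str:
    """Replace %name% placeholders from env (lower-case keys) and normalise separators."""
    out = re.sub(r"%([A-Za-z]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), template)
    return out.replace("\\", os.sep)


def md5_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(iocs: List[Ioc], env: Dict[str, str]) -> Dict[str, str]:
    """Verdict per expanded path; nothing is deleted.
    match          listed path exists and its MD5 equals the listed hash
    hash-mismatch  right name at the listed place but other content: inspect, do not delete blindly
    unverifiable   file present but the report gives no hash for it
    absent         nothing at that path"""
    verdicts = {}
    for ioc in iocs:
        full = os.path.join(expand(ioc.path, env), ioc.name)
        if not os.path.isfile(full):
            verdicts[full] = "absent"
        elif ioc.md5 is None:
            verdicts[full] = "unverifiable"
        elif md5_file(full) == ioc.md5:
            verdicts[full] = "match"
        else:
            verdicts[full] = "hash-mismatch"
    return verdicts


def run_demo() -> Dict[str, str]:
    """Plant constructed files in a throw-away fake %windir%/%programfiles%/%systemdrive%
    tree (not a real infection) and return verdicts keyed by path relative to that tree."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    env = {"windir": os.path.join(root, "Windows"),
           "programfiles": os.path.join(root, "Program Files"),
           "systemdrive": root}
    dir2file = os.path.join(env["programfiles"], "dir2file")
    os.makedirs(dir2file)
    os.makedirs(env["windir"])
    iocs = parse_report(REPORT_EXCERPT)
    # decoy: the listed name at the listed place, but not the listed content
    with open(os.path.join(env["windir"], "svchost.exe"), "wb") as f:
        f.write(b"constructed decoy, not the listed sample")
    # a file whose hash we add to the IOC list ourselves, so it must match
    payload = b"constructed payload standing in for a listed sample"
    with open(os.path.join(dir2file, "svchost.exe"), "wb") as f:
        f.write(payload)
    iocs.append(Ioc("svchost.exe", "%programfiles%\\dir2file",
                    hashlib.md5(payload).hexdigest(), len(payload)))
    # the hash-less entry, present on disk
    with open(os.path.join(root, "file.bat"), "wb") as f:
        f.write(b"@echo constructed\r\n")
    result = {os.path.relpath(p, root).replace(os.sep, "/"): v for p, v in scan(iocs, env).items()}
    shutil.rmtree(root, ignore_errors=True)
    return result
```

On a real system, replace the fake folders in run_demo with the defaults from the NOTE section (or the values of the corresponding environment variables) and feed scan the full list from this page. Only the listed folders are examined, so the genuine %windir%\system32\svchost.exe is never touched. A hash-mismatch is not a clean bill of health; it can be a newer variant, so quarantine it for inspection rather than ignoring it. A match identifies the listed sample, but MD5 alone should not be used to argue that a file is safe.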
The following registry values are added to the registry keys recorded during analysis (the key paths themselves are not reproduced on this page):
Note:
Delete the added values from the key to remove the infection. Several value names appear more than once in the list below; remove every occurrence you find.
|__ Value Added :
msjter = "%WINDIR%\system32\msjter.exe /w"
|__ Value Added :
mspbde = "%windir%\system32\mspbde.exe /w"
|__ Value Added :
msrd2x = "%windir%\system32\msrd2x.exe /w"
|__ Value Added :
msrecr = "%windir%\system32\msrecr.exe /w"
|__ Value Added :
msvcrt32 = "%windir%\system32\msvcrt32.exe /w"
|__ Value Added :
ara-key = ""%programfiles%\systweak\systweak726.exe" /startup"
|__ Value Added :
ara-key = "%programfiles%\common files\microsoft shared\dw\dw204ce0.exe -startup"
|__ Value Added :
dir2file login = ""%programfiles%\dir2file\dir2file_login.exe" /start"
|__ Value Added :
dir2file_login = ""%programfiles%\dir2file\dir2file_login.exe" /startup"
|__ Value Added :
explorer = ""%programfiles%\shadowstor\explorer.exe" /logon"
|__ Value Added :
inctrl5 config = ""%programfiles%\inctrl5\inctrl5_config.exe" /autorun"
|__ Value Added :
MESSENGER CONFIG = ""%PROGRAMFILES%\Messenger\messenger_config.exe" /autorun"
|__ Value Added :
messenger env = ""%PROGRAMFILES%\Messenger\messenger_env.exe" /logon"
|__ Value Added :
messenger login = ""%programfiles%\messenger\messenger_login.exe" /start"
|__ Value Added :
messenger_setup = ""%programfiles%\messenger\messenger_setup.exe" /startup"
|__ Value Added :
messengercfg = ""%programfiles%\messenger\messengercfg.exe" /logon"
|__ Value Added :
msjter = "%WINDIR%\system32\msjter.exe /w"
|__ Value Added :
msn config = ""%programfiles%\msn\msn_config.exe" /autorun"
|__ Value Added :
msn loader = ""%programfiles%\msn\msn_loader.exe" /logon"
|__ Value Added :
msn_setup = ""%PROGRAMFILES%\MSN\msn_setup.exe" /startup"
|__ Value Added :
msn_start = ""%programfiles%\msn\msn_start.exe" /startup"
|__ Value Added :
msnsetup = ""%programfiles%\msn\msnsetup.exe" /autorun"
|__ Value Added :
mspbde = "%windir%\system32\mspbde.exe /w"
|__ Value Added :
msrd2x = "%windir%\system32\msrd2x.exe /w"
|__ Value Added :
msrecr = "%windir%\system32\msrecr.exe /w"
|__ Value Added :
msvcrt32 = "%windir%\system32\msvcrt32.exe /w"
|__ Value Added :
netmeeting_env = ""%programfiles%\netmeeting\netmeeting_env.exe" /startup"
|__ Value Added :
netmeetingenv = ""%programfiles%\netmeeting\netmeetingenv.exe" /logon"
|__ Value Added :
shadowstor autorun = ""%programfiles%\shadowstor\shadowstor_autorun.exe" /autorun"
|__ Value Added :
shadowstor loader = ""%programfiles%\shadowstor\shadowstor_loader.exe" /start"
|__ Value Added :
shadowstor_config = ""%PROGRAMFILES%\ShadowStor\shadowstor_config.exe" /startup"
|__ Value Added :
shadowstor_loader = ""%programfiles%\shadowstor\shadowstor_loader.exe" /startup"
|__ Value Added :
spoolsv = ""%programfiles%\dir2file\spoolsv.exe" /logon"
|__ Value Added :
SPOOLSV = ""%PROGRAMFILES%\ShadowStor\spoolsv.exe" /autorun"
|__ Value Added :
svchost = ""%programfiles%\dir2file\svchost.exe" /autorun"
|__ Value Added :
svchost = ""%programfiles%\messenger\svchost.exe" /start"
|__ Value Added :
VJ838046M = "%WINDIR%\svchost.exe"
|__ Value Added :
windows security manager = "%windir%\system32\drivers\etc\svchost.exe -c -ax"
|__ Value Added :
xerox loader = ""%programfiles%\xerox\xerox_loader.exe" /start"
|__ Value Added :
xerox_loader = ""%programfiles%\xerox\xerox_loader.exe" /startup"
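The value data above comes in two shapes: a quoted path followed by a switch (""...\spoolsv.exe" /logon"), and a bare command line whose path may itself contain spaces ("%programfiles%\common files\microsoft shared\dw\dw204ce0.exe -startup"). Before hunting for these values in the registry it helps to turn the list into (name, executable, switches) records. The Python below is an added example, not the page's own tooling: it parses the value lines (the "|__ Value Added :" labels can be pasted along with them), collapses the duplicated entries, and flags executables that borrow a Windows system name but sit outside the folder Windows keeps that binary in. The table of expected locations (%windir%\system32 for svchost.exe and spoolsv.exe, %windir% for explorer.exe) is the author's assumption, not something stated on the page, and the sample lines are copied from the list above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: value lines copied from the list above, covering both quoting
# styles, an unquoted path containing spaces, and one duplicated value name.
VALUE_LINES = r'''
|__ Value Added :
msjter = "%WINDIR%\system32\msjter.exe /w"
|__ Value Added :
ara-key = "%programfiles%\common files\microsoft shared\dw\dw204ce0.exe -startup"
|__ Value Added :
spoolsv = ""%programfiles%\dir2file\spoolsv.exe" /logon"
|__ Value Added :
VJ838046M = "%WINDIR%\svchost.exe"
|__ Value Added :
windows security manager = "%windir%\system32\drivers\etc\svchost.exe -c -ax"
|__ Value Added :
explorer = ""%programfiles%\shadowstor\explorer.exe" /logon"
|__ Value Added :
msjter = "%WINDIR%\system32\msjter.exe /w"
'''

# Assumption (author's, not from the page): the folder Windows keeps each of these
# binaries in. A same-named file anywhere else is masquerading.
EXPECTED_HOME = {
    "svchost.exe": r"%windir%\system32",
    "spoolsv.exe": r"%windir%\system32",
    "explorer.exe": r"%windir%",
}

# Unquoted command line: the path runs up to the first executable extension.
UNQUOTED_RE = re.compile(r"(.*?\.(?:exe|scr|bat|com))(?:\s+(.*))?$", re.I)


@dataclass
class RunValue:
    name: str
    exe: str          # executable path, lower-cased, placeholders kept
    args: str
    masquerade: bool  # system binary name outside its expected folder


def parse_value(line: str) -> Optional[RunValue]:
    """'name = "command"' -> RunValue, or None for a line that is not a value."""
    name, sep, rhs = line.partition(" = ")
    rhs = rhs.strip()
    if not sep or len(rhs) < 2 or rhs[0] != '"' or rhs[-1] != '"':
        return None
    cmd = rhs[1:-1]                              # strip the outer data quotes
    if cmd.startswith('"') and '"' in cmd[1:]:   # "path with spaces\x.exe" /switch
        end = cmd.index('"', 1)
        exe, args = cmd[1:end], cmd[end + 1:].strip()
    else:
        m = UNQUOTED_RE.match(cmd)
        if not m:
            return None
        exe, args = m.group(1), (m.group(2) or "").strip()
    exe = exe.lower()
    folder, _, base = exe.rpartition("\\")
    masq = base in EXPECTED_HOME and folder != EXPECTED_HOME[base]
    return RunValue(name.strip(), exe, args, masq)


def parse_values(text: str) -> List[RunValue]:
    """Parse every value line, skipping the page's '|__ Value Added :' labels and
    collapsing exact duplicates (the page lists several names twice)."""
    seen, out = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("|__"):
            continue
        rv = parse_value(line)
        if rv is None:
            continue
        key = (rv.name.lower(), rv.exe, rv.args)
        if key not in seen:
            seen.add(key)
            out.append(rv)
    return out


def masquerading(values: List[RunValue]) -> List[RunValue]:
    """Values whose executable wears a Windows system name in the wrong folder."""
    return [v for v in values if v.masquerade]
```

The executable paths it extracts are exactly the files listed in the removal section above, so the same records can drive a hash check of each target before the value and the file are removed. The masquerade rule is deliberately strict: %windir%\system32\drivers\etc\svchost.exe is flagged even though it is under system32, because the genuine binary lives in system32 itself, not in a subfolder.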

NOTE:

1. %programfiles% refers to the Program Files folder. By default it is 'C:\Program Files'
2. %systemdrive% refers to the Windows system drive. By default it is 'C:\'
3. %temp% refers to the Windows temp folder. By default it is 'C:\Documents and Settings\[user]\Local Settings\Temp'
4. %userprofile% refers to the current user's profile folder. By default it is 'C:\Documents and Settings\[user]'
5. %windir% refers to the Windows installation folder. By default it is 'C:\Windows'
6. %workingdir% refers to the directory the user is currently working in.

Important: We strongly recommend that you back up the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted files. Modify only the malicious or suspicious subkeys and values.


To modify registry entries in the Windows operating system:
Follow these steps:
1. Click Start > Run
2. Type "regedit" and press Enter to open the Registry Editor
3. Navigate to the required registry key in the left-hand tree and modify it accordingly



© Systweak Inc., 1999-2011 All rights reserved.