Trojan-PSW.Win32.Fareit_1f077a3cb8

by malwarelabrobot on October 3rd, 2013 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Cutwail.a (v) (VIPRE), Trojan-Downloader.Win32.Cutwail!IK (Emsisoft), Trojan-PSW.Win32.Fareit.FD, TrojanPSWFareit.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 1f077a3cb8346c7e3e68bab926090e46
SHA1: 5003b95c99eeb847d07843d6821003febe249bf0
SHA256: 310cf05052a7ae11f758cb5bd3b16ae06ffcbc989dfd870f493cd62704505112
SSDeep: 768:2voWc2LXvjkD3ioonyZSWgclyXQhW54PtRvk8ULkvKJta7s:soE7MiNnyljlDI4FREAKJX
Size: 44544 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1998-01-01 11:56:33


Summary:

Trojan-PSW: a Trojan program intended for stealing users' passwords.

Payload

No specific payload has been found.

Process activity

The Trojan-PSW creates the following process(es):

ctfmon.exe:252

The Trojan-PSW injects its code into the following process(es):

1f077a3cb8346c7e3e68bab926090e46.exe:2592

File activity

The process 1f077a3cb8346c7e3e68bab926090e46.exe:2592 makes changes to the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\phototype_com[1].txt (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\thedonaldsongroup_com[1].htm (9 bytes)
%Documents and Settings%\%current user%\Cookies\AZCFRAJS.txt (92 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\cgc-england_com[1].htm (29 bytes)
%Documents and Settings%\%current user%\qiniqvypsydo.exe (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\paulrenna_com[1].txt (1919 bytes)
%Documents and Settings%\%current user%\Cookies\RWQF6Z18.txt (123 bytes)
%Documents and Settings%\%current user%\Cookies\1P05ZG3S.txt (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\bocr[1].htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\photoclubs_com[1].htm (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\trenpalau_com[1].htm (5 bytes)
%Documents and Settings%\%current user%\Cookies\DOHWPVS7.txt (126 bytes)
%Documents and Settings%\%current user%\Cookies\PE1NR6HV.txt (132 bytes)
%Documents and Settings%\%current user%\Cookies\KNB134XP.txt (93 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\m[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\manuyantralaya_com[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\fraser-high_school_nz[1].htm (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\kurecci_or_jp[1].htm (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\cksglobal_net[1].htm (31 bytes)
%Documents and Settings%\%current user%\Cookies\9B62C01A.txt (121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\starmedia_ca[1].htm (1636 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\teasing-video_com[1].htm (1351 bytes)
%Documents and Settings%\%current user%\Cookies\WWL0DXXO.txt (83 bytes)
%Documents and Settings%\%current user%\Cookies\72IJH17T.txt (148 bytes)
%Documents and Settings%\%current user%\Cookies\EOA82CB4.txt (117 bytes)
%Documents and Settings%\%current user%\Cookies\QS4HN7HG.txt (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\precisionsolutionsky_com[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\T4N99EVB.txt (245 bytes)
%Documents and Settings%\%current user%\Cookies\Q6NODL5H.txt (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\rueggeberg_com[1].txt (810 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\GVYEZ9PX.txt (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\lockerlookz_com[1].htm (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\mandi-man_com[1].htm (10 bytes)
%Documents and Settings%\%current user%\Cookies\JBUJ08DV.txt (124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\teknorhino_com[1].htm (78 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\eygwindows_co_uk[1].htm (98 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-796845957-1563985344-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_f3a4e041-90c9-46df-a35a-850a694fae5b (441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\enzoyrodrigo_com_br[1].htm (586 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\solutioncorp_com[1].txt (1991 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\DRHTA3LY.txt (124 bytes)
%Documents and Settings%\%current user%\Cookies\RRAIDHCI.txt (273 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\automa_it[1].htm (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\ubsades_com[1].htm (254 bytes)
%Documents and Settings%\%current user%\Cookies\GKW74YFO.txt (272 bytes)
%Documents and Settings%\%current user%\Cookies\VHUHTU75.txt (123 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\ginalimo_com[1].htm (15 bytes)
%Documents and Settings%\%current user%\Cookies\X9QVRCGE.txt (128 bytes)
%Documents and Settings%\%current user%\Cookies\KZ6PR58X.txt (114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\suspendedpage[1].htm (3 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\KNB134XP.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\AZCFRAJS.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\WWL0DXXO.txt (0 bytes)

Registry activity

The process 1f077a3cb8346c7e3e68bab926090e46.exe:2592 makes changes to the system registry.
The Trojan-PSW creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 30 53 26 BE 46 3D 04 7C 43 12 24 5E 61 A1 11"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"3092446134" = "DD 07 0A 00 03 00 02 00 05 00 12 00 13 00 51 03"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"AppManagement" = "96 FA D2 AA F5 CD A5 7D 55 A0 78 DC 28 8C 64 AF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"qiniqvypsydozap" = "75 4D 25 FC D4 AC F7 CF A7 7F 57 2F 7A 52 2A 02"

The Trojan-PSW modifies the IE security-zone settings so that all web hosts that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan-PSW modifies the IE security-zone settings so that all local hosts whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To run itself automatically each time Windows boots, the Trojan-PSW adds the following reference to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"qiniqvypsydo" = "%Documents and Settings%\%current user%\qiniqvypsydo.exe"

The Trojan-PSW modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-PSW deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

The process ctfmon.exe:252 makes changes to the system registry.
The Trojan-PSW disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

Network activity (URLs)



Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate the original Trojan-PSW's process (How to End a Process With the Task Manager).
  2. Delete the original Trojan-PSW file.
  3. Delete or disinfect the files created/modified by the Trojan-PSW that are listed under File activity above.

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "qiniqvypsydo" = "%Documents and Settings%\%current user%\qiniqvypsydo.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.