TROJ_EVADIPED.AM
Platform: Windows 2000, XP, Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
It monitors specific URLs. If users access these monitored sites, they are redirected by this malware to specific malicious sites.
This Trojan may be dropped by other malware.
TECHNICAL DETAILS
File Size: 344,077 bytes
File Type: DLL
Memory Resident: No
Initial Samples Received Date: 05 Apr 2011
Payload: Monitors Web browser, Connects to URLs/IPs
Arrival Details
This Trojan may be dropped by the following malware:
- TROJ_MONKIF.AE
Autostart Technique
This Trojan registers as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is used by adding the following registry keys:
HKEY_CLASSES_ROOT\main.BHO
HKEY_CLASSES_ROOT\main.BHO.1
HKEY_CLASSES_ROOT\AppID\main.DLL
HKEY_CLASSES_ROOT\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F}
HKEY_CLASSES_ROOT\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
HKEY_CLASSES_ROOT\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}
HKEY_CLASSES_ROOT\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
It registers as a BHO to ensure its automatic execution every time Internet Explorer is used by adding the following registry entries:
HKEY_CLASSES_ROOT\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\InprocServer32
(Default) = {malware path and file name}
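The registry layout above is what Internet Explorer reads at start-up to decide which BHOs to load: the CLSID listed under Browser Helper Objects is instantiated, and its InprocServer32 default value names the DLL that gets loaded into the browser. The following read-only audit script is an added example and is not part of the Trend Micro description or the malware. The CLSID, ProgIDs, AppID, Interface and TypeLib GUIDs come from this description; the function names, the Wow6432Node check (a 32-bit BHO on 64-bit Windows registers under that node) and the report layout are this example's own assumptions.

```powershell
# Added example, not part of the Trend Micro description: audit the BHO registration
# this description attributes to TROJ_EVADIPED.AM. GUIDs and ProgIDs are taken from the
# description; function names and the Wow6432Node check are this example's assumptions.
# Run in an elevated PowerShell session on the host being inspected. Read-only.

$SuspectClsid = '{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}'

# Keys Internet Explorer enumerates at start-up to decide which BHOs to load. The
# second path exists only on 64-bit Windows, where 32-bit IE looks under Wow6432Node.
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# Every key the description lists for this sample (Autostart Technique / Step 5).
$EvadipedKeys = @(
    'Registry::HKEY_CLASSES_ROOT\main.BHO',
    'Registry::HKEY_CLASSES_ROOT\main.BHO.1',
    'Registry::HKEY_CLASSES_ROOT\AppID\main.DLL',
    'Registry::HKEY_CLASSES_ROOT\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}',
    (Join-Path $BhoKeys[0] $SuspectClsid)
)

function Get-BhoInprocServer {
    # Resolve the DLL a CLSID loads from its InprocServer32 (Default) value.
    param([string]$Clsid)
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $inproc)) { return $null }
    $value = (Get-ItemProperty -LiteralPath $inproc).'(default)'
    if ($value) { [Environment]::ExpandEnvironmentVariables($value.Trim('"')) } else { $null }
}

function Get-RegisteredBho {
    # One record per BHO CLSID that IE would instantiate, with the backing DLL,
    # whether that DLL is still on disk, and a flag for the CLSID in this description.
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($sub in (Get-ChildItem -LiteralPath $key)) {
            $clsid = $sub.PSChildName
            $dll   = Get-BhoInprocServer -Clsid $clsid
            New-Object PSObject -Property @{
                Clsid           = $clsid
                Dll             = $dll
                DllOnDisk       = [bool]($dll -and (Test-Path -LiteralPath $dll))
                MatchesEvadiped = ($clsid -ieq $SuspectClsid)
            }
        }
    }
}

function Test-EvadipedArtifacts {
    # Presence check for each registry key the description says the sample creates.
    foreach ($k in $EvadipedKeys) {
        New-Object PSObject -Property @{ Key = $k; Present = (Test-Path -LiteralPath $k) }
    }
}

# Report: every registered BHO first (an unfamiliar CLSID or a DLL in a user-writable
# directory is worth a look on its own), then the keys specific to this sample.
$bhos = @(Get-RegisteredBho)
$bhos | Select-Object Clsid, Dll, DllOnDisk, MatchesEvadiped | Format-Table -AutoSize
if ($bhos | Where-Object { $_.MatchesEvadiped }) {
    Write-Warning "BHO CLSID $SuspectClsid is registered; see Step 5 of the description."
}
Test-EvadipedArtifacts | Where-Object { $_.Present } | Select-Object Key, Present | Format-Table -AutoSize
```

The script only reads the registry, so it is safe to run before the removal steps below and again afterwards to confirm the keys are gone. `New-Object PSObject -Property` is used instead of `[pscustomobject]` so the script also runs under PowerShell 2.0, the newest version available on the Windows XP and Server 2003 hosts this description targets.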
Other Details
This Trojan does the following:
- Monitors the Web browser of the affected system and opens other Web pages when the following URLs are accessed:
- *.123inkjets.com
- *.2insure4less.com
- *.4checks.com
- *.4inkjets.com
- *.abebooks.com
- *.aced.com
- *.adultfriendfinder.com
- *.airfrance.com
- *.alt.com
- *.amigos.com
- *.art.com
- *.asiafriendfinder.com
- *.askpcexperts.com
- *.audible.com
- *.autopartswarehouse.com
- *.avenue.com
- *.avis.com
- *.avon.com
- *.bestwestern.com
- *.bigchurch.com
- *.bingoliner.com
- *.bodybuilding.com
- *.bondage.com
- *.brooksbrothers.com
- *.buckle.com
- *.budget.com
- *.bustedtees.com
- *.buy.com
- *.cafepress.com
- *.calendars.com
- *.cooking.com
- *.coupons.com
- *.creditreport.com
- *.date.com
- *.delivery.com
- *.dell.com
- *.dentalplans.com
- *.dine.com
- *.drugstore.com
- *.ea.com
- *.ebags.com
- *.ecampus.com
- *.efax.com
- *.eharmony.com
- *.elitemate.com
- *.emusic.com
- *.endless.com
- *.entertainment.com
- *.equifax.com
- *.expedia.com
- *.extendedstayhotels.com
- *.fansedge.com
- *.fathead.com
- *.filipinofriendfinder.com
- *.finishline.com
- *.footlocker.com
- *.franklincovey.com
- *.frenchfriendfinder.com
- *.friendfinder.com
- *.ftd.com
- *.ftpress.com
- *.fulltiltpoker.net
- *.furniture.com
- *.fye.com
- *.gamefly.com
- *.gamestop.com
- *.gap.com
- *.gayfriendfinder.com
- *.geeks.com
- *.germanfriendfinder.com
- *.gifttree.com
- *.golfsmith.com
- *.gradfinder.com
- *.guanxi.com
- *.herroom.com
- *.homestead.com
- *.hotels.com
- *.hottopic.com
- *.hrblock.com
- *.indianfriendfinder.com
- *.intuit.com
- *.italianfriendfinder.com
- *.jellybelly.com
- *.jewishfriendfinder.com
- *.jr.com
- *.kmart.com
- *.kodakgallery.com
- *.koreanfriendfinder.com
- *.lacrosse.com
- *.legalace.com
- *.lesbianpersonals.com
- *.lifelock.com
- *.livetv4me.com
- *.lnt.com
- *.macmall.com
- *.magazines.com
- *.magicjack.com
- *.match.com
- *.millionairemate.com
- *.mountaingear.com
- *.music123.com
- *.mycricket.com
- *.myelectronics-depot.net
- *.netflix.com
- *.nicecards.com
- *.officemax.com
- *.otel.com
- *.outpersonals.com
- *.overstock.com
- *.pacsun.com
- *.passion.com
- *.petco.com
- *.points.com
- *.priceline.com
- *.printmything.com
- *.proactiv.com
- *.realtytrac.com
- *.reefgear.com
- *.restaurant.com
- *.rushmypassport.com
- *.rushmytravelvisa.com
- *.savilerowco.com
- *.sears.com
- *.seniorfriendfinder.com
- *.shoebuy.com
- *.shoemall.com
- *.shoes.com
- *.shopnbc.com
- *.singlesnet.com
- *.skechers.com
- *.slim.com
- *.snapfish.com
- *.sportsinteraction.com
- *.t-mobile.com
- *.target.com
- *.thenorthface.com
- *.ticketsnow.com
- *.toms.com
- *.tracfone.com
- *.uniformcity.com
- *.virgin-atlantic.com
- *.vistaprint.com
- *.westmarine.com
- *.winhundred.com
- *.wweshop.com
- *.zoosk.com
- *100dayloans.com
- *24hourfitness.com
- *5dimes.com
- *a.websponsors.com
- *absolutepoker.com
- *acaiberryselect.com
- *ad.gpotato.com
- *adserve.brandgivewaycentre.com
- *adserve.brandsamplecenter.com
- *adserve.Urgent-Notification.com
- *adultfriendfinder.com
- *advanceautoparts.com
- *affiliate.acntracker.com
- *affiliate.fctracker.com
- *affiliate.gwmtracker.com
- *affiliate.ismtracker.com
- *affiliate.tpptracker.com
- *affiliates.2plus2media.com
- *affiliates.cpanation.com
- *affiliates.thecutekid.com
- *affiliates.webjamads.com
- *airfare.com
- *alibris.com
- *allposters.com
- *allstate.com
- *altawhite.com
- *ameriadvance.com
- *AmericaRX.com
- *amerimark.com
- *angieslist.com
- *anytimecostumes.com
- *api.gogetitdone.com
- *apps.facebook.com
- *arcade-hq*
- *arcadeoldies.com*
- *asseenonpc.directtrack.com
- *avis.com
- *barenecessities.com
- *barnesandnoble.com
- *basspro.com
- *bbcamericashop.com
- *bidrivals.directtrack.com
- *bigbrandrewards.com
- *bigcrumbs.com
- *bing.com/search*q=*
- *bodenusa.com
- *bodog.com
- *bodog.net
- *bonus.club28282.com
- *bonus.zingtones.tv
- *booksonline.com
- *bowflex.com
- *bowflexhomegyms.com
- *brigadeqm.com
- *buymebeauty.com
- *c2.flutteroo.com
- *callawaygolfpreowned.com
- *cameraboys.com
- *camerakings.com
- *campingworld.com
- *cash.60minutepayday.com
- *casinosplendido.com
- *cduniverse.com
- *cellphoneincentives.com
- *cheapflights.com
- *cheaptickets.com
- *chemistry.com
- *cigacease.com
- *circuitcity.com
- *click2go.org
- *clicks.emarketmakers.com
- *clubmed.us
- *compusa.com
- *condor.com
- *congalotto.com
- *consumergiftcards.com
- *consumerincentivepromotions.com
- *coolpremiums.com
- *copdsignup.copdconnect.com
- *costumediscounters.com
- *costumekingdom.com
- *cougarlife.com
- *dazzlewhite.com
- *dazzlewhitepro.com
- *delias.com
- *designhotels.com
- *diamond.com
- *dickssportinggoods.com
- *digestit.com
- *discountadvances.com
- *disneymovieclub.go.com
- *dl.freeze.com
- *dl.installiq.com
- *dnl.crawler.com
- *download.couponalert.com
- *download.dailybibleguide.com
- *download.dailydollarguide.com
- *download.guffins.com
- *download.ourbabymaker.com
- *download.televisionfanatic.com
- *download.weatherblink.com
- *doylescasino.com
- *dpcsignup.depressionconnect.com
- *drgsfreshpetfood.com
- *drugstore.com
- *DunhamsSports.com
- *e-cig.org
- *education.careers.org
- *eleadztracks.com
- *en.smartdate.com
- *espnshop.com
- *etoro.com
- *exclusiveclicks.com
- *exclusivegiftcards.com
- *extendedstayhotels.com
- *ezvehiclefinancing.com
- *fabric.com
- *fantapper.com
- *fastwirefunds.com
- *filmfanatic.mywebsearch.com
- *fingerhut.com
- *flightnetwork.com
- *footsmart.com
- *fragrance.com
- *fragrancenet.com
- *fredericks.com
- *free.astrology.com
- *friendschecker.com
- *fulltiltpoker.com
- *g.websponsors.com
- *galleries.securewebsiteaccess.com
- *gamecoins.com
- *gameconsolerewards.com
- *gamesneto.com
- *gamevance.com
- *gapc.go2jump.org
- *gaydvdempire.com
- *gevalia.com
- *giftcertificates.com
- *gnspf.com
- *gofreecredit.com
- *goldenlounge.com
- *goodsamclub.com
- *google.com/#hl*q=*
- *google.com/#sclient*q=*
- *google.com/search*q=*
- *grandchase.ntreev.net
- *greatdeals.idonowidont.com
- *gtahotels.com
- *harryanddavid.com
- *hayhouse.com
- *healthadvert.com
- *hearingaids.miracle-ear.com
- *hickoryfarms.com
- *holidayrecipebook.diabeticconnect.com
- *homeclick.com
- *hookedonphonics.com
- *hostelbookers.com
- *hotelopia.com
- *hotelplanner.com
- *hotelroom.com
- *hotelscombined.com
- *hotgiftzone.com
- *hotusa.com
- *hotwire.com
- *identityguard.com
- *ileadsoffers.com
- *ileadztracker.com
- *inkgrabber.com
- *insuranceapi.azoogleads.com
- *intercontinental.com
- *iphonesintocash.com
- *iq.hot4cell.net
- *iwager.com
- *jcwhitney.com
- *jennaclaire.com
- *jetblue.com
- *joesnewbalanceoutlet.com
- *join1.winhundred.com
- *joyourself.com
- *junonia.com
- *kardashiansmile.com
- *karmaloop.com
- *kazulah.smileycentral.com
- *kitsusaga.aeriagames.com
- *klm.com
- *landing.grabaroo.com
- *landing.singlesnet.com
- *lastminute.com
- *launch.roirocket.com
- *lecconnectllc.go2jump.org
- *lillianvernon.com
- *livejasmin.com
- *liveprivates.com
- *livesexasian.com
- *livingsocial.com
- *lizclaiborne.com
- *locale-redirect.html*
- *lsawards.com
- *ltlprints.com
- *luggagefactory.com
- *luggageonline.com
- *lwken.com
- *macys.com
- *maturescam.com
- *media303.com
- *medifast1.com
- *members.spiceornice.com
- *mercadolibre.com.mx
- *mhlnk.com
- *mirror.nbstatic.com
- *modells.com
- *moosejaw.com
- *motel6.com
- *motorcycle-superstore.com
- *musicspace.com
- *my.amazingfreerewards.com
- *mycams.com
- *myelectronicrewards.com
- *myfico.com
- *myluci.com
- *mynetfinder.com*
- *myrapidquote.com
- *myrewardsvault.com
- *mytrannycams.com
- *mywarrantyshop.com
- *mywebface.mywebsearch.com
- *nationalcarinsurancesite.com
- *nationallifeinsurancesite.com
- *network.kitaramarketplace.com
- *networksolutions.com
- *nextscholarapi.azoogleads.com
- *nflshop.com
- *nursesdirect.com
- *nutrisystem.com
- *offerbargain.com
- *offers.motime.com.br
- *officedepot.com
- *oldnavy.com
- *onlineshoes.com
- *orbitz.com
- *overnightprints.com
- *ow2.orderwave.com
- *pangya.ntreev.net
- *partners.bidrivals.com
- *partners.cotterweb.net
- *partners.journeypass.com
- *partners.nextadnetwork.com
- *partners.topadmarket.com
- *partners.valu-pass.com
- *partstrain.com
- *paydaymax.com
- *paydayone.com
- *perfectmatch.com
- *personalcashbailout.com
- *personalcreations.com
- *personalizationmall.com
- *petcarerx.com
- *phobos.apple.com*
- *playboystore.com
- *playsushi.com
- *pokeropolis.com
- *premiumproductsonline.com
- *premiumrewardclub.com
- *psprint.com
- *puma.com
- *purecleanse360.com
- *quickbooks.com
- *quicken.intuit.com
- *quikjmp*
- *quixsurf*
- *quoteit4me.com
- *quotes.newcarsplus.com
- *r.bargaincast.net
- *r.prize-rewards.net
- *redenvelope.com
- *reg.coolsavings.com
- *register.outspark.com
- *register.paltalk.com
- *registration1.mate1.com
- *rembright.com
- *rentalcars.com
- *retrogamer.iwon.com
- *reviews.angieslist.com
- *revitol.com
- *rewardedopinions.com
- *riu.com
- *sbfollow10.com
- *scratch2cash.com
- *scubastore.com
- *search.yahoo.com*p=*
- *secure.bidz.com
- *secure.creditsesame.com
- *secure.privatestudentloans.com
- *secure.renaissancehealthpublishing.com
- *seehere.com
- *sellmyhouse.zipbuyer.com
- *shaiya.aeriagames.com
- *shindigz.com
- *shop.nationalgeographic.com
- *shopforbridal.com
- *shopping.hp.com
- *shutterfly.com
- *shuttledirect.com
- *sierratradingpost.com
- *signup.arthritisconnect.com
- *singlesnetdating.com
- *skinbotanica.com
- *skincarerx.com
- *skis.com
- *sky-tours.com
- *skype.com
- *smartbargains.com
- *smartlifeinsurance.com
- *smartwhitesmile.com
- *smcbigprofits.com
- *smithnoble.com
- *snorelesspillow.com
- *spencergifts.com
- *spirithalloween.com
- *starwoodhotels.com
- *stevemadden.com
- *store.discovery.com
- *store.ecomom.com
- *store.scholastic.com
- *store.theflip.com
- *supermart.com
- *surveyhead.com
- *techdepot.com
- *thenerds.net
- *thesmartcreditsolution.securelinkcorp.com
- *thingsremembered.com
- *thinkcreditreports.com
- *thinkgeek.com
- *this.content.served.by.adshuffle.com
- *thumbplay.com
- *ticketmaster.com
- *ticketnetwork.com
- *TigerDirect.com
- *timeandgems.com
- *tippr.com
- *tjformal.com
- *toolbar.inbox.com
- *topbrandsa.com
- *topbrandsamples.com
- *tour1.passionsearch.com
- *track.amazing-brand-rewards.net
- *track.freezinger.com
- *track.opinion-reward-center.net
- *track.SocialSurveys.us
- *tracking.singlesnet.com
- *trillionario.com
- *truecredit.com
- *trustedid.com
- *turbotax.com
- *ultimatebet.com
- *ultimatebet.net
- *urbanposters.com
- *us.darkorbit.bigpoint.com
- *us.fotolia.com
- *us.runesofmagic.com
- *ussearch.com
- *vayama.com
- *vermontteddybear.com
- *visiondirect.com
- *vitaminworld.com
- *walgreens.com
- *walmart.com
- *wbshop.com
- *websites.intuit.com
- *wintrillions.com
- *wireless.att.com
- *worldlacrosseshop.com
- *worldrugbyshop.com
- *worldsoccershop.com
- *ww.dvdempire.com
- *wwbw.com
- *www.2minuteseo.com
- *www.acidxgames.com
- *www.adf01.net
- *www.alkamate.com
- *www.ameriadvance.com
- *www.amolatina.com
- *www.amor.com
- *www.anastasiadate.com
- *www.ascentive.com
- *www.ashleymadison.com
- *www.asianbeauties.com
- *www.autoloansolutions.com
- *www.babylon.com
- *www.babytobee.com
- *www.bankruptcyprograms.com
- *www.bebeverlyhills.com
- *www.benaughty.com
- *www.bettercareersearch.com
- *www.bidcactus.com
- *www.bidcactusreg.com
- *www.bidz.com
- *www.bkginstaller.com
- *www.bookrenter.com
- *www.brandsurveypanel.com
- *www.briTrack.com
- *www.bustedtees.com
- *www.buycostumes.com
- *www.buythebodyshaper.com
- *www.buyz.com
- *www.buzzdock.com
- *www.carsdirect.com
- *www.cartoonly.com
- *www.cash4offers.com
- *www.cashcrate.com
- *www.cashin10.com
- *www.cashtoday911.com
- *www.catholicsoulmates.com
- *www.celebrateexpress.com
- *www.cellphoneincentives.com
- *www.cellphonereward.com
- *www.chopstick16.com
- *www.christianmatchmaker.com
- *www.christianmingle.com
- *www.clicknkids.com
- *www.clixmerchant.com
- *www.clixsoffer.com
- *www.cobra-info.com
- *www.constructiondeal.com
- *www.consumergiftcards.com
- *www.consumerincentiverewards.com
- *www.consumerrewards.us.com
- *www.cookingtiprewards.com
- *www.coolpremiums.com
- *www.corazon.com
- *www.cougarunite.com
- *www.couponplanet.net
- *www.credit.com
- *www.creditreport.com
- *www.creditscoreid.com
- *www.creditscorepro.com
- *www.cupid.com
- *www.cursormania.com
- *www.customsnuggie.com
- *www.date.com
- *www.dentalplans.com
- *www.dermitage.com
- *www.digsby.com
- *www.diningsurveys.us.com
- *www.dream-asians.com
- *www.dream-marriage.com
- *www.e-researchcouncil.com
- *www.easyquotefinder.net
- *www.efax.com
- *www.eharmony.com
- *www.emusic.com
- *www.epicdirectnetwork.com
- *www.epicvideoarcade.com
- *www.equifaxcreditscorenow.com
- *www.exclusivegiftcards.com
- *www.facetheme.com
- *www.fastloan.com
- *www.favoriteconsumerbrands.com
- *www.findlifequotes.com
- *www.flirt.com
- *www.floraqueen.com
- *www.flycell.com
- *www.fosinaoffers.com
- *www.foxy-singles.com
- *www.freecollegescholarships.net
- *www.freegamessource.com
- *www.freeridegames.com
- *www.gadgetcenter.us.com
- *www.gameconsolerewards.com
- *www.gamefly.com
- *www.gamemine.com
- *www.gamevance.com
- *www.gaydating.com
- *www.gerberlife.com
- *www.girlsdateforfree.com
- *www.gizmodepot.us.com
- *www.gofreecredit.com
- *www.gogetautoinsurance.com
- *www.gogethealthadvice.com
- *www.gogethealthcoverage.com
- *www.gogetitdone.com
- *www.gogetlifeinsurance.com
- *www.gogetmortgagerate.com
- *www.gogetrushcard.com
- *www.gradeguru.com
- *www.hcgultradiet.com
- *www.healthquoteinsider.com
- *www.holabirdsports.com
- *www.holidayshoppingrewards.com
- *www.homestead.com
- *www.hookup.com
- *www.iminent.com
- *www.imvu.com
- *www.inboxdollars.com
- *www.incredimail.com
- *www.inklineglobal.com
- *www.insuremeonline.com
- *www.intelius.com
- *www.iwon.com
- *www.jdate.com
- *www.jewcier.com
- *www.kazulah.com
- *www.lavalife.com
- *www.lctrk.com
- *www.leanbodyx.com
- *www.lifequoteinsider.com
- *www.match.com
- *www.matchmaker.com
- *www.mate1.com
- *www.mate1singles.com
- *www.maturesinglesclick.com
- *www.megamorpher.com
- *www.moneyminters.com
- *www.moremobilefun.com
- *www.motime.ca
- *www.myconsumerrewards.co.uk
- *www.myexclusiverewards.com
- *www.myfuncards.com
- *www.myjupiterjack.com
- *www.mypremiumrewards.com
- *www.myrewardchannel.com
- *www.myvbook.com
- *www.nationalsurveypanel.com
- *www.nationwideopinionpanel.com
- *www.netdegree.com
- *www.netloansearch.com
- *www.new8reports.com
- *www.nextjobfromhome.biz
- *www.nextpaydayonline.com
- *www.noriskinvestor.com
- *www.offerfusion.com
- *www.offermerchant.com
- *www.offersfromqh.com
- *www.officialsurveypanel.com
- *www.omahasteaks.com
- *www.onlinegiftrewards.com
- *www.onlinerewardcenter.com
- *www.ookisa.com
- *www.order-ez.com
- *www.pagerage.com
- *www.partnerwithpaul.com
- *www.perfectmatch.com
- *www.planet49.us
- *www.planetsappho.com
- *www.planningfamily.com
- *www.playsushi.com
- *www.plazmablaster.com
- *www.plundr.com
- *www.policygo.com
- *www.popularscreensavers.com
- *www.premiumproductsonline.com
- *www.premiumrewardclub.com
- *www.profinity.com
- *www.profitconfidential.com
- *www.purehoodiaselect.com
- *www.qualityhealth.com
- *www.quoteit4me.com
- *www.quotewhizhealth.com
- *www.ratemarketplace.com
- *www.realmaturesingles.com
- *www.refinancemyplace.com
- *www.resourcesforamericans.info
- *www.responsivecapture.com
- *www.retrogamer.com
- *www.rewardaisle.com
- *www.rfantrack.com
- *www.rushcard.com
- *www.save500.com
- *www.scholarships4dads.com
- *www.scholarships4moms.net
- *www.scholarships4workingadults.com
- *www.scholarshipzone.com
- *www.seafight.bigpoint.com
- *www.searchcactus.com
- *www.securecardsignup.com
- *www.seniorpeoplemeet.com
- *www.servicemagic.com
- *www.sexsearchcom.com
- *www.shaadi.com
- *www.shoedazzle.com
- *www.singleparentclick.com
- *www.singlesnet.com
- *www.singlesparentsnow.com
- *www.smartdealhomes.com
- *www.smileycentral.com
- *www.smokeremedy.com
- *www.smokersurveys.com
- *www.snapdollars.com
- *www.stimulusgrantapproval.com
- *www.stream-direct.com
- *www.superbrewards.com
- *www.surveyclub.com
- *www.sweetim.com
- *www.taxactonline.com
- *www.teleflora.com
- *www.textndate.com
- *www.thecutekid.com
- *www.thediscountsavingsclub.com
- *www.theepicmediagroup.com
- *www.theflip.com
- *www.thetower200.com
- *www.thinlaptoprewards.com
- *www.topconsumergifts.com
- *www.trade-in-value.com
- *www.travian.us
- *www.true.com
- *www.tryperfectskin.com
- *www.twinplan.com
- *www.upforit.com
- *www.usaresearchpanel.com
- *www.valorebooks.com
- *www.viarexlabs.com
- *www.weather.com
- *www.web2carz.com
- *www.webfetti.com
- *www.whitesmoke.com
- *www.winster.com
- *www.wmtrax.com
- *www.wowprizes.com
- *www.xxxmatch.com
- *www.zwinky.com
- *yourbigbrandrewards.com
- *yourgiftzone.com
- *YourOnlineQuote.com
- *yoursmartrewards.com
- *yttrk.com
- *zaazoomwhite.com
- *zales.com
- *zazzle.ca
- *zazzle.co.uk
- *zazzle.com
- *zazzle.es
- *ziprealty.com
- 7search.com
- ads.arcade-hq.com
- ads.quixsurf.com
- adultfriendfinder.com
- alltheweb.com
- alt.com
- amateur.imlive.com
- amigos.com
- asiafriendfinder.com
- asian.imlive.com
- au.altavista.com
- au.search.yahoo.com
- bad allocation
- bbw.imlive.com
- bigchurch.com
- black.imlive.com
- bondage.com
- boobs.imlive.com
- ca.search.yahoo.com
- cgi.search123.com
- crawlbar.com
- de.altavista.com
- de.mirago.com
- de.search.yahoo.com
- dine.com
- directory.jayde.com
- ditto.com
- emetasearch.com
- en.wikipedia.org
- fetish.imlive.com
- filipinofriendfinder.com
- findsearch.net
- fr.altavista.com
- fr.search.yahoo.com
- frenchfriendfinder.com
- friendfinder.com
- gay.imlive.com
- gayfriendfinder.com
- germanfriendfinder.com
- gradfinder.com
- guanxi.com
- hardcore.imlive.com
- hk.search.yahoo.com
- imlive.com
- indianfriendfinder.com
- instafinder.com
- italianfriendfinder.com
- jewishfriendfinder.com
- koreanfriendfinder.com
- kr.altavista.com
- kr.search.yahoo.com
- latina.imlive.com
- lesbian.imlive.com
- lesbianpersonals.com
- milf.imlive.com
- millionairemate.com
- netster.com
- nicecards.com
- nl.altavista.com
- nz.altavista.com
- outpersonals.com
- ox.arcade-hq.com
- passion.com
- pornstars.imlive.com
- query.nytimes.com
- scoutcrawl.com
- search.about.com
- search.aol.co.uk
- search.aol.com
- search.bbc.co.uk
- search.comcast.net
- search.daum.net
- search.dmoz.org
- search.earthlink.net
- search.live.com
- search.looksmart.com
- search.lycos.co.uk
- search.lycos.com
- search.mywebsearch.com
- search.netscape.com
- search.netzero.net
- search.orange.co.uk
- search.www.infoseek.co.jp
- search.yahoo.co.jp
- search.yahoo.com
- seniorfriendfinder.com
- skinondemand.dvdempire.com
- slim.com
- suche.lycos.de
- teen.imlive.com
- tranny.imlive.com
- travel.ian.com
- tw.search.yahoo.com
- uk.altavista.com
- uk.ask.com
- uk.search.yahoo.com
- uk.searchengine.com
- url.searchuk.com
- usseek.com
- vachercher.lycos.fr
- wesearchall.com
- what2find.com
- www.7search.com
- www.alexa.com
- www.alltheweb.com
- www.altavista.com
- www.amazon.com
- www.arcade-hq.com
- www.arcadehq.com
- www.ask.com
- www.bing.com
- www.crawlbar.com
- www.destinationadult.com
- www.ditto.com
- www.dogpile.com
- www.excite.co.jp
- www.findwhat.com
- www.goguides.org
- www.google
- www.google.be
- www.google.ca
- www.google.co.jp
- www.google.co.kr
- www.google.co.nz
- www.google.co.uk
- www.google.com
- www.google.com.au
- www.google.com.hk
- www.google.com.mx
- www.google.com.tw
- www.google.de
- www.google.es
- www.google.fr
- www.google.it
- www.google.nl
- www.hotbot.com
- www.imlive.com
- www.london-pages.co.uk
- www.mysearch.com
- www.netster.com
- www.northeastofengland.com
- www.recherche.aol.fr
- www.reference.com
- www.sensis.com.au
- www.sex.com
- www.ukindex.co.uk
- www.usseek.com
- your.rogers.com
- zoek.lycos.nl
- Connects to the following websites to display advertisements and redirect Web searches:
- http://{BLOCKED}209.3/a_rd.php?5
- http://{BLOCKED}209.3/a_rd.php?6
- http://{BLOCKED}diaish.com/?q=
- http://{BLOCKED}ixsurf.com/www/delivery/afr.php?n=a0b92312&zoneid=1&cb=
- http://{BLOCKED}ixsurf.com/www/delivery/afr.php?n=a62fffea&zoneid=4&cb=
- http://{BLOCKED}ixsurf.com/www/delivery/afr.php?n=a72b21ae&zoneid=3&cb=
- http://{BLOCKED}ixsurf.com/www/delivery/afr.php?n=abffca36&zoneid=2&cb=
- http://{BLOCKED}ixsurf.com/www/delivery/afr.php?n=ad90810e&zoneid=5&cb=
- http://{BLOCKED}riendfinder.com/go/g893078-pmo
- http://{BLOCKED}m/go/g893078-pct
- http://{BLOCKED}r.imlive.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL0000002_00000
- http://{BLOCKED}.com/go/g893078
- http://{BLOCKED}iendfinder.com/go/g893078
- http://{BLOCKED}imlive.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL0000005_00000
- http://{BLOCKED}live.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL000000D_00000
- http://{BLOCKED}rch.com/go/g893078
- http://{BLOCKED}imlive.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL0000008_00000
- http://{BLOCKED}e.com/go/g893078
- http://{BLOCKED}imlive.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL000000A_00000
- http://{BLOCKED}chingpok.com/?s=11
- http://{BLOCKED}chingpok.com/?s=3
- http://{BLOCKED}chingpok.com/?s=4
- http://{BLOCKED}om/go/g893078-pv
- http://{BLOCKED}.imlive.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL0000003_00000
- http://{BLOCKED}nofriendfinder.com/go/g893078
- http://{BLOCKED}friendfinder.com/go/g893078
- http://{BLOCKED}finder.com/go/g893078
- http://{BLOCKED}live.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL0000009_00000
- http://{BLOCKED}endfinder.com/go/g893078-pmem
- http://{BLOCKED}friendfinder.com/go/g893078-pct
- http://{BLOCKED}nder.com/go/g893078
- http://{BLOCKED}.com/go/g893078-pmem
- http://{BLOCKED}re.imlive.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL0000007_00000
- http://{BLOCKED}.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL0000000_00000
- http://{BLOCKED}friendfinder.com/go/g893078
- http://{BLOCKED}nfriendfinder.com/go/g893078
- http://{BLOCKED}friendfinder.com/go/g893078
- http://{BLOCKED}friendfinder.com/go/g893078
- http://{BLOCKED}.imlive.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL0000045_00000
- http://{BLOCKED}n.imlive.com/wmaster.asp?WID=124810085685&LinkID=1036&promocode=BCODEL0000004_00000
- http://{BLOCKED}npersonals.com/go/g893078-pmo
- http://{BLOCKED}mlive.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL000000C_00000
- http://{BLOCKED}nairemate.com/go/g893078-pmem
- http://{BLOCKED}rds.com/go/g893078-
- http://{BLOCKED}sonals.com/go/g893078-pct
- http://{BLOCKED}n.com/go/g893078-pmo
- http://{BLOCKED}.mercadolibre.com.mx/jm/PmsTrk?tool=5831684&go=http://computacion.mercadolibre.com.mx/
- http://{BLOCKED}ars.imlive.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL0000052_00000
- http://{BLOCKED}ct.qikjump.com/error/?v_url=
- http://{BLOCKED}ct.qikjump.com/rd.php?4049cf76aecd83e075d7b9c12d082625
- http://{BLOCKED}friendfinder.com/go/g893078
- http://{BLOCKED}demand.dvdempire.com/index2.asp?tab_id=1&partner_id=10165041
- http://{BLOCKED}om/go/g893078
- http://{BLOCKED}mlive.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL0000006_00000
- http://{BLOCKED}.imlive.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL000000B_00000
- http://www.{BLOCKED}.com/gp/product/
- http://www.{BLOCKED}.com/gp/search?ie=UTF8&keywords=
- http://www.{BLOCKED}-hq.com/
- http://www.{BLOCKED}redit.com/aff_ads.php?section=120x90
- http://www.{BLOCKED}redit.com/aff_ads.php?section=s.php?section=468125x125
- http://www.{BLOCKED}redit.com/aff_adx60
- http://www.{BLOCKED}boys.com/listpage.php?psid=quixsurf&pstour=t1&psprogram=PPS&pstool=15_1
- http://www.{BLOCKED}wnload747.com/m.php?a=
- http://www.{BLOCKED}ire.com/index.asp?tab_id=1&partner_id=10165041
- http://www.{BLOCKED}com/partners/aw.aspx?A=8618&G=23&Task=Get
- http://www.{BLOCKED}vvy.com/
- http://www.{BLOCKED}empire.com/index2.asp?tab_id=1&partner_id=10165041
- http://www.{BLOCKED}self.com/freechat.php?random&tags=girl&psid=quixsurf&pstour=t2&psprogram=PPS&template=freechat3&6cam&pstool=15_2
- http://www.{BLOCKED}smin.com/freechat.php?random&tags=girl&psid=quixsurf&pstour=t2&psprogram=PPS&template=freechat3&6cam&pstool=15_2
- http://www.{BLOCKED}ivates.com/freechat.php?random&tags=girl&psid=quixsurf&pstour=t2&psprogram=PPS&template=freechat3&6cam&pstool=15_2
- http://www.{BLOCKED}xasian.com/freechat.php?random&tags=girl+asian&psid=quixsurf&pstour=t2&psprogram=PPS&template=freechat3&6cam&pstool=15_2
- http://www.{BLOCKED}ds.com/freechat.php?random&tags=girl&psid=quixsurf&pstour=t2&psprogram=PPS&template=freechat3&6cam&pstool=15_2
- http://www.{BLOCKED}scam.com/freechat.php?random&tags=mature&psid=quixsurf&pstour=t2&psprogram=PPS&template=freechat3&6cam&pstool=15_2
- http://www.{BLOCKED}.com/freechat.php?random&tags=girl&psid=quixsurf&pstour=t2&psprogram=PPS&6cam&pstool=15_2
- http://www.{BLOCKED}online.net/search.php
- http://www.{BLOCKED}inder.com/
- http://www.{BLOCKED}inder.com/click.php/
- http://www.{BLOCKED}nycams.com/freechat.php?random&tags=transgender&psid=quixsurf&pstour=t2&psprogram=PPS&template=freechat3&6cam&pstool=15_2
- http://www.{BLOCKED}p.com/?zoneid=
- http://www.{BLOCKED}p.com/r.php?id=
- http://www.{BLOCKED}p.com/rda.php?id=
- http://www.{BLOCKED}rf.com/
- http://www.{BLOCKED}rf.com/ads_affiliate/
- http://www.{BLOCKED}rf.com/ads_affiliate/right
- http://www.{BLOCKED}rf.com/ads_affiliate/top
- http://www.{BLOCKED}ddyz.com/
- http://www.{BLOCKED}afly.com/
- http://www.{BLOCKED}afly.com/search/web/
- http://www.{BLOCKED}rgainonline.com/adscript_contextual.php?addcode=CD6592&bannerid=2611&optionalinfo=&deploy_id=74267&landing_id=0
- http://www.{BLOCKED}.ca/quixsurf?rf=238132766724741287
- http://www.{BLOCKED}.co.uk/quixsurf?rf=238132766724741287
- http://www.{BLOCKED}.com/quixsurf?rf=238132766724741287
- http://www.{BLOCKED}.es/quixsurf?rf=238132766724741287
SOLUTION
Minimum Scan Engine: 8.900
First VSAPI Pattern File: 7.950.07
First VSAPI Pattern Release Date: 05 Apr 2011
Step 1
For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Remove malware files dropped/downloaded by TROJ_EVADIPED.AM
- TROJ_MONKIF.AE
Step 3
Scan your computer with your Trend Micro product and note files detected as TROJ_EVADIPED.AM
Step 4
Restart in Safe Mode
Step 5
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CLASSES_ROOT: main.BHO
- In HKEY_CLASSES_ROOT: main.BHO.1
- In HKEY_CLASSES_ROOT\AppID: main.DLL
- In HKEY_CLASSES_ROOT\AppID: {A0E1054B-01EE-4D57-A059-4D99F339709F}
- In HKEY_CLASSES_ROOT\CLSID: {AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
- In HKEY_CLASSES_ROOT\Interface: {986A8AC1-AB4D-4F41-9068-4B01C0197867}
- In HKEY_CLASSES_ROOT\TypeLib: {8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects: {AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Step 6
Restart in normal mode and scan your computer with your Trend Micro product for files detected as TROJ_EVADIPED.AM. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.