TROJ_EVADIPED.AM

 Analysis by: Karl Dominguez

 PLATFORM:

Windows 2000, XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW


It monitors specific URLs. If users access these monitored sites, they are redirected by this malware to specific malicious sites.

This Trojan may be dropped by other malware.

  TECHNICAL DETAILS

File Size:

344,077 bytes

File Type:

DLL

Memory Resident:

No

Initial Samples Received Date:

05 Apr 2011

Payload:

Monitors Web browser, Connects to URLs/Ips

Arrival Details

This Trojan may be dropped by the following malware:

  • TROJ_MONKIF.AE

Autostart Technique

This Trojan registers as a BHO to ensure its automatic execution every time Internet Explorer is used by adding the following registry keys:

HKEY_CLASSES_ROOT\main.BHO

HKEY_CLASSES_ROOT\main.BHO.1

HKEY_CLASSES_ROOT\AppID\main.DLL

HKEY_CLASSES_ROOT\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F}

HKEY_CLASSES_ROOT\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}

HKEY_CLASSES_ROOT\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}

HKEY_CLASSES_ROOT\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}

It registers as a BHO to ensure its automatic execution every time Internet Explorer is used by adding the following registry entries:

HKEY_CLASSES_ROOT\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\
InprocServer32
(Default) = {malware path and file name}

Other Details

This Trojan does the following:

  • Monitors the Web browser of the affected system and open other Web pages when the following URLs are accessed:
    • *.123inkjets.com
    • *.2insure4less.com
    • *.4checks.com
    • *.4inkjets.com
    • *.abebooks.com
    • *.aced.com
    • *.adultfriendfinder.com
    • *.airfrance.com
    • *.alt.com
    • *.amigos.com
    • *.art.com
    • *.asiafriendfinder.com
    • *.askpcexperts.com
    • *.audible.com
    • *.autopartswarehouse.com
    • *.avenue.com
    • *.avis.com
    • *.avon.com
    • *.bestwestern.com
    • *.bigchurch.com
    • *.bingoliner.com
    • *.bodybuilding.com
    • *.bondage.com
    • *.brooksbrothers.com
    • *.buckle.com
    • *.budget.com
    • *.bustedtees.com
    • *.buy.com
    • *.cafepress.com
    • *.calendars.com
    • *.cooking.com
    • *.coupons.com
    • *.creditreport.com
    • *.date.com
    • *.delivery.com
    • *.dell.com
    • *.dentalplans.com
    • *.dine.com
    • *.drugstore.com
    • *.ea.com
    • *.ebags.com
    • *.ecampus.com
    • *.efax.com
    • *.eharmony.com
    • *.elitemate.com
    • *.emusic.com
    • *.endless.com
    • *.entertainment.com
    • *.equifax.com
    • *.expedia.com
    • *.extendedstayhotels.com
    • *.fansedge.com
    • *.fathead.com
    • *.filipinofriendfinder.com
    • *.finishline.com
    • *.footlocker.com
    • *.franklincovey.com
    • *.frenchfriendfinder.com
    • *.friendfinder.com
    • *.ftd.com
    • *.ftpress.com
    • *.fulltiltpoker.net
    • *.furniture.com
    • *.fye.com
    • *.gamefly.com
    • *.gamestop.com
    • *.gap.com
    • *.gayfriendfinder.com
    • *.geeks.com
    • *.germanfriendfinder.com
    • *.gifttree.com
    • *.golfsmith.com
    • *.gradfinder.com
    • *.guanxi.com
    • *.herroom.com
    • *.homestead.com
    • *.hotels.com
    • *.hottopic.com
    • *.hrblock.com
    • *.indianfriendfinder.com
    • *.intuit.com
    • *.italianfriendfinder.com
    • *.jellybelly.com
    • *.jewishfriendfinder.com
    • *.jr.com
    • *.kmart.com
    • *.kodakgallery.com
    • *.koreanfriendfinder.com
    • *.lacrosse.com
    • *.legalace.com
    • *.lesbianpersonals.com
    • *.lifelock.com
    • *.livetv4me.com
    • *.lnt.com
    • *.macmall.com
    • *.magazines.com
    • *.magicjack.com
    • *.match.com
    • *.millionairemate.com
    • *.mountaingear.com
    • *.music123.com
    • *.mycricket.com
    • *.myelectronics-depot.net
    • *.netflix.com
    • *.nicecards.com
    • *.officemax.com
    • *.otel.com
    • *.outpersonals.com
    • *.overstock.com
    • *.pacsun.com
    • *.passion.com
    • *.petco.com
    • *.points.com
    • *.priceline.com
    • *.printmything.com
    • *.proactiv.com
    • *.realtytrac.com
    • *.reefgear.com
    • *.restaurant.com
    • *.rushmypassport.com
    • *.rushmytravelvisa.com
    • *.savilerowco.com
    • *.sears.com
    • *.seniorfriendfinder.com
    • *.shoebuy.com
    • *.shoemall.com
    • *.shoes.com
    • *.shopnbc.com
    • *.singlesnet.com
    • *.skechers.com
    • *.slim.com
    • *.snapfish.com
    • *.sportsinteraction.com
    • *.t-mobile.com
    • *.target.com
    • *.thenorthface.com
    • *.ticketsnow.com
    • *.toms.com
    • *.tracfone.com
    • *.uniformcity.com
    • *.virgin-atlantic.com
    • *.vistaprint.com
    • *.westmarine.com
    • *.winhundred.com
    • *.wweshop.com
    • *.zoosk.com
    • *100dayloans.com
    • *24hourfitness.com
    • *5dimes.com
    • *a.websponsors.com
    • *absolutepoker.com
    • *acaiberryselect.com
    • *ad.gpotato.com
    • *adserve.brandgivewaycentre.com
    • *adserve.brandsamplecenter.com
    • *adserve.Urgent-Notification.com
    • *adultfriendfinder.com
    • *advanceautoparts.com
    • *affiliate.acntracker.com
    • *affiliate.fctracker.com
    • *affiliate.gwmtracker.com
    • *affiliate.ismtracker.com
    • *affiliate.tpptracker.com
    • *affiliates.2plus2media.com
    • *affiliates.cpanation.com
    • *affiliates.thecutekid.com
    • *affiliates.webjamads.com
    • *airfare.com
    • *alibris.com
    • *allposters.com
    • *allstate.com
    • *altawhite.com
    • *ameriadvance.com
    • *AmericaRX.com
    • *amerimark.com
    • *angieslist.com
    • *anytimecostumes.com
    • *api.gogetitdone.com
    • *apps.facebook.com
    • *arcade-hq*
    • *arcadeoldies.com*
    • *asseenonpc.directtrack.com
    • *avis.com
    • *barenecessities.com
    • *barnesandnoble.com
    • *basspro.com
    • *bbcamericashop.com
    • *bidrivals.directtrack.com
    • *bigbrandrewards.com
    • *bigcrumbs.com
    • *bing.com/search*q=*
    • *bodenusa.com
    • *bodog.com
    • *bodog.net
    • *bonus.club28282.com
    • *bonus.zingtones.tv
    • *booksonline.com
    • *bowflex.com
    • *bowflexhomegyms.com
    • *brigadeqm.com
    • *buymebeauty.com
    • *c2.flutteroo.com
    • *callawaygolfpreowned.com
    • *cameraboys.com
    • *camerakings.com
    • *campingworld.com
    • *cash.60minutepayday.com
    • *casinosplendido.com
    • *cduniverse.com
    • *cellphoneincentives.com
    • *cheapflights.com
    • *cheaptickets.com
    • *chemistry.com
    • *cigacease.com
    • *circuitcity.com
    • *click2go.org
    • *clicks.emarketmakers.com
    • *clubmed.us
    • *compusa.com
    • *condor.com
    • *congalotto.com
    • *consumergiftcards.com
    • *consumerincentivepromotions.com
    • *coolpremiums.com
    • *copdsignup.copdconnect.com
    • *costumediscounters.com
    • *costumekingdom.com
    • *cougarlife.com
    • *dazzlewhite.com
    • *dazzlewhitepro.com
    • *delias.com
    • *designhotels.com
    • *diamond.com
    • *dickssportinggoods.com
    • *digestit.com
    • *discountadvances.com
    • *disneymovieclub.go.com
    • *dl.freeze.com
    • *dl.installiq.com
    • *dnl.crawler.com
    • *download.couponalert.com
    • *download.dailybibleguide.com
    • *download.dailydollarguide.com
    • *download.guffins.com
    • *download.ourbabymaker.com
    • *download.televisionfanatic.com
    • *download.weatherblink.com
    • *doylescasino.com
    • *dpcsignup.depressionconnect.com
    • *drgsfreshpetfood.com
    • *drugstore.com
    • *DunhamsSports.com
    • *e-cig.org
    • *education.careers.org
    • *eleadztracks.com
    • *en.smartdate.com
    • *espnshop.com
    • *etoro.com
    • *exclusiveclicks.com
    • *exclusivegiftcards.com
    • *extendedstayhotels.com
    • *ezvehiclefinancing.com
    • *fabric.com
    • *fantapper.com
    • *fastwirefunds.com
    • *filmfanatic.mywebsearch.com
    • *fingerhut.com
    • *flightnetwork.com
    • *footsmart.com
    • *fragrance.com
    • *fragrancenet.com
    • *fredericks.com
    • *free.astrology.com
    • *friendschecker.com
    • *fulltiltpoker.com
    • *g.websponsors.com
    • *galleries.securewebsiteaccess.com
    • *gamecoins.com
    • *gameconsolerewards.com
    • *gamesneto.com
    • *gamevance.com
    • *gapc.go2jump.org
    • *gaydvdempire.com
    • *gevalia.com
    • *giftcertificates.com
    • *gnspf.com
    • *gofreecredit.com
    • *goldenlounge.com
    • *goodsamclub.com
    • *google.com/#hl*q=*
    • *google.com/#sclient*q=*
    • *google.com/search*q=*
    • *grandchase.ntreev.net
    • *greatdeals.idonowidont.com
    • *gtahotels.com
    • *harryanddavid.com
    • *hayhouse.com
    • *healthadvert.com
    • *hearingaids.miracle-ear.com
    • *hickoryfarms.com
    • *holidayrecipebook.diabeticconnect.com
    • *homeclick.com
    • *hookedonphonics.com
    • *hostelbookers.com
    • *hotelopia.com
    • *hotelplanner.com
    • *hotelroom.com
    • *hotelscombined.com
    • *hotgiftzone.com
    • *hotusa.com
    • *hotwire.com
    • *identityguard.com
    • *ileadsoffers.com
    • *ileadztracker.com
    • *inkgrabber.com
    • *insuranceapi.azoogleads.com
    • *intercontinental.com
    • *iphonesintocash.com
    • *iq.hot4cell.net
    • *iwager.com
    • *jcwhitney.com
    • *jennaclaire.com
    • *jetblue.com
    • *joesnewbalanceoutlet.com
    • *join1.winhundred.com
    • *joyourself.com
    • *junonia.com
    • *kardashiansmile.com
    • *karmaloop.com
    • *kazulah.smileycentral.com
    • *kitsusaga.aeriagames.com
    • *klm.com
    • *landing.grabaroo.com
    • *landing.singlesnet.com
    • *lastminute.com
    • *launch.roirocket.com
    • *lecconnectllc.go2jump.org
    • *lillianvernon.com
    • *livejasmin.com
    • *liveprivates.com
    • *livesexasian.com
    • *livingsocial.com
    • *lizclaiborne.com
    • *locale-redirect.html*
    • *lsawards.com
    • *ltlprints.com
    • *luggagefactory.com
    • *luggageonline.com
    • *lwken.com
    • *macys.com
    • *maturescam.com
    • *media303.com
    • *medifast1.com
    • *members.spiceornice.com
    • *mercadolibre.com.mx
    • *mhlnk.com
    • *mirror.nbstatic.com
    • *modells.com
    • *moosejaw.com
    • *motel6.com
    • *motorcycle-superstore.com
    • *musicspace.com
    • *my.amazingfreerewards.com
    • *mycams.com
    • *myelectronicrewards.com
    • *myfico.com
    • *myluci.com
    • *mynetfinder.com*
    • *myrapidquote.com
    • *myrewardsvault.com
    • *mytrannycams.com
    • *mywarrantyshop.com
    • *mywebface.mywebsearch.com
    • *nationalcarinsurancesite.com
    • *nationallifeinsurancesite.com
    • *network.kitaramarketplace.com
    • *networksolutions.com
    • *nextscholarapi.azoogleads.com
    • *nflshop.com
    • *nursesdirect.com
    • *nutrisystem.com
    • *offerbargain.com
    • *offers.motime.com.br
    • *officedepot.com
    • *oldnavy.com
    • *onlineshoes.com
    • *orbitz.com
    • *overnightprints.com
    • *ow2.orderwave.com
    • *pangya.ntreev.net
    • *partners.bidrivals.com
    • *partners.cotterweb.net
    • *partners.journeypass.com
    • *partners.nextadnetwork.com
    • *partners.topadmarket.com
    • *partners.valu-pass.com
    • *partstrain.com
    • *paydaymax.com
    • *paydayone.com
    • *perfectmatch.com
    • *personalcashbailout.com
    • *personalcreations.com
    • *personalizationmall.com
    • *petcarerx.com
    • *phobos.apple.com*
    • *playboystore.com
    • *playsushi.com
    • *pokeropolis.com
    • *premiumproductsonline.com
    • *premiumrewardclub.com
    • *psprint.com
    • *puma.com
    • *purecleanse360.com
    • *quickbooks.com
    • *quicken.intuit.com
    • *quikjmp*
    • *quixsurf*
    • *quoteit4me.com
    • *quotes.newcarsplus.com
    • *r.bargaincast.net
    • *r.prize-rewards.net
    • *redenvelope.com
    • *reg.coolsavings.com
    • *register.outspark.com
    • *register.paltalk.com
    • *registration1.mate1.com
    • *rembright.com
    • *rentalcars.com
    • *retrogamer.iwon.com
    • *reviews.angieslist.com
    • *revitol.com
    • *rewardedopinions.com
    • *riu.com
    • *sbfollow10.com
    • *scratch2cash.com
    • *scubastore.com
    • *search.yahoo.com*p=*
    • *secure.bidz.com
    • *secure.creditsesame.com
    • *secure.privatestudentloans.com
    • *secure.renaissancehealthpublishing.com
    • *seehere.com
    • *sellmyhouse.zipbuyer.com
    • *shaiya.aeriagames.com
    • *shindigz.com
    • *shop.nationalgeographic.com
    • *shopforbridal.com
    • *shopping.hp.com
    • *shutterfly.com
    • *shuttledirect.com
    • *sierratradingpost.com
    • *signup.arthritisconnect.com
    • *singlesnetdating.com
    • *skinbotanica.com
    • *skincarerx.com
    • *skis.com
    • *sky-tours.com
    • *skype.com
    • *smartbargains.com
    • *smartlifeinsurance.com
    • *smartwhitesmile.com
    • *smcbigprofits.com
    • *smithnoble.com
    • *snorelesspillow.com
    • *spencergifts.com
    • *spirithalloween.com
    • *starwoodhotels.com
    • *stevemadden.com
    • *store.discovery.com
    • *store.ecomom.com
    • *store.scholastic.com
    • *store.theflip.com
    • *supermart.com
    • *surveyhead.com
    • *techdepot.com
    • *thenerds.net
    • *thesmartcreditsolution.securelinkcorp.com
    • *thingsremembered.com
    • *thinkcreditreports.com
    • *thinkgeek.com
    • *this.content.served.by.adshuffle.com
    • *thumbplay.com
    • *ticketmaster.com
    • *ticketnetwork.com
    • *TigerDirect.com
    • *timeandgems.com
    • *tippr.com
    • *tjformal.com
    • *toolbar.inbox.com
    • *topbrandsa.com
    • *topbrandsamples.com
    • *tour1.passionsearch.com
    • *track.amazing-brand-rewards.net
    • *track.freezinger.com
    • *track.opinion-reward-center.net
    • *track.SocialSurveys.us
    • *tracking.singlesnet.com
    • *trillionario.com
    • *truecredit.com
    • *trustedid.com
    • *turbotax.com
    • *ultimatebet.com
    • *ultimatebet.net
    • *urbanposters.com
    • *us.darkorbit.bigpoint.com
    • *us.fotolia.com
    • *us.runesofmagic.com
    • *ussearch.com
    • *vayama.com
    • *vermontteddybear.com
    • *visiondirect.com
    • *vitaminworld.com
    • *walgreens.com
    • *walmart.com
    • *wbshop.com
    • *websites.intuit.com
    • *wintrillions.com
    • *wireless.att.com
    • *worldlacrosseshop.com
    • *worldrugbyshop.com
    • *worldsoccershop.com
    • *ww.dvdempire.com
    • *wwbw.com
    • *www.2minuteseo.com
    • *www.acidxgames.com
    • *www.adf01.net
    • *www.alkamate.com
    • *www.ameriadvance.com
    • *www.amolatina.com
    • *www.amor.com
    • *www.anastasiadate.com
    • *www.ascentive.com
    • *www.ashleymadison.com
    • *www.asianbeauties.com
    • *www.autoloansolutions.com
    • *www.babylon.com
    • *www.babytobee.com
    • *www.bankruptcyprograms.com
    • *www.bebeverlyhills.com
    • *www.benaughty.com
    • *www.bettercareersearch.com
    • *www.bidcactus.com
    • *www.bidcactusreg.com
    • *www.bidz.com
    • *www.bkginstaller.com
    • *www.bookrenter.com
    • *www.brandsurveypanel.com
    • *www.briTrack.com
    • *www.bustedtees.com
    • *www.buycostumes.com
    • *www.buythebodyshaper.com
    • *www.buyz.com
    • *www.buzzdock.com
    • *www.carsdirect.com
    • *www.cartoonly.com
    • *www.cash4offers.com
    • *www.cashcrate.com
    • *www.cashin10.com
    • *www.cashtoday911.com
    • *www.catholicsoulmates.com
    • *www.celebrateexpress.com
    • *www.cellphoneincentives.com
    • *www.cellphonereward.com
    • *www.chopstick16.com
    • *www.christianmatchmaker.com
    • *www.christianmingle.com
    • *www.clicknkids.com
    • *www.clixmerchant.com
    • *www.clixsoffer.com
    • *www.cobra-info.com
    • *www.constructiondeal.com
    • *www.consumergiftcards.com
    • *www.consumerincentiverewards.com
    • *www.consumerrewards.us.com
    • *www.cookingtiprewards.com
    • *www.coolpremiums.com
    • *www.corazon.com
    • *www.cougarunite.com
    • *www.couponplanet.net
    • *www.credit.com
    • *www.creditreport.com
    • *www.creditscoreid.com
    • *www.creditscorepro.com
    • *www.cupid.com
    • *www.cursormania.com
    • *www.customsnuggie.com
    • *www.date.com
    • *www.dentalplans.com
    • *www.dermitage.com
    • *www.digsby.com
    • *www.diningsurveys.us.com
    • *www.dream-asians.com
    • *www.dream-marriage.com
    • *www.e-researchcouncil.com
    • *www.easyquotefinder.net
    • *www.efax.com
    • *www.eharmony.com
    • *www.emusic.com
    • *www.epicdirectnetwork.com
    • *www.epicvideoarcade.com
    • *www.equifaxcreditscorenow.com
    • *www.exclusivegiftcards.com
    • *www.facetheme.com
    • *www.fastloan.com
    • *www.favoriteconsumerbrands.com
    • *www.findlifequotes.com
    • *www.flirt.com
    • *www.floraqueen.com
    • *www.flycell.com
    • *www.fosinaoffers.com
    • *www.foxy-singles.com
    • *www.freecollegescholarships.net
    • *www.freegamessource.com
    • *www.freeridegames.com
    • *www.gadgetcenter.us.com
    • *www.gameconsolerewards.com
    • *www.gamefly.com
    • *www.gamemine.com
    • *www.gamevance.com
    • *www.gaydating.com
    • *www.gerberlife.com
    • *www.girlsdateforfree.com
    • *www.gizmodepot.us.com
    • *www.gofreecredit.com
    • *www.gogetautoinsurance.com
    • *www.gogethealthadvice.com
    • *www.gogethealthcoverage.com
    • *www.gogetitdone.com
    • *www.gogetlifeinsurance.com
    • *www.gogetmortgagerate.com
    • *www.gogetrushcard.com
    • *www.gradeguru.com
    • *www.hcgultradiet.com
    • *www.healthquoteinsider.com
    • *www.holabirdsports.com
    • *www.holidayshoppingrewards.com
    • *www.homestead.com
    • *www.hookup.com
    • *www.iminent.com
    • *www.imvu.com
    • *www.inboxdollars.com
    • *www.incredimail.com
    • *www.inklineglobal.com
    • *www.insuremeonline.com
    • *www.intelius.com
    • *www.iwon.com
    • *www.jdate.com
    • *www.jewcier.com
    • *www.kazulah.com
    • *www.lavalife.com
    • *www.lctrk.com
    • *www.leanbodyx.com
    • *www.lifequoteinsider.com
    • *www.match.com
    • *www.matchmaker.com
    • *www.mate1.com
    • *www.mate1singles.com
    • *www.maturesinglesclick.com
    • *www.megamorpher.com
    • *www.moneyminters.com
    • *www.moremobilefun.com
    • *www.motime.ca
    • *www.myconsumerrewards.co.uk
    • *www.myexclusiverewards.com
    • *www.myfuncards.com
    • *www.myjupiterjack.com
    • *www.mypremiumrewards.com
    • *www.myrewardchannel.com
    • *www.myvbook.com
    • *www.nationalsurveypanel.com
    • *www.nationwideopinionpanel.com
    • *www.netdegree.com
    • *www.netloansearch.com
    • *www.new8reports.com
    • *www.nextjobfromhome.biz
    • *www.nextpaydayonline.com
    • *www.noriskinvestor.com
    • *www.offerfusion.com
    • *www.offermerchant.com
    • *www.offersfromqh.com
    • *www.officialsurveypanel.com
    • *www.omahasteaks.com
    • *www.onlinegiftrewards.com
    • *www.onlinerewardcenter.com
    • *www.ookisa.com
    • *www.order-ez.com
    • *www.pagerage.com
    • *www.partnerwithpaul.com
    • *www.perfectmatch.com
    • *www.planet49.us
    • *www.planetsappho.com
    • *www.planningfamily.com
    • *www.playsushi.com
    • *www.plazmablaster.com
    • *www.plundr.com
    • *www.policygo.com
    • *www.popularscreensavers.com
    • *www.premiumproductsonline.com
    • *www.premiumrewardclub.com
    • *www.profinity.com
    • *www.profitconfidential.com
    • *www.purehoodiaselect.com
    • *www.qualityhealth.com
    • *www.quoteit4me.com
    • *www.quotewhizhealth.com
    • *www.ratemarketplace.com
    • *www.realmaturesingles.com
    • *www.refinancemyplace.com
    • *www.resourcesforamericans.info
    • *www.responsivecapture.com
    • *www.retrogamer.com
    • *www.rewardaisle.com
    • *www.rfantrack.com
    • *www.rushcard.com
    • *www.save500.com
    • *www.scholarships4dads.com
    • *www.scholarships4moms.net
    • *www.scholarships4workingadults.com
    • *www.scholarshipzone.com
    • *www.seafight.bigpoint.com
    • *www.searchcactus.com
    • *www.securecardsignup.com
    • *www.seniorpeoplemeet.com
    • *www.servicemagic.com
    • *www.sexsearchcom.com
    • *www.shaadi.com
    • *www.shoedazzle.com
    • *www.singleparentclick.com
    • *www.singlesnet.com
    • *www.singlesparentsnow.com
    • *www.smartdealhomes.com
    • *www.smileycentral.com
    • *www.smokeremedy.com
    • *www.smokersurveys.com
    • *www.snapdollars.com
    • *www.stimulusgrantapproval.com
    • *www.stream-direct.com
    • *www.superbrewards.com
    • *www.surveyclub.com
    • *www.sweetim.com
    • *www.taxactonline.com
    • *www.teleflora.com
    • *www.textndate.com
    • *www.thecutekid.com
    • *www.thediscountsavingsclub.com
    • *www.theepicmediagroup.com
    • *www.theflip.com
    • *www.thetower200.com
    • *www.thinlaptoprewards.com
    • *www.topconsumergifts.com
    • *www.trade-in-value.com
    • *www.travian.us
    • *www.true.com
    • *www.tryperfectskin.com
    • *www.twinplan.com
    • *www.upforit.com
    • *www.usaresearchpanel.com
    • *www.valorebooks.com
    • *www.viarexlabs.com
    • *www.weather.com
    • *www.web2carz.com
    • *www.webfetti.com
    • *www.whitesmoke.com
    • *www.winster.com
    • *www.wmtrax.com
    • *www.wowprizes.com
    • *www.xxxmatch.com
    • *www.zwinky.com
    • *yourbigbrandrewards.com
    • *yourgiftzone.com
    • *YourOnlineQuote.com
    • *yoursmartrewards.com
    • *yttrk.com
    • *zaazoomwhite.com
    • *zales.com
    • *zazzle.ca
    • *zazzle.co.uk
    • *zazzle.com
    • *zazzle.es
    • *ziprealty.com
    • 7search.com
    • ads.arcade-hq.com
    • ads.quixsurf.com
    • adultfriendfinder.com
    • alltheweb.com
    • alt.com
    • amateur.imlive.com
    • amigos.com
    • asiafriendfinder.com
    • asian.imlive.com
    • au.altavista.com
    • au.search.yahoo.com
    • bad allocation
    • bbw.imlive.com
    • bigchurch.com
    • black.imlive.com
    • bondage.com
    • boobs.imlive.com
    • ca.search.yahoo.com
    • cgi.search123.com
    • crawlbar.com
    • de.altavista.com
    • de.mirago.com
    • de.search.yahoo.com
    • dine.com
    • directory.jayde.com
    • ditto.com
    • emetasearch.com
    • en.wikipedia.org
    • fetish.imlive.com
    • filipinofriendfinder.com
    • findsearch.net
    • fr.altavista.com
    • fr.search.yahoo.com
    • frenchfriendfinder.com
    • friendfinder.com
    • gay.imlive.com
    • gayfriendfinder.com
    • germanfriendfinder.com
    • gradfinder.com
    • guanxi.com
    • hardcore.imlive.com
    • hk.search.yahoo.com
    • imlive.com
    • indianfriendfinder.com
    • instafinder.com
    • italianfriendfinder.com
    • jewishfriendfinder.com
    • koreanfriendfinder.com
    • kr.altavista.com
    • kr.search.yahoo.com
    • latina.imlive.com
    • lesbian.imlive.com
    • lesbianpersonals.com
    • milf.imlive.com
    • millionairemate.com
    • netster.com
    • nicecards.com
    • nl.altavista.com
    • nz.altavista.com
    • outpersonals.com
    • ox.arcade-hq.com
    • passion.com
    • pornstars.imlive.com
    • query.nytimes.com
    • scoutcrawl.com
    • search.about.com
    • search.aol.co.uk
    • search.aol.com
    • search.bbc.co.uk
    • search.comcast.net
    • search.daum.net
    • search.dmoz.org
    • search.earthlink.net
    • search.live.com
    • search.looksmart.com
    • search.lycos.co.uk
    • search.lycos.com
    • search.mywebsearch.com
    • search.netscape.com
    • search.netzero.net
    • search.orange.co.uk
    • search.www.infoseek.co.jp
    • search.yahoo.co.jp
    • search.yahoo.com
    • seniorfriendfinder.com
    • skinondemand.dvdempire.com
    • slim.com
    • suche.lycos.de
    • teen.imlive.com
    • tranny.imlive.com
    • travel.ian.com
    • tw.search.yahoo.com
    • uk.altavista.com
    • uk.ask.com
    • uk.search.yahoo.com
    • uk.searchengine.com
    • url.searchuk.com
    • usseek.com
    • vachercher.lycos.fr
    • wesearchall.com
    • what2find.com
    • www.7search.com
    • www.alexa.com
    • www.alltheweb.com
    • www.altavista.com
    • www.amazon.com
    • www.arcade-hq.com
    • www.arcadehq.com
    • www.ask.com
    • www.bing.com
    • www.crawlbar.com
    • www.destinationadult.com
    • www.ditto.com
    • www.dogpile.com
    • www.excite.co.jp
    • www.findwhat.com
    • www.goguides.org
    • www.google
    • www.google.be
    • www.google.ca
    • www.google.co.jp
    • www.google.co.kr
    • www.google.co.nz
    • www.google.co.uk
    • www.google.com
    • www.google.com.au
    • www.google.com.hk
    • www.google.com.mx
    • www.google.com.tw
    • www.google.de
    • www.google.es
    • www.google.fr
    • www.google.it
    • www.google.nl
    • www.hotbot.com
    • www.imlive.com
    • www.london-pages.co.uk
    • www.mysearch.com
    • www.netster.com
    • www.northeastofengland.com
    • www.recherche.aol.fr
    • www.reference.com
    • www.sensis.com.au
    • www.sex.com
    • www.ukindex.co.uk
    • www.usseek.com
    • your.rogers.com
    • zoek.lycos.nl
  • Connects to the following websites to display advertisements and redirect Web searches:
    • http://{BLOCKED}209.3/a_rd.php?5
    • http://{BLOCKED}209.3/a_rd.php?6
    • http://{BLOCKED}diaish.com/?q=
    • http://{BLOCKED}ixsurf.com/www/delivery/afr.php?n=a0b92312&zoneid=1&cb=
    • http://{BLOCKED}ixsurf.com/www/delivery/afr.php?n=a62fffea&zoneid=4&cb=
    • http://{BLOCKED}ixsurf.com/www/delivery/afr.php?n=a72b21ae&zoneid=3&cb=
    • http://{BLOCKED}ixsurf.com/www/delivery/afr.php?n=abffca36&zoneid=2&cb=
    • http://{BLOCKED}ixsurf.com/www/delivery/afr.php?n=ad90810e&zoneid=5&cb=
    • http://{BLOCKED}riendfinder.com/go/g893078-pmo
    • http://{BLOCKED}m/go/g893078-pct
    • http://{BLOCKED}r.imlive.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL0000002_00000
    • http://{BLOCKED}.com/go/g893078
    • http://{BLOCKED}iendfinder.com/go/g893078
    • http://{BLOCKED}imlive.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL0000005_00000
    • http://{BLOCKED}live.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL000000D_00000
    • http://{BLOCKED}rch.com/go/g893078
    • http://{BLOCKED}imlive.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL0000008_00000
    • http://{BLOCKED}e.com/go/g893078
    • http://{BLOCKED}imlive.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL000000A_00000
    • http://{BLOCKED}chingpok.com/?s=11
    • http://{BLOCKED}chingpok.com/?s=3
    • http://{BLOCKED}chingpok.com/?s=4
    • http://{BLOCKED}om/go/g893078-pv
    • http://{BLOCKED}.imlive.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL0000003_00000
    • http://{BLOCKED}nofriendfinder.com/go/g893078
    • http://{BLOCKED}friendfinder.com/go/g893078
    • http://{BLOCKED}finder.com/go/g893078
    • http://{BLOCKED}live.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL0000009_00000
    • http://{BLOCKED}endfinder.com/go/g893078-pmem
    • http://{BLOCKED}friendfinder.com/go/g893078-pct
    • http://{BLOCKED}nder.com/go/g893078
    • http://{BLOCKED}.com/go/g893078-pmem
    • http://{BLOCKED}re.imlive.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL0000007_00000
    • http://{BLOCKED}.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL0000000_00000
    • http://{BLOCKED}friendfinder.com/go/g893078
    • http://{BLOCKED}nfriendfinder.com/go/g893078
    • http://{BLOCKED}friendfinder.com/go/g893078
    • http://{BLOCKED}friendfinder.com/go/g893078
    • http://{BLOCKED}.imlive.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL0000045_00000
    • http://{BLOCKED}n.imlive.com/wmaster.asp?WID=124810085685&LinkID=1036&promocode=BCODEL0000004_00000
    • http://{BLOCKED}npersonals.com/go/g893078-pmo
    • http://{BLOCKED}mlive.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL000000C_00000
    • http://{BLOCKED}nairemate.com/go/g893078-pmem
    • http://{BLOCKED}rds.com/go/g893078-
    • http://{BLOCKED}sonals.com/go/g893078-pct
    • http://{BLOCKED}n.com/go/g893078-pmo
    • http://{BLOCKED}.mercadolibre.com.mx/jm/PmsTrk?tool=5831684&go=http://computacion.mercadolibre.com.mx/
    • http://{BLOCKED}ars.imlive.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL0000052_00000
    • http://{BLOCKED}ct.qikjump.com/error/?v_url=
    • http://{BLOCKED}ct.qikjump.com/rd.php?4049cf76aecd83e075d7b9c12d082625
    • http://{BLOCKED}friendfinder.com/go/g893078
    • http://{BLOCKED}demand.dvdempire.com/index2.asp?tab_id=1&partner_id=10165041
    • http://{BLOCKED}om/go/g893078
    • http://{BLOCKED}mlive.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL0000006_00000
    • http://{BLOCKED}.imlive.com/wmaster.asp?WID=124810085685&LinkID=701&promocode=BCODEL000000B_00000
    • http://www.{BLOCKED}.com/gp/product/
    • http://www.{BLOCKED}.com/gp/search?ie=UTF8&keywords=
    • http://www.{BLOCKED}-hq.com/
    • http://www.{BLOCKED}redit.com/aff_ads.php?section=120x90
    • http://www.{BLOCKED}redit.com/aff_ads.php?section=s.php?section=468125x125
    • http://www.{BLOCKED}redit.com/aff_adx60
    • http://www.{BLOCKED}boys.com/listpage.php?psid=quixsurf&pstour=t1&psprogram=PPS&pstool=15_1
    • http://www.{BLOCKED}wnload747.com/m.php?a=
    • http://www.{BLOCKED}ire.com/index.asp?tab_id=1&partner_id=10165041
    • http://www.{BLOCKED}com/partners/aw.aspx?A=8618&G=23&Task=Get
    • http://www.{BLOCKED}vvy.com/
    • http://www.{BLOCKED}empire.com/index2.asp?tab_id=1&partner_id=10165041
    • http://www.{BLOCKED}self.com/freechat.php?random&tags=girl&psid=quixsurf&pstour=t2&psprogram=PPS&template=freechat3&6cam&pstool=15_2
    • http://www.{BLOCKED}smin.com/freechat.php?random&tags=girl&psid=quixsurf&pstour=t2&psprogram=PPS&template=freechat3&6cam&pstool=15_2
    • http://www.{BLOCKED}ivates.com/freechat.php?random&tags=girl&psid=quixsurf&pstour=t2&psprogram=PPS&template=freechat3&6cam&pstool=15_2
    • http://www.{BLOCKED}xasian.com/freechat.php?random&tags=girl+asian&psid=quixsurf&pstour=t2&psprogram=PPS&template=freechat3&6cam&pstool=15_2
    • http://www.{BLOCKED}ds.com/freechat.php?random&tags=girl&psid=quixsurf&pstour=t2&psprogram=PPS&template=freechat3&6cam&pstool=15_2
    • http://www.{BLOCKED}scam.com/freechat.php?random&tags=mature&psid=quixsurf&pstour=t2&psprogram=PPS&template=freechat3&6cam&pstool=15_2
    • http://www.{BLOCKED}.com/freechat.php?random&tags=girl&psid=quixsurf&pstour=t2&psprogram=PPS&6cam&pstool=15_2
    • http://www.{BLOCKED}online.net/search.php
    • http://www.{BLOCKED}inder.com/
    • http://www.{BLOCKED}inder.com/click.php/
    • http://www.{BLOCKED}nycams.com/freechat.php?random&tags=transgender&psid=quixsurf&pstour=t2&psprogram=PPS&template=freechat3&6cam&pstool=15_2
    • http://www.{BLOCKED}p.com/?zoneid=
    • http://www.{BLOCKED}p.com/r.php?id=
    • http://www.{BLOCKED}p.com/rda.php?id=
    • http://www.{BLOCKED}rf.com/
    • http://www.{BLOCKED}rf.com/ads_affiliate/
    • http://www.{BLOCKED}rf.com/ads_affiliate/right
    • http://www.{BLOCKED}rf.com/ads_affiliate/top
    • http://www.{BLOCKED}ddyz.com/
    • http://www.{BLOCKED}afly.com/
    • http://www.{BLOCKED}afly.com/search/web/
    • http://www.{BLOCKED}rgainonline.com/adscript_contextual.php?addcode=CD6592&bannerid=2611&optionalinfo=&deploy_id=74267&landing_id=0
    • http://www.{BLOCKED}.ca/quixsurf?rf=238132766724741287
    • http://www.{BLOCKED}.co.uk/quixsurf?rf=238132766724741287
    • http://www.{BLOCKED}.com/quixsurf?rf=238132766724741287
    • http://www.{BLOCKED}.es/quixsurf?rf=238132766724741287

  SOLUTION

Minimum Scan Engine:

8.900

FIRST VSAPI PATTERN FILE:

7.950.07

FIRST VSAPI PATTERN DATE:

05 Apr 2011

Step 1

For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove malware files dropped/downloaded by TROJ_EVADIPED.AM

     TROJ_MONKIF.AE

Step 3

Scan your computer with your Trend Micro product and note files detected as TROJ_EVADIPED.AM

Step 4

Restart in Safe Mode

[ Learn More ]

Step 5

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer"s registry.

 
  • In HKEY_CLASSES_ROOT
    • main.BHO
  • In HKEY_CLASSES_ROOT
    • main.BHO.1
  • In HKEY_CLASSES_ROOT\AppID
    • main.DLL
  • In HKEY_CLASSES_ROOT\AppID
    • {A0E1054B-01EE-4D57-A059-4D99F339709F}
  • In HKEY_CLASSES_ROOT\CLSID
    • {AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
  • In HKEY_CLASSES_ROOT\Interface
    • {986A8AC1-AB4D-4F41-9068-4B01C0197867}
  • In HKEY_CLASSES_ROOT\TypeLib
    • {8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    • {AFD4AD01-58C1-47DB-A404-FBE00A6C5486}

Step 6

Restart in normal mode and scan your computer with your Trend Micro product for files detected as TROJ_EVADIPED.AM If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.