Submission Summary:

What's been found | Severity Level
Downloads/requests other files from Internet.
Registers a 32-bit in-process server DLL.
Contains characteristics of an identified security risk.


Technical Details:


Threat Category | Description
Possible Security Risk | A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment


File System Modifications

# | Filename(s) | File Size | File Hash | Alias
1 %Temp%\sremove.exe.1.log 53 bytes MD5: 0x2F9A1CB96A01780037003D9393D7BA7F
SHA-1: 0xA23BBEC374B2AB48F47D83433E323C0C81F6FB71
(not available)
2 %ProgramFiles%\3721\3721\alliveex.dll 142,664 bytes MD5: 0x8E222BA7531B6144EB7A95E38D83FC13
SHA-1: 0x2C26F41B07B7E052CD44C3C5956268CA099C624F
CnsMin [McAfee]
AdWare.CnsMin.B.2 [Ikarus]
3 %ProgramFiles%\3721\3721\AutoLive.dll 130,376 bytes MD5: 0x3E826A5BA620E7B96196B967C91B6D3F
SHA-1: 0x2770060919C590E1C03DB497080750F245AEB3F4
CnsMin [McAfee]
4 %ProgramFiles%\3721\3721\Helper.dll 40,264 bytes MD5: 0x436219F60BF969E715B81671D4BA7A3D
SHA-1: 0x7771C9BFDD4FC845F5339ED7B6A13113AA013719
CnsMin [McAfee]
Spyware:Win32/CnsMin [Microsoft]
Trojan.Generic [Ikarus]
5 %ProgramFiles%\3721\alLiveEx.dll 139,264 bytes MD5: 0x36682C96F28DDE1DC1CB8925404EDD0B
SHA-1: 0xBC36DF3C8A102F60647854066C621134F334DC77
Generic PUP.z [McAfee]
Mal/Generic-L [Sophos]
Spyware:Win32/CnsMin [Microsoft]
Spyware.Win32.CnsMin [Ikarus]
6 %ProgramFiles%\3721\alrex.dll 32,072 bytes MD5: 0xE8078DB51ABF2C3AF35D8F7931D17B06
SHA-1: 0x4E357016A8DD22C083C59B25C21D130566E8AA95
CnsMin [McAfee]
Virus.Win32.Cnsmin [Ikarus]
7 %ProgramFiles%\3721\Assist\adfilter.dll 38,912 bytes MD5: 0x349F6FBEC9374F19E1339E1F6342E805
SHA-1: 0xCDA8DC8024FE653DFE6E2125CD8F9612E6835856
Generic PWS.y [McAfee]
Mal/Generic-L [Sophos]
Spyware:Win32/CnsMin [Microsoft]
AdWare.CnsMin.A [Ikarus]
Win-Trojan/Cnsmin.38912 [AhnLab]
8 %ProgramFiles%\3721\Assist\Angling.dll 159,744 bytes MD5: 0x1E4E33938822FF8351503C80F1E65728
SHA-1: 0x7DF5398F7B73B982097B2DA31A35C6B897990400
(not available)
9 %ProgramFiles%\3721\Assist\asbar.dll 159,744 bytes MD5: 0x5C1EF3DCDD7632F3B24689BADE8376C8
SHA-1: 0x3A62FC23CEAA95B601A35D157AC0888326577270
Adware-CoolBar [McAfee]
Mal/Generic-L [Sophos]
Spyware:Win32/CnsMin [Microsoft]
Virus.Win32.Asibar [Ikarus]
10 %ProgramFiles%\3721\Assist\ascenter.exe 81,920 bytes MD5: 0x0287D78EB8380BB5BD337A7DF30CF2E3
SHA-1: 0x11869FA5CA71260EB241FEDD38BE125EC3415A0F
Generic PUP.z [McAfee]
Mal/Generic-L [Sophos]
Spyware:Win32/CnsMin [Microsoft]
Spyware.Win32.CnsMin [Ikarus]
11 %ProgramFiles%\3721\Assist\asctrlh.dll 13,312 bytes MD5: 0x8F52F5CFF871E6ABF4952688813F7FCF
SHA-1: 0x7C7E2C657D87A749C9C66745F35E9BCBB8606C55
Spyware:Win32/CnsMin [Microsoft]
Spyware [Ikarus]
12 %ProgramFiles%\3721\Assist\asfsks.dll 104,960 bytes MD5: 0xC80423EF1977B1D25FAA45E58FF3D105
SHA-1: 0xA3387277DBA0A7792DE189C8BC4A86E7D20F42CB
Generic PUP.z [McAfee]
Spyware:Win32/CnsMin [Microsoft]
Spyware.Win32.CnsMin [Ikarus]
packed with UPX [Kaspersky Lab]
13 %ProgramFiles%\3721\Assist\asiesec.dll 221,184 bytes MD5: 0x5BBC06B3B3BC058A1FFA25D089E00E42
SHA-1: 0x73E50A0BC990AE13C9217F42F3E1EF91EB173170
(not available)
14 %ProgramFiles%\3721\Assist\asnoad.dll 118,784 bytes MD5: 0x26D4629F7DA52B32113AD715C942BEEA
SHA-1: 0x5D6399F0328E5B60F79790C2BD4044B910B4B990
Generic PWS.y [McAfee]
Spyware:Win32/CnsMin [Microsoft]
Spyware.Win32.CnsMin [Ikarus]
15 %ProgramFiles%\3721\Assist\assecblk.dll 49,152 bytes MD5: 0x12C853830CC8A6F5B8C808F5FE47B39B
SHA-1: 0xD5E71F6807793B7341EDDAA3455EDD500F8D6956
Generic PWS.y!bee [McAfee]
Spyware:Win32/CnsMin [Microsoft]
Spyware [Ikarus]
16 %ProgramFiles%\3721\Assist\assistex.dll 28,672 bytes MD5: 0xDD04A77E3F8C2CE1CBA0BDC420A43178
SHA-1: 0xBEDC007DA211FCA5B8A19D2F8D13565667BBE256
(not available)
17 %ProgramFiles%\3721\Assist\aswiper.dll 131,072 bytes MD5: 0xDB381DF09AEDE4F42E8A6E9BB4DABB8A
SHA-1: 0x753676570729BEAD9B66EDD1B0DF55201F3FA3EA
Generic PUP.z [McAfee]
Mal/Generic-L [Sophos]
Spyware:Win32/CnsMin [Microsoft]
CC.Agent.CU [Ikarus]
18 %ProgramFiles%\3721\Assist\ieacore.dll 135,680 bytes MD5: 0x780EB6B6BF7D452C0F88E9736802B76A
SHA-1: 0x6A59C65D6297074C34F00314A9A51869E6D02640
AdWare.Cdn [Ikarus]
packed with UPX [Kaspersky Lab]
19 %ProgramFiles%\3721\Assist\optimum.dll 32,768 bytes MD5: 0x306E32CB1433AAB2A87EE99C8BFA32B4
SHA-1: 0x2F3A4643362AFDFAD6085E4EC572909BCEF7AC0A
CnsMin [McAfee]
Mal/Generic-L [Sophos]
Spyware:Win32/CnsMin [Microsoft]
AdWare.CnsMin.A [Ikarus]
20 %ProgramFiles%\3721\Assist\repair.dll 163,840 bytes MD5: 0x8171EC417710F0D11FF2789D1B46A43F
SHA-1: 0xE6851BB6F9AB2E0F1954597CEC5376C2A10A60AD
(not available)
21 %ProgramFiles%\3721\Assist\TbWrap.dll 167,936 bytes MD5: 0x3B98078EFEB0D7774828D25351305B28
SHA-1: 0xEBE0059128B6430D38AEA58B1BE0DE7C4E72ACAE
Generic PUP.z!j [McAfee]
Mal/Generic-L [Sophos]
Spyware:Win32/CnsMin [Microsoft]
Spyware.Win32.CnsMin [Ikarus]
Win-Trojan/Cnsmin.167936 [AhnLab]
22 %ProgramFiles%\3721\Assist\yalive.dll
%ProgramFiles%\Yahoo!\Assistant\YAlive.dll
433,584 bytes MD5: 0xFF8F996F5DE9AD1A69D352B52F1A21F2
SHA-1: 0x6B0623331F2201A93E77978CB0EBA97E85347D7C
(not available)
23 %ProgramFiles%\3721\AssistSe.exe 65,536 bytes MD5: 0x664373E4F181B8053363FD68CDD15697
SHA-1: 0xA885DD7DF7712C047FBBC8A5A08216409BB2273F
Generic PWS.y!bds [McAfee]
Mal/Generic-L [Sophos]
Spyware:Win32/CnsMin [Microsoft]
Spyware.Win32.CnsMin [Ikarus]
24 %ProgramFiles%\3721\AutoLive.dll 143,360 bytes MD5: 0x22AEB3A59DDC59EA14393B8B47C9B277
SHA-1: 0x05006A105BE16397310BBA9147556C1530D17F34
CnsMin [McAfee]
AdWare.Yousi.A.7 [Ikarus]
25 %ProgramFiles%\3721\autolive.ini 1,188 bytes MD5: 0xEDD01B6AB0BB1F112E831C882676266C
SHA-1: 0x87B50A61DF619DFAC72CCE4356BBD108836B2266
(not available)
26 %ProgramFiles%\3721\autolvsw.ini 814 bytes MD5: 0x24A2A9449A20737195C7C0326D581CEB
SHA-1: 0xAEEC79FA5847706CFA6ABC6E1A456CDFCC89E22D
(not available)
27 %ProgramFiles%\3721\cns01.dat 5,083 bytes MD5: 0x05A527466282C69CB67C3AEC5EE6EA90
SHA-1: 0xE8B5D4EFF8EA35A202C0FD4280B4FB432DF402BF
AdWare.Yousi.A.7 [Ikarus]
28 %ProgramFiles%\3721\cns03.dat 1,889 bytes MD5: 0xE2F5880D48B675C9F58D842166999618
SHA-1: 0x66AADF8491A72391431164DE223A534B556B55B4
(not available)
29 %ProgramFiles%\3721\cnsm.dll 36,864 bytes MD5: 0x6FC370C59E939B5612164A1478015556
SHA-1: 0x1B62456EBA94A3FE2AD79891AB3E55609A4C283B
Generic PWS.y!dih [McAfee]
TrojanSpy:Win32/Jhook.A [Microsoft]
Trojan-Spy.WinHook [Ikarus]
Win-Trojan/Xema.variant [AhnLab]
30 %ProgramFiles%\3721\helper.dll 49,218 bytes MD5: 0x30309B0AD8A73787F9798883F9116B37
SHA-1: 0x47FB6CAB2738AF9A4CC5494B752D04F69A37732F
Spyware:Win32/CnsMin [Microsoft]
Virus.Win32.Alhel [Ikarus]
31 %ProgramFiles%\3721\Notifier.dll 97,608 bytes MD5: 0x6E8A0135C5805DCFD093633707612639
SHA-1: 0x554A05394CB2AC57AC7C0021E9270231E76CF58D
CnsMin [McAfee]
AdWare.Agent [Ikarus]
Win-Trojan/Xema.variant [AhnLab]
32 %ProgramFiles%\3721\scrblock.dll 23,040 bytes MD5: 0xE895343EB12DE4901009A0873D97BDB6
SHA-1: 0x1D8ADFF2C9E08437259874E42482483F49A051CC
CnsMin [McAfee]
Mal/Generic-L [Sophos]
Spyware:Win32/CnsMin [Microsoft]
AdWare.Autolive [Ikarus]
33 %ProgramFiles%\3721\windex.dat 11,616 bytes MD5: 0x9DEBD9EA424C733A929611C815BCCFAC
SHA-1: 0x6E92085DAC84489E875D07871E232B17A44997C2
possibleThreat.windex [Ikarus]
34 %ProgramFiles%\3721\winhex.dat 72 bytes MD5: 0x8087046BBF54BEC53CBCA8F7C465C6BA
SHA-1: 0x245C852EF73B8F45C3E3BA927E8EC02D2E20B50B
possibleThreat.winhex [Ikarus]
35 %ProgramFiles%\Yahoo!\Assistant\Assist\profile\1.gif 661 bytes MD5: 0xE9AE4192CD9CEF145A0A8734B0704B45
SHA-1: 0x112D54006FB6D38150D11F8005F4AD4B5B7EEB29
(not available)
36 %ProgramFiles%\Yahoo!\Assistant\Assist\profile\10.gif 239 bytes MD5: 0x1726107378E6CA2BF02C4B69E6EDB859
SHA-1: 0xA5C928470624CBFC6B72DAAE328388EB8E130D1A
(not available)
37 %ProgramFiles%\Yahoo!\Assistant\Assist\profile\11.gif 628 bytes MD5: 0xECADF07E9039EBEE536EF09C9388F88D
SHA-1: 0x680E9D55A5DFCDA7BA4837650CADA633FC8BA39A
(not available)
38 %ProgramFiles%\Yahoo!\Assistant\Assist\profile\13.gif 219 bytes MD5: 0xCDEFFDF2073A17772D7E569C3C47E9B6
SHA-1: 0xFA6FF129AF38E1AC2079D016C4A48779E55CCB67
(not available)
39 %ProgramFiles%\Yahoo!\Assistant\Assist\profile\14.gif 282 bytes MD5: 0x911A9CCA23190C17E91358C5C4A70457
SHA-1: 0xE5ED0BD38B67463D72E5223075719558B4270EAC
(not available)
40 %ProgramFiles%\Yahoo!\Assistant\Assist\profile\15.gif 619 bytes MD5: 0x7E4DCB630007B195A679034499CF7CA1
SHA-1: 0xB86BA792562DC992BC2E8ACAD809B9B4BD8F2B1B
(not available)
41 %ProgramFiles%\Yahoo!\Assistant\Assist\profile\16.gif 230 bytes MD5: 0x2E044E56032C591D375186C1850C9816
SHA-1: 0xB01174CE876463276D74E01218D8F5B306F9014B
(not available)
42 %ProgramFiles%\Yahoo!\Assistant\Assist\profile\17.gif 416 bytes MD5: 0xABDB8E91AB9A44408B63442DD8BE3CE4
SHA-1: 0x94EC9FB5FA952FE6A35B69240C3359EFF1CD7B3C
(not available)
43 %ProgramFiles%\Yahoo!\Assistant\Assist\profile\18.gif 223 bytes MD5: 0xE9DB6D6A669EC7F0AB81E59F890452FD
SHA-1: 0x56075BAA3EA24C92E7B1B60F06813159430CD23A
(not available)
44 %ProgramFiles%\Yahoo!\Assistant\Assist\profile\19.gif 420 bytes MD5: 0x4AAF0336AB6925BD307E5863D5EA4039
SHA-1: 0xCF8EA5F994B2EC4403BF2AB88F6732F1429AB40D
(not available)
45 %ProgramFiles%\Yahoo!\Assistant\Assist\profile\20.gif 262 bytes MD5: 0x92EEF2FEB28AB791A873B9A1983D511E
SHA-1: 0x28A937F3879CA705BC466241FC2A90B1F2203154
(not available)
46 %ProgramFiles%\Yahoo!\Assistant\Assist\profile\22.gif 281 bytes MD5: 0xD9917C7A40AD2CA71B7CBBABF5DFBD46
SHA-1: 0x870989974D4419684458009EFC276DBE080F8DF0
(not available)
47 %ProgramFiles%\Yahoo!\Assistant\Assist\profile\3.gif 240 bytes MD5: 0x82185D4A102739867AAFAE1EED69B95D
SHA-1: 0x30816E1C159A0454B6E6B7171EC5D1E9C86ECD21
(not available)
48 %ProgramFiles%\Yahoo!\Assistant\Assist\profile\6.gif 617 bytes MD5: 0x033278A4269B334E7C6C2F4C0939DC7F
SHA-1: 0x5F03A68EA0E7121B0F2EDDAA720FAFCBCC1413E6
(not available)
49 %ProgramFiles%\Yahoo!\Assistant\Assist\profile\7.gif 275 bytes MD5: 0xB9376506B8695CE3AC32CD516F2881AB
SHA-1: 0x1B052D7DE7475E8D4EE2E775E4056441887A48BD
(not available)
50 %ProgramFiles%\Yahoo!\Assistant\Assist\profile\8.gif 403 bytes MD5: 0x91188BF3A8A52DCDD91AB5F70D4F62B9
SHA-1: 0x0562CC5D1EB58EACDFC5A03971CA7C83603F8CEA
(not available)
51 %ProgramFiles%\Yahoo!\Assistant\Assist\profile\9.gif 155 bytes MD5: 0x996672DA3F47120E7AD619B9C112BB23
SHA-1: 0x83573249FE4B081286DF5B3003352A8264B3A660
(not available)
52 %ProgramFiles%\Yahoo!\Assistant\Assist\profile\profile.xml 7,340 bytes MD5: 0x3545AD8CDA1B79DEFD8543AA638FE2C6
SHA-1: 0x31CB45D1670F9EF595E9FF744779DB19E53A2904
(not available)
53 %ProgramFiles%\Yahoo!\Assistant\Assist\profile\Thumbs.db 22,016 bytes MD5: 0x795F2F8FD388B0AD7AAB592D0FC3BFDD
SHA-1: 0xA9A61E0E67E75995702CEE9A894F1321E8543B60
(not available)
54 %ProgramFiles%\Yahoo!\Assistant\Assist\sremove.exe 48,560 bytes MD5: 0x7419C57D0CB94F7E80E09AAF32E4C5C5
SHA-1: 0x5D94ABE43C51B7E13C6588A10E16F37EAF58B537
(not available)
55 %ProgramFiles%\Yahoo!\Assistant\Assist\yasbar.dll 380,336 bytes MD5: 0x216F6CB6B17E25AE20E9746E80984F5D
SHA-1: 0xB23A52B8C09054919E995DA3C6C08F30C8990C89
(not available)
56 %ProgramFiles%\Yahoo!\Assistant\Assist\yassist.dll 77,232 bytes MD5: 0x049EC36515101EC16FF913AD0FE01BF3
SHA-1: 0x0DE9DAB3F7314A153B77FD1C4CCD67DDFE7C339F
(not available)
57 %ProgramFiles%\Yahoo!\Assistant\yal01.dat 5,064 bytes MD5: 0xDB218185F9AA52F633B59D4C790018A7
SHA-1: 0xD87B1B4D0C8D7BE0D536E02C2DEA9FA9510F2CCC
(not available)
58 %ProgramFiles%\Yahoo!\Assistant\YAlive.dll.1.log 106 bytes MD5: 0x8B3D9084B41C614EC67E34665843E581
SHA-1: 0x538280531F60C780CDA3CB5C2612B3EA9DE0539E
(not available)
59 %ProgramFiles%\Yahoo!\Assistant\yhelper.dll 97,712 bytes MD5: 0x892562698E6325B10B09E80922C5947B
SHA-1: 0xDFF8381775B0C0564A3D5F2E884CF62412CA890A
(not available)
60 %ProgramFiles%\Yahoo!\Assistant\ylive.exe 89,520 bytes MD5: 0x8BB4A98DA698D5952E8B28097D6C62B0
SHA-1: 0x0D09B5A17D62BC0FD60CD4433EF46DBFC25BD1FE
(not available)
61 %DownloadedProgramFiles%\Cns02.dat 1,768 bytes MD5: 0xB8881A13929E9C121461B4160C8642BE
SHA-1: 0x651758194730E95F6B1D18D961724D0F98AA5E9E
Spyware.Win32.CnsMin [Ikarus]
62 %DownloadedProgramFiles%\CnsInst.dll 118,784 bytes MD5: 0x1AD1C03BA57FF1B5FCA4FBD08EE95370
SHA-1: 0xBF94D96FF99E8668B795AC316A4BAD9F7591CB1D
Spyware:Win32/CnsMin [Microsoft]
Spyware.Win32.CnsMin [Ikarus]
63 %DownloadedProgramFiles%\CnsMin.dll 237,568 bytes MD5: 0x86CF38F368943C9723A5492909B9ADF3
SHA-1: 0x911B3F8A292DDD0DEA0493CD2E63DF032D5D1C78
Spyware:Win32/CnsMin [Microsoft]
Spyware [Ikarus]
64 %System%\cns.dat 47,152 bytes MD5: 0x6412BB559FD415FBD10E3B3EC7635969
SHA-1: 0x7D9A5993945954FB3400E00DA2EE5DC6CE7E2C0D
(not available)
65 %System%\cns.dll 32,768 bytes MD5: 0xA3C40FFD4A1316F3AA7FE264F68D014C
SHA-1: 0xED187BE694407736C06026D8AA6176D400D5F25F
Generic PUP.z [McAfee]
Spyware:Win32/CnsMin [Microsoft]
Virus.Win32.Downloader [Ikarus]
66 %System%\cns.exe 28,672 bytes MD5: 0xC1CD4C1A83C1C8FC1FA2C95405127265
SHA-1: 0x1C5C7A896740FCAE5D851089C4F68F140C210D77
Trojan.Win32.DNSChanger.gpg [Kaspersky Lab]
CnsMin [McAfee]
Spyware:Win32/CnsMin [Microsoft]
Trojan.Win32.DNSChanger [Ikarus]
Win-Trojan/Dnschanger.28672.Z [AhnLab]
67 %System%\drivers\khlamb.sys 48,128 bytes MD5: 0x0DCA478B42F12CEAD839FD73B2148DBB
SHA-1: 0x3B8C2CACE7CC7B106C8BF2A40718361D44EE3245
Trojan Horse [Symantec]
Trojan.Win32.Agent.tfc [Kaspersky Lab]
Generic PUP.x [McAfee]
VirTool:WinNT/Protmin.gen!B [Microsoft]
VirTool.WinNT.Protmin.B [Ikarus]
Win-Trojan/Agent.48128.EC [AhnLab]
68 [file and pathname of the sample #1] 2,064,088 bytes MD5: 0x482E75ED5D86885E0ADC4469901E9BBE
SHA-1: 0x6E7EE2C8BBE70DB4DA4ADF80E4CA627BDE8807A6
Trojan.Win32.DNSChanger.gpg [Kaspersky Lab]
Trojan.Genlot [Ikarus]
packed with UPX [Kaspersky Lab]
69 %System%\Selur.enc 1,417 bytes MD5: 0x5CF8B7974D72EAD2F7297F29A5E94C1B
SHA-1: 0xC6278A9241B367AC7F833AFDF7C3E68258079FCA
possibleThreat.Selur [Ikarus]


Memory Modifications

Process Name | Process Filename | Main Module Size
ylive.exe | %ProgramFiles%\yahoo!\assistant\ylive.exe | 94,208 bytes
ascenter.exe | %ProgramFiles%\3721\assist\ascenter.exe | 81,920 bytes


Registry Modifications


Other details

China
Taiwan

Remote Host | Port Number
202.165.100.105 | 80


All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2013 ThreatExpert. All rights reserved.