Trojan.FakeAV.3510

Agung Dwi Prasetyo | 12.31.00

Windows HOSTS file manipulation and antivirus blocking

Whereas other fake antivirus programs (rogue antivirus) typically scare their victims with bogus virus infection reports, this one prefers to block a long list of security software and to redirect the Windows hosts file, so that a computer it has infected cannot reach the websites of security vendors. This hosts file redirection is what computer users need to watch out for, especially internet banking users, because hosts redirection combined with a phishing website and well-crafted social engineering can lead to an internet banking account being compromised, even when the account is protected by a PIN calculator / token (two factor authentication). That is why it is important for internet banking users to run an antivirus that has a hosts file protection feature, such as the one provided by Dr Web Security Space.

Characteristics and symptoms of the virus

The virus is written in the Visual Basic programming language, is about 62 KB in size, and uses the Visual Basic icon (see figure 1).

Figure 1, the main Trojan.FakeAV.3510 virus file

One recognizable sign is that every time the user opens Internet Explorer, the website [http://www.qseach.com/?ref=kzCXow==] appears, which imitates the search engine site www.google.com (see figure 2). In addition, several shortcut files with varying icons appear; the good news is that, for now, these shortcut files only appear on USB flash drives. The shortcut files are duplicates of the files/directories that the virus has hidden, and are intended to deceive the user (see figure 3).

Figure 2, the modified Internet Explorer home page

Figure 3, shortcut files duplicating the files hidden by the Trojan.FakeAV.3510 virus

With the latest update, Dr.Web antivirus detects this virus as Trojan.FakeAV.3510 (see figure 4).

Figure 4, Dr.Web anti-virus detection result

Main virus file

When the user runs the main virus file, an error message appears (see figure 5); the virus then creates a main file that is run automatically when the computer boots.

Figure 5, error message when the computer boots

The following files are created by the virus:

  • C:\Documents and Settings\%user%\132616c4\winlogon.exe

Note: %user% is the account used to log in to Windows

Windows Registry

So that the file is launched automatically when the computer boots, the virus creates the following registry entries:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    • 74e4144414 = C:\Documents and Settings\%user%\132616c4\winlogon.exe

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    • 74e4144414 = C:\Documents and Settings\%user%\132616c4\winlogon.exe

Note: %user% is the account used to log in to Windows

Blocking Windows functions

To make cleanup difficult for the user, the virus blocks several Windows functions such as Task Manager, MSConfig, CMD (Command Prompt), Regedit and Folder Options by changing the following registry values:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations

    • LowRiskFileTypes = .exe

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    • NoFile = 1

    • NoFolderOptions = 1

    • NoRun = 1

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

    • DisableRegistryTools = 1

    • DisableTaskMgr = 1

  • HKCU\Software\Policies\Microsoft\Windows\System

    • DisableCMD = 1

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    • NoFolderOptions = 1

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile

    • EnableFirewall = 1

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

    • EnableFirewall = 1

In addition, it creates strings in the following registry locations so that the virus file is run at administrator level, and registers the file in the firewall list so that Windows Firewall does not block it.

  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\layers

    • C:\Documents and Settings\%user%\132616c4\winlogon.exe = RUNASADMIN

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\layers

    • C:\Documents and Settings\%user%\132616c4\winlogon.exe = RUNASADMIN

  • HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

    • C:\Documents and Settings\%user%\132616c4\winlogon.exe = C:\Documents and Settings\%user%\132616c4\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

    • C:\Documents and Settings\%user%\132616c4\winlogon.exe = C:\Documents and Settings\%user%\132616c4\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401

  • HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

    • C:\Documents and Settings\%user%\132616c4\winlogon.exe = C:\Documents and Settings\%user%\132616c4\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401

Blocking security software

Besides blocking those Windows functions, the virus also blocks security tools/software, including antivirus programs, by reading the window caption text and by setting a debugger (redirection) that runs the virus file located at [C:\Documents and Settings\%user%\132616c4\winlogon.exe] instead. To set up this debugger (redirection), it creates strings in the following registry location:

Key address:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

Subkey address:

String name and value

Debugger = "C:\Documents and Settings\%user%\132616C4\winlogon.exe"

Note: %user% is the user/account used to log in to Windows
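The Run entries, policy lockouts and Image File Execution Options `Debugger` values described above can be checked offline. The following Python triage is an added example, not part of the original article; it assumes the registry was exported to `.reg` text (for example from a rescue environment), and the sample export, the account name `alice`, `scanner-example.exe` and all function names are constructed for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in .reg export format; "alice" and scanner-example.exe are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"74e4144414"="C:\\Documents and Settings\\alice\\132616c4\\winlogon.exe"
"ExampleUpdater"="C:\\Program Files\\ExampleApp\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Documents and Settings\\alice\\132616C4\\winlogon.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanner-example.exe]
"Debugger"="\"C:\\Documents and Settings\\alice\\132616C4\\winlogon.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
'''

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# Names of Windows system processes that malware likes to borrow (not exhaustive).
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}
# Policy values the write-up lists as set to 1 to lock the user out of cleanup tools.
LOCKOUT = {"disabletaskmgr", "disableregistrytools", "disablecmd",
           "nofolderoptions", "norun"}
IFEO = "\\image file execution options\\"


def _unescape(s):
    """Undo .reg string escaping (\\\\ and \\")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value name, data) for string and dword values in .reg text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        m = SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE.match(line)
        if not (m and key):
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            yield key, name, _unescape(data[1:-1])
        elif data.startswith("dword:"):
            yield key, name, int(data[6:], 16)


def masquerades(command):
    """True if the executable borrows a system process name outside System32.

    Simplification: the value is treated as a bare path without arguments."""
    path = command.strip().strip('"').lower()
    folder, exe = ntpath.split(path)
    return exe in SYSTEM_NAMES and not folder.endswith("\\windows\\system32")


def triage(text):
    """Return (rule, key, value name, data) for each suspicious entry."""
    hits = []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()
        if k.endswith("\\currentversion\\run") and isinstance(data, str):
            if masquerades(data):
                hits.append(("run-masquerade", key, name, data))
        elif IFEO in k and n == "debugger":
            # Legitimate debuggers exist, so every hit is a lead to review.
            hits.append(("ifeo-debugger", key, name, data))
        elif "\\policies\\" in k and n in LOCKOUT and data == 1:
            hits.append(("tool-lockout", key, name, data))
    return hits


def shared_debuggers(hits):
    """Map each Debugger target to the image names redirected to it."""
    targets = defaultdict(list)
    for rule, key, _name, data in hits:
        if rule == "ifeo-debugger":
            targets[data.strip('"').lower()].append(ntpath.basename(key))
    # One target behind several unrelated images is the pattern described above.
    return {t: imgs for t, imgs in targets.items() if len(imgs) > 1}


if __name__ == "__main__":
    for hit in triage(SAMPLE_EXPORT):
        print(*hit, sep=" | ")
    print(shared_debuggers(triage(SAMPLE_EXPORT)))
```

A single `Debugger` target shared by many unrelated image names is the strongest signal here; an isolated `Debugger` value can be a legitimate developer or admin setting and needs review rather than automatic removal.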

Changing the Internet Explorer home page

In addition, the virus changes the Internet Explorer home page so that it displays a predetermined website. To do so, it modifies the following registry string:

  • HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel

    • HomePage = 1

Changing the USB flash drive icon

The virus also changes the USB flash drive icon to a folder icon and blocks access to the drive when the user opens it by double-clicking. Double-clicking the USB flash drive automatically activates the virus (see figure 6).

Figure 6, USB flash drive modified by the virus

Hiding files/folders

Once again the USB flash drive is the victim: this time the virus hides all files/folders on the drive and, in their place, creates duplicates with the same names as the hidden files/folders, in the form of shortcut files with the following characteristics:

  • If the hidden item is a folder

    • Folder icon

    • Has the extension .LNK

    • Size 1 KB

  • If the hidden item is a file

    • Random icon

    • Has the extension %original extension%.lnk, where %original extension% is the original extension of the file, for example: lamaran.doc.lnk

    • Size 1 KB

Every shortcut file created has as its target the prepared virus file (Ua3kmh73O3jyut4Iok.exe), which runs when the shortcut is opened; the target file is usually stored on the USB flash drive (see figure 7).

Figure 7, shortcut file created by the virus to manipulate the user

Modifying the Windows hosts file

The virus also modifies the Windows hosts file [C:\Windows\System32\Drivers\Etc\Hosts], which makes a number of websites inaccessible. The following are some of the website addresses that are blocked (see figure 8).


251.9.224.91 feeds.sophos.com

166.129.51.218 esp.sophos.com

229.74.215.238 cn.sophos.com

50.101.204.14 tw.sophos.com

207.140.18.128 kr.sophos.com

122.4.169.255 sophos.com

186.206.77.207 podcasts.sophos.com

6.232.66.52 www.sunbeltsoftware.com

164.15.136.97 go.sunbeltsoftware.com

78.136.219.36 oem.sunbeltsoftware.com

178.117.164.24 antispam.sunbeltsoftware.com

254.143.153.57 antispyware.sunbeltsoftware.com

156.183.223.171 antivirus.sunbeltsoftware.com

71.115.118.110 sunbeltsoftware.com

134.248.26.61 shop.sunbeltsoftware.com

211.19.15.94 live.sunbeltsoftware.com

112.126.85.208 firewall.sunbeltsoftware.com

27.246.168.79 www.symantec.com

90.192.76.99 security.symantec.com

167.150.65.131 securityrespons.symantec.com

1.1.135.177 service1.symantec.com

239.122.218.116 enterprisesecur.symantec.com

235.67.194.68 eval.symantec.com

123.93.183.101 symantec.com

213.132.185.214 definitions.symantec.com

195.253.80.153 investor.symantec.com

191.198.245.105 et.symantec.com

79.224.234.138 sfdoccentral.symantec.com

169.8.48.252 servicenews.symantec.com

152.128.131.123 securityrespons.symantec.com

147.73.107.142 sea.symantec.com

224.100.96.175 go.symantec.com

125.139.98.221 dell.symantec.com

108.3.249.160 sun.symantec.com

103.205.157.112 marian.symantec.com

180.231.146.144 tms.symantec.com

82.82.216.2 securitycheck.symantec.com

64.203.43.197 smallbiz.symantec.com

60.148.207.149 www.symantec.com

136.106.196.182 visualtracking.symantec.com

38.213.10.39 search.symantec.com

20.78.161.166 liveupdate.symantec.com

16.23.70.186 sitedirector.symantec.com

92.237.59.219 edm.symantec.com

250.89.129.145 hostedmailsecur.symantec.com

45.21.24.16 www4.symantec.com

40.222.188.223 education.symantec.com

117.249.177.0 vos.symantec.com

18.32.247.114 www.hacksoft.com.pe

1.152.74.53 hacksoft.pe

252.98.50.5 www.hacksoft.pe

73.124.39.37 housecall.trendmicro.com

231.163.41.151 www.trendmicro.com

213.27.192.22 housecall65.trendmicro.com

209.229.100.42 us.trendmicro.com

29.255.89.75 blog.trendmicro.com

187.38.159.188 emea.trendmicro.com

169.227.242.59 housecall60.trendmicro.com

165.172.219.11 jp.trendmicro.com

241.130.208.44 de.trendmicro.com

143.238.210.158 it.trendmicro.com

58.102.105.97 itw.trendmicro.com

121.47.13.48 esupport.trendmicro.com

198.6.2.81 es.trendmicro.com

99.113.72.195 br.trendmicro.com

14.233.155.66 tw.trendmicro.com

77.179.63.86 la.trendmicro.com

154.205.52.118 uk.trendmicro.com

56.244.122.232 ru.trendmicro.com

226.108.17.103 smbstore.trendmicro.com

34.54.181.55 apac.trendmicro.com

110.80.170.156 store.trendmicro.com

12.119.240.201 training.trendmicro.com

182.240.67.140 trial.trendmicro.com

246.185.232.92 ushousecall02.trendmicro.com

66.211.221.125 subwiz.trendmicro.com

224.251.35.239 go.trendmicro.com

139.183.186.178 feeds.trendmicro.com

202.60.94.129 channelpartner.trendmicro.com

23.87.83.162 wtc.trendmicro.com

180.194.153.20 shop.trendmicro.com

95.58.236.147 fr.trendmicro.com

158.4.144.167 threatinfo.trendmicro.com

235.218.133.199 newsletters.trendmicro.com

69.69.203.245 www.anti-virus.by

51.189.30.184 bg.virusblokada.com

47.135.6.136 www.vba.com.by

191.161.251.169 beta.anti-virus.by

25.200.253.26 www.bg.virusblokada.com

7.65.148.221 www.hauri.net

3.10.57.173 www.hauri.co.kr

147.36.46.206 company.hauri.net

237.76.116.64 www.globalhauri.com

220.196.199.191 shop.hauri.co.kr

215.141.175.210 hauri.co.kr

36.168.164.243 pg.hauri.net

193.207.166.33 esecurity.livecall.co.kr

176.71.61.228 mall.hauri.co.kr

171.17.225.180 company.hauri.co.kr

248.43.214.212 haurijapan.com

150.150.28.70 virobot.co.kr

132.14.111.9 www.virusbuster.hu

128.216.19.217 virusbuster.hu

204.174.8.250 scanner.novirusthanks.org

106.25.78.107 scanner2.novirusthanks.or

88.146.229.234 novirusthanks.org

84.91.138.254 www.novirusthanks.org

160.49.127.31 virustotal.com

62.157.197.145 www.virustotal.com

45.21.24.16 virscan.org

40.222.188.223 www.virscan.org

117.249.177.0 virusscan.jotti.org

18.32.247.114 jotti.org

1.152.74.53 www.jotti.org

252.98.50.5 viruschief.com

73.124.39.37 www.viruschief.com

231.163.41.151 scanner.virus.org

213.27.192.22 virus.org

209.229.100.42 www.virus.org

29.255.89.75 scan4you.net

187.38.159.188 www.scan4you.net

169.227.242.59 avhide.com

165.172.31.79 www.avhide.com

53.198.20.112 anubis.iseclab.org

211.50.22.226 iseclab.org

126.170.173.165 www.iseclab.org

189.115.81.116 threatexpert.com

10.74.70.149 www.threatexpert.com

167.181.140.7 forospyware.com

82.45.223.134 www.forospyware.com

145.247.131.154 in.answers.yahoo.com

222.17.120.186 es.answers.yahoo.com

123.56.190.44 kioskea.net

38.176.85.171 www.kioskea.net

102.122.249.123 es.kioskea.net

178.148.238.224 mygeekside.com

80.187.52.13 www.mygeekside.com

250.52.135.208 www.tecniservicioslys.com

58.253.44.160 tecniservicioslys.com

134.23.33.193 virusfreezone.info

36.63.103.51 www.virusfreezone.info

207.251.254.246 intranet.cidiroax.ipn.mx

14.128.162.197 spycheck.es

91.155.151.230 www.spycheck.es

248.6.221.88 antivirus.hispavista.com

163.126.48.215 computing.net

226.72.212.235 www.computing.net

47.30.201.11 spycheck.co.uk

137.137.15.57 www.spycheck.co.uk

119.1.98.252 midescargas.com

115.203.74.204 www.midescargas.com

3.229.63.237 static.yoreparo.com

93.12.65.94 softfaq.com

75.133.216.33 www.softfaq.com

71.78.125.241 configurarequipos.com

215.104.114.18 www.configurarequipos.com

49.144.184.132 seasonsecurity.com

32.8.11.3 www.seasonsecurity.com

27.209.243.22 removetrojanvirus.org

104.236.232.55 www.removetrojanvirus.org

5.19.234.101 ibusca.me

244.139.129.40 www.ibusca.me

Figure 8, Windows hosts file

Propagation medium

To spread itself, it uses USB flash drives, abusing the Windows autorun feature by creating 2 files:

  • autorun.inf

  • 85luFefZ08lzEPQXsS014zzp9LV3F54yhE0zz5k0g\S-1-3-01-4639134501-7494416267-104346834-7052\Ua3kmh73O3jyut4Iok.exe

The [autorun.inf] file contains a script that runs the file [Ua3kmh73O3jyut4Iok.exe], which is launched automatically when the user accesses the USB flash drive. (see figure 9)

Figure 9, Contents of the autorun.inf script

In addition, to "trap" the user, it creates duplicate files in the form of shortcuts that have the same file names as the files it has hidden; these shortcuts have random icons (see figure 10)

Figure 10, Shortcut files created by the virus
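To triage a USB flash drive for the two traces described above, the following added example (not part of the original article or of any Dr.Web tool) lists the programs an autorun.inf would launch and the shortcuts named after hidden items. The sample autorun.inf and the function names are constructed for illustration, and matching a shortcut with or without the hidden file's extension is an assumption.

```python
import ntpath
import os
import re
import stat

# [autorun] keys that make Windows start a program from the drive.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
PROGRAM = re.compile(r'\s*"?(.+?\.(?:exe|com|scr|pif|bat|cmd))(?=["\s]|$)', re.I)

# Constructed sample; the payload path is the one listed on this page.
PAYLOAD = (r"85luFefZ08lzEPQXsS014zzp9LV3F54yhE0zz5k0g"
           r"\S-1-3-01-4639134501-7494416267-104346834-7052"
           r"\Ua3kmh73O3jyut4Iok.exe")
SAMPLE_INF = ("[autorun]\n; constructed sample\n"
              "open=" + PAYLOAD + "\n"
              "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
              "shell\\open\\command=" + PAYLOAD + "\n")


def audit_autorun(text):
    """Return (key, program) for every [autorun] entry that starts a program."""
    findings, in_autorun = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        match = PROGRAM.match(value)
        if in_autorun and sep and LAUNCH_KEY.match(key) and match:
            findings.append((key, match.group(1)))
    return findings


def shortcut_decoys(listing):
    """listing: (name, is_hidden) pairs from one folder. Return the .lnk files
    named after a hidden file or folder, with or without its extension."""
    hidden = set()
    for name, is_hidden in listing:
        if is_hidden:
            hidden.update({name.lower(), ntpath.splitext(name)[0].lower()})
    return sorted(name for name, _ in listing
                  if name.lower().endswith(".lnk")
                  and ntpath.splitext(name)[0].lower() in hidden)


def list_folder(path):
    """Build a listing from a real folder (hidden flag is Windows-only)."""
    return [(e.name, bool(getattr(e.stat(), "st_file_attributes", 0)
                          & stat.FILE_ATTRIBUTE_HIDDEN))
            for e in os.scandir(path)]
```

On Windows, `shortcut_decoys(list_folder("E:\\"))` checks the root of drive E; any launch entry returned by `audit_autorun` on a removable drive deserves a look before the drive is opened in Explorer.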

How to clean Trojan.FakeAV.3510

  1. For cleaning, you can use the Dr.Web CureIt! tool from Dr.Web antivirus. Download the tool from the following address:

http://www.freedrweb.com/cureit/?lng=en

Once the tool has been downloaded, run it by double-clicking the Dr.Web CureIt! file. When the "DrWeb CureIt! – Enhanced Protection Mode" confirmation appears, click the [OK] button. While this mode is selected you will not be able to do anything else on the computer; this is done so that the cleaning process can run more optimally. (see figure 11)

Figure 11, Dr.Web CureIt! – Enhanced Protection Mode

The "Dr.Web Scanner for Windows – Express Scan" screen then appears; let it run until the scan is finished. If a cleaning prompt appears during the scan, click the [Yes to All] button (see figure 12).

Figure 12, Virus cleaning confirmation

For optimal cleaning, scan all drives, including USB flash drives/external HDDs, by selecting the [Scan complete] option (see figure 13)

Figure 13, Scanning with Dr.Web CureIt!

Note:

Dr.Web antivirus will also automatically restore the Windows HOSTS file that was modified by Trojan.FakeAV.3510 to its original settings. If a confirmation appears to repair the Windows HOSTS file that was modified by the virus, click the [Yes] button. (see figure 14)

Figure 14, Restoring the Windows HOSTS file with Dr.Web CureIt!

Click Restart if a restart confirmation from Dr.Web antivirus appears.

  2. Fix the Windows registry entries that were changed by the virus. To speed up the repair, copy the script below into Notepad and save it as REPAIR.INF, then run the file as follows:

    • Right-click REPAIR.INF

    • Click INSTALL

[Version]

Signature="$Chicago$"

Provider=Vaksincom

[DefaultInstall]

AddReg=UnhookRegKey

DelReg=del

[UnhookRegKey]

HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"

HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"

HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"

HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"

HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""

HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"

HKCU, Software\Microsoft\Internet Explorer\main, Start Page,0, "about:blank"

HKCU, Software\Microsoft\Internet Explorer\main, Search Page,0,"about:blank"

HKCU, Software\Microsoft\Internet Explorer\main, Local Page,0, "about:blank"

HKCU, Software\Microsoft\Internet Explorer\main, Default_Search_URL,0, "about:blank"

HKCU, Software\Microsoft\Internet Explorer\main, Default_Page_URL,0, "about:blank"

[del]

HKCU, Software\Microsoft\WIndows\CurrentVersion\Run, 74e4144414

HKCU, Software\Microsoft\WIndows\CurrentVersion\Policies\Associations

HKCU, Software\Microsoft\WIndows\CurrentVersion\Policies\Explorer, NoFile

HKCU, Software\Microsoft\WIndows\CurrentVersion\Policies\Explorer, NoFolderOptions

HKCU, Software\Microsoft\WIndows\CurrentVersion\Policies\Explorer, NoRun

HKCU, Software\Microsoft\WIndows\CurrentVersion\Policies\System, DisableRegistryTools

HKCU, Software\Microsoft\WIndows\CurrentVersion\Policies\System, DisableTaskMgr

HKCU, Software\Policies\Microsoft\Windows\System, DisableCMD

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKLM, SOFTWARE\Policies\Microsoft\WindowsFirewall

HKCU, Software\Policies\Microsoft\Internet Explorer\Control Panel, HomePage

HKLM, Software\Microsoft\WIndows\CurrentVersion\Run, 74e4144414

HKLM, Software\Microsoft\WIndows\CurrentVersion\Policies\Explorer, NoFolderOptions

HKLM, Software\Microsoft\WIndows\CurrentVersion\Policies\System, EnableLUA

  3. Manually delete the following registry locations:

    • Click the [Start] menu

    • Click [RUN]

    • Type REGEDIT.EXE, then click the [OK] button

    • Then delete the following registry strings

      • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\layers

        • C:\Documents and Settings\%user%\132616c4\winlogon.exe = RUNASADMIN

      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\layers

        • C:\Documents and Settings\%user%\132616c4\winlogon.exe = RUNASADMIN

      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

        • C:\Documents and Settings\%user%\132616c4\winlogon.exe = C:\Documents and Settings\%user%\132616c4\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401

      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

        • C:\Documents and Settings\%user%\132616c4\winlogon.exe = C:\Documents and Settings\%user%\132616c4\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401

      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

        • C:\Documents and Settings\%user%\132616c4\winlogon.exe = C:\Documents and Settings\%user%\132616c4\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401

Note: %user% is the user/account name used to log on to Windows

  4. Fix the Image File Execution Options. Download the FixImageFile file from http://rapidshare.com/files/446070146/FixImageFile.zip, then import the file FixImageFile_XP.reg (Windows XP) or FixImageFile_Vista_Win7.reg (Windows Vista/7) as follows: (see figure 15)

    • Click [Start]

    • Click [Run]

    • Type REGEDIT.EXE, then click the [OK] button

    • Once the "Registry Editor" window appears, click the [File] menu

    • Click [Import]

Figure 15, Importing the registry file

    • Then browse to the file FixImageFile.reg and click the [Open] button (see figure 16)

Figure 16, Selecting the location of the registry fix

    • If a confirmation window appears, click the [OK] button (see figure 17)

Figure 17, Registry import confirmation

  5. Show the files that the virus has hidden on the USB flash drive, as follows:

    • Click [Start]

    • Click [Run]

    • Type CMD, then click the [OK] button

Once the Command Prompt (CMD) application appears, switch to the USB flash drive by typing the command %USB Flash%: and then pressing Enter.

Note:

%USB Flash% is the drive letter, which varies; for example, if your USB flash drive is E, type the command E:

    • Then type the command ATTRIB -s -h -r /s /d and press Enter (see figure 18)

    • Wait a few moments until the process is finished

Figure 18, Showing the files hidden on the USB flash drive

  6. For optimal cleaning, scan with an up-to-date antivirus
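To confirm that the HOSTS file restore from the cleaning steps above took effect, the following added example (not part of the original article or of Dr.Web's tooling) parses a hosts file and reports every mapping a stock file would not contain. The watch list holds a few of the security vendor and scanner domains this trojan redirects, and the sample input is constructed with documentation-range addresses.

```python
import ipaddress

# A few of the vendor and scanner domains this trojan redirects;
# extend the list with the products you actually rely on.
WATCHED = ("kaspersky.com", "mcafee.com", "symantec.com", "trendmicro.com",
           "sophos.com", "virustotal.com", "microsoft.com")
BENIGN = {"localhost", "localhost.localdomain"}

# Constructed sample; addresses are documentation ranges, not real indicators.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      www.kaspersky.com   # constructed
198.51.100.7    liveupdate.symantec.com www.virustotal.com
0.0.0.0         ads.example.net
not-an-ip       www.mcafee.com
"""


def parse_hosts(text):
    """Yield (line_number, address, hostname) for each mapping in a hosts file."""
    for number, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: not a valid mapping
        for host in fields[1:]:
            yield number, address, host.lower().rstrip(".")


def audit_hosts(text, watched=WATCHED):
    """Return findings for every mapping a stock hosts file would not contain."""
    findings = []
    for number, address, host in parse_hosts(text):
        if host in BENIGN and address.is_loopback:
            continue
        if any(host == d or host.endswith("." + d) for d in watched):
            verdict = "security site overridden"
        elif address.is_loopback or address.is_unspecified:
            verdict = "blocked name, review"
        else:
            verdict = "unexpected redirect, review"
        findings.append((number, str(address), host, verdict))
    return findings
```

On a live system, pass it the contents of %SystemRoot%\System32\drivers\etc\hosts; an empty result means no overrides remain.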
