This is a program installed by a variant of CoolWebSearch Juicy.
It is an Internet Explorer BHO (Browser Helper Object) that acts as a backdoor. It is stored in the System32 folder under the name "msXXX.dll", where XXX is three random lower-case letters, and it registers itself under a random class ID. When a new IE window is opened, it contacts its controlling server, which directs it to install further software, including sp2chk.exe (a rootkit-like hook that makes other CWS files invisible to Windows Explorer), tlntadmnx.exe (which puts the site 63.219.181.7 in the IE Trusted Sites zone, then calls it to install the OnlineDialer/Ole parasite, which in turn loads Richfind/Q) and tcpsvcss.exe (which hijacks the DNS server settings of all internet connections to 69.50.188.180 and 195.225.176.31, allowing those servers to redirect access to any site to an attacker). It can also load the CoolWebSearch/WinProtect, Freshbar and WareOut parasites.
THIS IS A STARTUP PROGRAM AND NOT A TASK MANAGER PROCESS ITEM !!
Field        Value
Name         sp2chk.exe
Command      sp2chk.exe
Description  Added by the Aluroot.A TROJAN!
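The checks a responder would run for the indicators in this entry, written here as an added PowerShell example rather than anything from the original page. It assumes PowerShell 3 or later with the DnsClient module (Windows 8 / Server 2012 onward), read access to HKLM, and the standard registry locations for BHO registration, the IE zone map and the Run keys; the IP addresses, the msXXX.dll naming and the executable names are taken from the entry. Because the BHO's class ID is random, it is matched by the DLL path it resolves to rather than by CLSID.

```powershell
# Added example, not part of the original database entry.
# Checks a Windows host for the indicators named in the entry above:
#   - DNS servers hijacked to 69.50.188.180 / 195.225.176.31 (tcpsvcss.exe)
#   - 63.219.181.7 placed in the IE Trusted Sites zone (tlntadmnx.exe)
#   - a BHO whose DLL is System32\ms???.dll (three lower-case letters, random CLSID)
#   - sp2chk.exe / tlntadmnx.exe / tcpsvcss.exe referenced from Run keys
# Assumptions: PowerShell 3+ with the DnsClient module (Windows 8 / Server 2012 or
# later) and read access to HKLM. Registry paths are the standard IE locations.

$rogueDns  = @('69.50.188.180', '195.225.176.31')
$rogueSite = '63.219.181.7'
$rogueExes = @('sp2chk.exe', 'tlntadmnx.exe', 'tcpsvcss.exe')
$findings  = New-Object System.Collections.Generic.List[string]

# 1. DNS servers configured on every IPv4 interface
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    foreach ($srv in $cfg.ServerAddresses) {
        if ($rogueDns -contains $srv) {
            $findings.Add("DNS: interface '$($cfg.InterfaceAlias)' points at rogue server $srv")
        }
    }
}

# 2. Trusted Sites zone map. IP addresses are stored under ZoneMap\Ranges\Range*
#    as a ':Range' string plus a per-protocol DWORD ('*', 'http' or 'https');
#    data 2 means the Trusted Sites zone.
$rangeRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges'
)
foreach ($root in $rangeRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($range in Get-ChildItem $root) {
        $props = Get-ItemProperty -Path $range.PSPath
        if ($props.PSObject.Properties[':Range'].Value -ne $rogueSite) { continue }
        foreach ($proto in '*', 'http', 'https') {
            if ($props.PSObject.Properties[$proto].Value -eq 2) {
                $findings.Add("ZoneMap: $($range.PSChildName) puts $rogueSite ($proto) in Trusted Sites")
            }
        }
    }
}

# 3. Browser Helper Objects. The CLSID is random, so match on the DLL path instead:
#    resolve each registered CLSID through InprocServer32 and flag System32\ms???.dll.
$bhoRoots = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($root in $bhoRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($bho in Get-ChildItem $root) {
        $clsid = $bho.PSChildName
        foreach ($srvKey in "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32",
                            "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid\InprocServer32") {
            if (-not (Test-Path $srvKey)) { continue }
            $dll = (Get-ItemProperty -Path $srvKey).'(default)'
            if ($dll -match '(?i)\\system32\\ms[a-z]{3}\.dll$') {
                $findings.Add("BHO: $clsid loads $dll")
            }
        }
    }
}

# 4. Run keys referencing the dropped executables
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        foreach ($exe in $rogueExes) {
            if ("$($p.Value)" -match [regex]::Escape($exe)) {
                $findings.Add("Run: $key\$($p.Name) = $($p.Value)")
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No CoolWebSearch/Juicy indicators found.' } else { $findings }
```

Run it in an elevated PowerShell session. Listing System32 for ms???.dll directly is both noisy (legitimate Microsoft DLLs fit the pattern) and unreliable once the sp2chk.exe hook is in place, which is why the BHO check starts from the registry rather than the file system. On systems older than Windows 8, replace Get-DnsClientServerAddress with a query of the DNSServerSearchOrder property of Win32_NetworkAdapterConfiguration.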