Gen.Variant.Adware.Symmi.41092_45be0ba90b

by malwarelabrobot on December 21st, 2016 in Malware Descriptions.

Susp_Dropper (Kaspersky), Gen:Variant.Adware.Symmi.41092 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 45be0ba90bed9769996964b9ab65df22
SHA1: 51cac1c297c2ba71f70db4c1c34acc6de715e1b3
SHA256: 0546c136bd33f1db43906c662aebc7052398ae77db408d46b5911492c2823349
SSDeep: 12288:hChNaPG4GjeZHkwuPikQ7lKH5p5H9x1teZHkwuXiZQblKh5pDxXTd8zb0:hChNUG4GjeZEXi37l6Br1teZEviObl2J
Size: 649741 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: StdLib
Created at: 2009-12-06 00:50:52
Analyzed on: Windows7 SP1 32-bit
Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3800
chrome.exe:3928
chrome.exe:1808
regsvr32.exe:2496

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome\content\icons\default\MediaWatchV1home7445_32.png (10 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ie\MediaWatchV1home7445.dll (1438 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ch\MediaWatchV1home7445.crx (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (13747 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome.manifest (149 bytes)
C:\Windows\System32\GroupPolicy\gpt.ini (261 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdAE68.tmp\aminsis.dll (19321 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\uninstall.exe (11397 bytes)
C:\Windows\System32\GroupPolicy\Machine\Registry.pol (424 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome\content\ffMediaWatchV1home7445.js (747 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome\content\overlay.xul (344 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\install.rdf (788 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome\content\ffMediaWatchV1home7445ffaction.js (678 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome\content\icons\Thumbs.db (564 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdAE67.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdAE68.tmp (0 bytes)

The process chrome.exe:3928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_16.png (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\manifest.json (535 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\ffMediaWatchV1home7445chaction.js (834 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_64.png (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_128.png (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_48.png (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\DECODED_IMAGES (80 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\DECODED_MESSAGE_CATALOGS (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\icon.ico (5 bytes)

The process chrome.exe:1808 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.log (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_16.png (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\B72E.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\manifest.json (969 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\D940.tmp (111 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\000003.log (69 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\67a473248953641b_1 (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG (618 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data (744 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG (519 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_XNFbplNQia974aj (172 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\QuotaManager (1066 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\index-dir\temp-index (456 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage (3286 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\e2042f2bac3c4012_0 (1188 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_48.png (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Login Data (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\icon.ico (596 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\DA7B.tmp (326 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index (96 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Current Session (1768 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214 (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\MediaWatchV1home7445.crx (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\DA3C.tmp (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0V1D2EDSBRU76AHZJFWR.temp (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal (2753 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 (4692 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor-journal (10985 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\1963.tmp (111 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal (5378 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal (3450 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG (495 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat (240 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal (33745 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_128.png (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B73E.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\DA8C.tmp (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor (1374 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 (984 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cookies (78 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_12F2a5PPplkvI0f (75 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\QuotaManager-journal (6985 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG (495 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG (534 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\DA3B.tmp (160 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences~RF15da47.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_16.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\B72E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\index-dir\the-real-index~RF1631ba.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF15b347.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms~RF15fe5b.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\index-dir\the-real-index~RF15c255.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\History Provider Cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Local State~RF16195a.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir_1808_17872 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld\280F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old~RF15cafc.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RF160fd8.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_48.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity~RF15da86.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\DECODED_IMAGES (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld\2820.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\icon.ico (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\index-dir\the-real-index~RF15c1e7.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\MediaWatchV1home7445.crx (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG.old~RF15b9ec.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Network Persistent State~RF15da86.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Local State~RF15d94e.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_128.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B73E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF15da38.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\index-dir\the-real-index (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old~RF15b663.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\DECODED_MESSAGE_CATALOGS (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\index-dir (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Last Session (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG.old~RF15c763.TMP (0 bytes)

The process regsvr32.exe:2496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\MediaWatchV1\MediaWatchV1home7445\ie\MediaWatchV1home7445.dll (90 bytes)

Registry activity

The process %original file name%.exe:3800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaWatchV1home7445]
"UninstallString" = "%Program Files%\MediaWatchV1\MediaWatchV1home7445\uninstall.exe"

[HKCU\Software\Microsoft\Internet Explorer\Approved Extensions]
"{6f02327d-af8c-4e89-bfb0-f085f2f27df9}" = "51 66 7A 6C 4C 1D 3B 1B 6D 2B 13 74 B2 FE E5 0B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{604AF983-D85F-42B1-8A88-C340353ECD43}Machine\Software\Policies\Google\Chrome\ExtensionInstallWhitelist]
"1" = "koikkkbidedbdhpibnldmifjfiiapajf"

[HKLM\SOFTWARE\MediaWatchV1\Media Watch]
"Installed" = "1"

[HKLM\SOFTWARE\Google\Chrome\Extensions\koikkkbidedbdhpibnldmifjfiiapajf]
"Version" = "1.1"

[HKCR\CLSID\{6f02327d-af8c-4e89-bfb0-f085f2f27df9}]
"(Default)" = "Media Watch"

[HKLM\SOFTWARE\MediaWatchV1home7445\Components]
"ff" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaWatchV1home7445]
"DisplayIcon" = "%Program Files%\MediaWatchV1\MediaWatchV1home7445\uninstall.exe"
"NoModify" = "1"

[HKLM\SOFTWARE\Mozilla\Firefox\extensions]
"ext@MediaWatchV1home7445.net" = "%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaWatchV1home7445]
"URLInfoAbout" = ""
"NoRepair" = "1"

[HKLM\SOFTWARE\Google\Chrome\Extensions\koikkkbidedbdhpibnldmifjfiiapajf]
"Path" = "%Program Files%\MediaWatchV1\MediaWatchV1home7445\ch\MediaWatchV1home7445.crx"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\MediaWatchV1home7445\Components]
"CH" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaWatchV1home7445]
"DisplayVersion" = "1.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\MediaWatchV1home7445\Components]
"ie" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaWatchV1home7445]
"Publisher" = "Media Watch"
"DisplayName" = "Media Watch"

[HKLM\SOFTWARE\MediaWatchV1home7445]
"Path" = "%Program Files%\MediaWatchV1\MediaWatchV1home7445"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{604AF983-D85F-42B1-8A88-C340353ECD43}Machine\Software\Policies\Google]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{604AF983-D85F-42B1-8A88-C340353ECD43}Machine\Software\Policies\Google\Chrome\ExtensionInstallWhitelist]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{604AF983-D85F-42B1-8A88-C340353ECD43}Machine\Software\Policies\Google\Chrome]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{604AF983-D85F-42B1-8A88-C340353ECD43}User]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{604AF983-D85F-42B1-8A88-C340353ECD43}Machine\Software\Policies]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{604AF983-D85F-42B1-8A88-C340353ECD43}Machine]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{604AF983-D85F-42B1-8A88-C340353ECD43}Machine\Software]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process chrome.exe:1808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"metricsid_enableddate" = "0"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumSignedIn]
"S-1-5-21-732923889-1296844034-1208581001-1000" = "0"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"metricsid" = ""
"metricsid_installdate" = "0"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumAccounts]
"aggregate" = "sum()"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"usagestats" = "0"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumAccounts]
"S-1-5-21-732923889-1296844034-1208581001-1000" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"lastrun" = "13126666546371223"

[HKCU\Software\Google\Chrome\BLBeacon]
"failed_count" = "0"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr" = "1"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumSignedIn]
"aggregate" = "sum()"

[HKCU\Software\Google\Chrome\StabilityMetrics]
"user_experience_metrics.stability.exited_cleanly" = "0"

[HKCU\Software\Google\Chrome\BLBeacon]
"State" = "2"

[HKCU\Software\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr" = "1"

[HKCU\Software\Google\Chrome]
"UsageStatsInSample" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Google\Chrome\PreReadFieldTrial]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"experiment_labels"

The process regsvr32.exe:2496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{5929BA57-A9DF-4F89-BCDE-2233A23BDA90}\TypeLib]
"Version" = "1.1"
"(Default)" = "{157E0954-7BEC-49A3-846B-47AD2A4D2717}"

[HKCR\CLSID\{6f02327d-af8c-4e89-bfb0-f085f2f27df9}\InprocServer32]
"(Default)" = "%Program Files%\MediaWatchV1\MediaWatchV1home7445\ie\MediaWatchV1home7445.dll"

[HKCR\Interface\{5929BA57-A9DF-4F89-BCDE-2233A23BDA90}]
"(Default)" = "IMediaWatchV1home7445BHO"

[HKCR\TypeLib\{157E0954-7BEC-49A3-846B-47AD2A4D2717}\1.1\HELPDIR]
"(Default)" = "%Program Files%\MediaWatchV1\MediaWatchV1home7445\ie"

[HKCR\TypeLib\{157E0954-7BEC-49A3-846B-47AD2A4D2717}\1.1\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{6f02327d-af8c-4e89-bfb0-f085f2f27df9}]
"(Default)" = "MediaWatchV1home7445"

[HKCR\TypeLib\{157E0954-7BEC-49A3-846B-47AD2A4D2717}\1.1\0\win32]
"(Default)" = "%Program Files%\MediaWatchV1\MediaWatchV1home7445\ie\MediaWatchV1home7445.dll"

[HKCR\Interface\{5929BA57-A9DF-4F89-BCDE-2233A23BDA90}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{157E0954-7BEC-49A3-846B-47AD2A4D2717}\1.1]
"(Default)" = "MediaWatchV1home7445Lib"

[HKCR\Interface\{5929BA57-A9DF-4F89-BCDE-2233A23BDA90}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{6f02327d-af8c-4e89-bfb0-f085f2f27df9}\TypeLib]
"(Default)" = "{157e0954-7bec-49a3-846b-47ad2a4d2717}"

[HKCR\CLSID\{6f02327d-af8c-4e89-bfb0-f085f2f27df9}\Version]
"(Default)" = "1.1"

[HKCR\CLSID\{6f02327d-af8c-4e89-bfb0-f085f2f27df9}\InprocServer32]
"ThreadingModel" = "Apartment"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6f02327d-af8c-4e89-bfb0-f085f2f27df9}]
"(Default)" = "MediaWatchV1home7445"
"NoExplorer" = "1"

Dropped PE files

MD5 File path
fa9e10bad193c53a078cda885e0f4cb9 c:\Program Files\MediaWatchV1\MediaWatchV1home7445\ie\MediaWatchV1home7445.dll
ac1361b2741f858b1817e00a81738a65 c:\Program Files\MediaWatchV1\MediaWatchV1home7445\uninstall.exe
51ba1095f0ae45a2d444bea506cb9ad4 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdAE68.tmp\aminsis.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Media Watch
Product Name: Media Watch home 7445
Product Version: 1.1
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1
File Description:
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 45056 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 237568 3120 3584 2.92202 76cf3ba7b2975156ad03518cde724eff

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 76

URLs

URL IP
www.gstatic.com 172.217.20.195
www.google.com.ua
chrome.google.com
shavar.services.mozilla.com
translate.googleapis.com
dns.msftncsi.com
www.googleapis.com
ssl.gstatic.com
self-repair.mozilla.org
search.services.mozilla.com
clients4.google.com
apis.google.com
tiles.services.mozilla.com
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the following location(s):

%original file name%.exe_3800:

firefox.exe_2172:

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.
Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3800
    chrome.exe:3928
    chrome.exe:1808
    regsvr32.exe:2496

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome\content\icons\default\MediaWatchV1home7445_32.png (10 bytes)
    %Program Files%\MediaWatchV1\MediaWatchV1home7445\ie\MediaWatchV1home7445.dll (1438 bytes)
    %Program Files%\MediaWatchV1\MediaWatchV1home7445\ch\MediaWatchV1home7445.crx (1568 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (13747 bytes)
    %Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome.manifest (149 bytes)
    C:\Windows\System32\GroupPolicy\gpt.ini (261 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdAE68.tmp\aminsis.dll (19321 bytes)
    %Program Files%\MediaWatchV1\MediaWatchV1home7445\uninstall.exe (11397 bytes)
    C:\Windows\System32\GroupPolicy\Machine\Registry.pol (424 bytes)
    %Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome\content\ffMediaWatchV1home7445.js (747 bytes)
    %Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome\content\overlay.xul (344 bytes)
    %Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\install.rdf (788 bytes)
    %Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome\content\ffMediaWatchV1home7445ffaction.js (678 bytes)
    %Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome\content\icons\Thumbs.db (564 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_16.png (392 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\manifest.json (535 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\ffMediaWatchV1home7445chaction.js (834 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_64.png (392 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_128.png (392 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_48.png (392 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\DECODED_IMAGES (80 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\DECODED_MESSAGE_CATALOGS (28 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\icon.ico (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.log (107 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\B72E.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\D940.tmp (111 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\000003.log (69 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\67a473248953641b_1 (72 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG (618 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data (744 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG (519 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_XNFbplNQia974aj (172 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\QuotaManager (1066 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\index-dir\temp-index (456 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage (3286 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\e2042f2bac3c4012_0 (1188 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Login Data (156 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\DA7B.tmp (326 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index (96 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Current Session (1768 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\MediaWatchV1home7445.crx (47 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\DA3C.tmp (72 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0V1D2EDSBRU76AHZJFWR.temp (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal (2753 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 (4692 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor-journal (10985 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\1963.tmp (111 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal (5378 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal (3450 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG (495 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat (240 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal (33745 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B73E.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\DA8C.tmp (44 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 (984 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_12F2a5PPplkvI0f (75 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\QuotaManager-journal (6985 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG (495 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG (534 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\DA3B.tmp (160 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
