Gen.Variant.Mikey.53671_a5f67d7258

by malwarelabrobot on November 17th, 2016 in Malware Descriptions.

Gen:Variant.Mikey.53671 (B) (Emsisoft), Gen:Variant.Mikey.53671 (AdAware), Trojan.Win32.Swrort.3.FD, SearchProtectToolbar_pcap.YR, SearchProtectToolbar.YR, PUPSpigot.YR (Lavasoft MAS)
Behaviour: Trojan, PUP


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: a5f67d72585374944214bf0515a8f89e
SHA1: 3fbf23c2a2816e7715c1e58061fd90072d7b52b1
SHA256: 031c1e3b2e7a7116d763020ee95a73d0d80905fee5235cfce29053748e51987e
SSDeep: 24576:2Xidl4Xf8noZwpKQcim9YOmTRXYypqfFkiYjPu3wNb53N/ A9Qs5:2X l4Xf8noZwpKQcim9YOmTRIyp Fkia
Size: 866304 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-09-30 20:25:07
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3640
AF8.tmp.exe:704
2DB5.tmp.exe:3392

The Trojan injects its code into the following process(es):

2DB5.tmp.exe:3784
mshta.exe:1876

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2DB5.tmp.exe (203151 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AF8.tmp.exe (14717 bytes)

The process AF8.tmp.exe:704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Admin Cleaner\Admin Cleaner.exe (601 bytes)

The process 2DB5.tmp.exe:3784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\install.js (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\pt.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.ocx (998 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\install.1479267018.zip (283430 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\logo_Yandex_RU_UA_vertical.png (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\shell_scripts\check_if_cscript_is_working.js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\uTorrent\settings.dat.new (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SP9GL4YV.txt (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\shell_scripts\shell_ping_after_close.js (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\loading.gif (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\index.hta (617 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\1f91d2d17ea675d4c2c3192e241743f9_88dcd395-b062-45b3-a6cd-79f37c0eba08 (105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\es5-shim.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\BP8T0ROY.txt (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\main_utorrent.ico (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\index.hta.log (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\br.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\ru.json (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\main_bittorrent.ico (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\common.js (350 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\fr.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\search_protect.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\styles\common.css (102 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\en.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\utt5041.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.dll (933 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\yandex_horz.png (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\de.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\uninstall.hta (575 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\uninstall.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\yandex_horz_ru.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\initialize.js (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\yandex_browser_setup.bmp (204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\main_icon.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\bt_icon_48px.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\styles\installer.css (587 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\es.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\it.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\shell_scripts\shell_install_offer.js (7 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\utt5041.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SP9GL4YV.txt (0 bytes)

The process mshta.exe:1876 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\index.hta.log (33 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\main_utorrent.ico (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\json[1].js (321 bytes)

Registry activity

The process %original file name%.exe:3640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"

The process AF8.tmp.exe:704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\SecureWebChannel]
"channel" = "UN"

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"

The process 2DB5.tmp.exe:3784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}]
"(Default)" = "ActiveBinderX Control"

[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Classes\FalconBetaAccount]
"remote_access_client_id" = "3465448718"

[HKCU\Software\BitTorrent\uTorrent]
"OfferProvider" = ""

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Verb]
"(Default)" = ""

[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0]
"(Default)" = "ActiveBinderProj Library"

[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}]
"(Default)" = "FS"

[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\TypeLib]
"(Default)" = "{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}"

[HKCR\FS.ActiveBinderX]
"(Default)" = "ActiveBinderX Control"

[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.ocx"

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\ToolboxBitmap32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.ocx,1"

[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\TypeLib]
"(Default)" = "{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}"

[HKCU\Software\BitTorrent\uTorrent]
"OfferViaCAU" = "0"

[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}]
"(Default)" = "IActiveBinderXEvents"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\FS.ActiveBinderX\Clsid]
"(Default)" = "{4E120188-0CAC-468C-B2D9-9D1F079EBC25}"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\ProgID]
"(Default)" = "FS.ActiveBinderX"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Control]
"(Default)" = ""

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\MiscStatus]
"(Default)" = "0"

[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Verb\0]
"(Default)" = "Properties,0,2"

[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0\FLAGS]
"(Default)" = "2"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\TypeLib]
"(Default)" = "{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\MiscStatus\1]
"(Default)" = "205201"

[HKCU\Software\BitTorrent\uTorrent]
"OfferName" = ""

[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.ocx"

[HKCU\Software\BitTorrent\uTorrent]
"OfferAccepted" = "0"

[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\"

The process mshta.exe:1876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{24C5EDBC-2851-452A-B521-5DA992F6C1B5}"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1299588363"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecision" = "3"
"WpadDecisionTime" = "E0 96 8A CC B9 3F D2 01"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "mshta.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadNetworkName" = "Network 2"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "E0 96 8A CC B9 3F D2 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
5fe59fc57869508e1c84812dbd36ce3b c:\Users\"%CurrentUserName%"\AppData\Local\Temp\2DB5.tmp.exe
abd8436cde5d6d9e93f100696833a432 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\AF8.tmp.exe
eaba486ca44ce139b1a6c2520fe61837 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.dll
eed49c88dba5f2aa10cbd3acf66d899d c:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.ocx
abd8436cde5d6d9e93f100696833a432 c:\Users\"%CurrentUserName%"\AppData\Roaming\Admin Cleaner\Admin Cleaner.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Russian

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 804428 804864 4.03481 155fea8d8fe3d0ecd5d1496f7e6807ae
.rdata 811008 15226 15360 3.72657 7ec49599859d637936160683ed7c4691
.data 827392 19468 5120 2.36152 dca73757d8c69906e7ea30d4a202ef06
.rsrc 847872 1944 2048 3.40613 906292853ebc9065ed2761365638d1c5
.reloc 851968 37846 37888 4.38762 bbca78fffe2008893ae82c0edbdc7037

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://com-utorrent-prod-bench-290894750.us-east-1.elb.amazonaws.com/e?i=50
hxxp://download-new.utorrent.com/endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/US/os-lang/en/os-ver/6.1/enc-ver/110339694/
hxxp://ip-api.com/json?callback=jQuery19104680431319236995_1479267031092&_=1479267031093
hxxp://com-utorrent-prod-bench-290894750.us-east-1.elb.amazonaws.com/e?i=50&e=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
hxxp://download-lb.utorrent.com/endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/US/os-lang/en/os-ver/6.1/enc-ver/110339694/ 67.215.238.66
hxxp://i-50.b-000.xyz.bench.utorrent.com/e?i=50 107.20.217.71
hxxp://i-50.b-000.xyz.bench.utorrent.com/e?i=50&e=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 107.20.217.71
router.utorrent.com 82.221.103.244
s3-us-west-2.amazonaws.com 54.231.176.240
router.bittorrent.com 67.215.246.10
api.mediaconfig.net 104.27.181.218
s3.amazonaws.com 54.231.113.200


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET POLICY External IP Lookup ip-api.com

Traffic

POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 248

{"eventName":"hydra1","action":"packDownloadStarted","type":"i","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"1","v":"110339694","cl":"uTorrent","osv":"6.1","l":"en","pid":"3784","h":"o3eNiMKDUAkRrELb","sid":"o3eNiMKDUAkRrELb1479267018","order":"1"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Wed, 16 Nov 2016 03:30:19 GMT
Server: nginx
X-Powered-By: PHP/5.4.30
Content-Length: 21
Connection: Close
{"response_code":200}


GET /json?callback=jQuery19104680431319236995_1479267031092&_=1479267031093 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ip-api.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: text/javascript; charset=utf-8
Date: Wed, 16 Nov 2016 03:30:41 GMT
Content-Length: 321
jQuery19104680431319236995_1479267031092({"as":"AS31561 PITLINE-AS","city":"Kharkiv","country":"Ukraine","countryCode":"UA","isp":"Pitline Ltd","lat":49.9808,"lon":36.2527,"org":"Pitline Ltd","query":"194.242.96.226","region":"63","regionName":"Kharkivs'ka Oblast'","status":"success","timezone":"Europe/Kiev","zip":""});


GET /endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/US/os-lang/en/os-ver/6.1/enc-ver/110339694/ HTTP/1.1
Host: download-lb.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 0


HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Wed, 16 Nov 2016 03:30:19 GMT
Content-Type: application/octet-stream
Content-Length: 2433394
Connection: close
X-bt-sig: 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
Last-Modified: Wed, 26 Oct 2016 01:55:28 +0000
Accept-Ranges: none
Content-Disposition: attachment; filename="hta.zip"
X-bt-size: 2433394
Cache-Control: private
X-rl-mx: true
Rule-UUID: de7f6050-4f7c-45cf-a888-37b23152e2e9
Content-MD5: a2929026e7bb88527b8fae3606ec75fa
Expires: Tue, 01 Jan 1980 00:00:00 +0000
X-bt-hash: 827ff98342a0f809fee80ea0dd3a701d77d2578d

<<< skipped >>>

POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 234

{"eventName":"hydra1","action":"begin","type":"i","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"1","v":"110339694","cl":"uTorrent","osv":"6.1","l":"en","pid":"3784","h":"o3eNiMKDUAkRrELb","sid":"o3eNiMKDUAkRrELb1479267018","order":"0"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Wed, 16 Nov 2016 03:30:19 GMT
Server: nginx
X-Powered-By: PHP/5.4.30
Content-Length: 21
Connection: Close
{"response_code":200}


POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 261

{"eventName":"hydra1","action":"packDownloadResult","type":"i","result":"1","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"11","v":"110339694","cl":"uTorrent","osv":"6.1","l":"en","pid":"3784","h":"o3eNiMKDUAkRrELb","sid":"o3eNiMKDUAkRrELb1479267018","order":"2"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Wed, 16 Nov 2016 03:30:29 GMT
Server: nginx
X-Powered-By: PHP/5.4.30
Content-Length: 21
Connection: Close
{"response_code":200}


GET /e?i=50&e=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 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: i-50.b-000.xyz.bench.utorrent.com


HTTP/1.1 200 OK
Content-Type: text/html
Date: Wed, 16 Nov 2016 03:30:42 GMT
Server: nginx
X-Powered-By: PHP/5.4.30
Content-Length: 21
Connection: keep-alive
{"response_code":200}


POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 270

{"eventName":"hydra1","action":"INFO","type":"i","res":"1916x902","cts":"1479267028","pv":"","cau":"0","cc":"0","bkt1":"0","ssb":"11","v":"110339694","cl":"uTorrent","osv":"6.1","l":"en","pid":"3784","h":"o3eNiMKDUAkRrELb","sid":"o3eNiMKDUAkRrELb1479267018","order":"3"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Wed, 16 Nov 2016 03:30:29 GMT
Server: nginx
X-Powered-By: PHP/5.4.30
Content-Length: 21
Connection: Close
{"response_code":200}


The Trojan connects to the servers at the following location(s):

%original file name%.exe_3640:

.text
`.rdata
@.data
.rsrc
@.reloc
%s.ef
HKEY
%s %s
%s %d
%s%s%s%s%s
%s near end of file
%s near '%s'
unable to decode byte 0x%x
invalid Unicode '\uX'
invalid Unicode '\uX\uX'
control character 0x%x
duplicate object key
Broken pipe
Inappropriate I/O control operation
Operation not permitted
GetProcessWindowStation
operator
ole32.dll
GetProcessHeap
GetWindowsDirectoryW
GetCPInfo
KERNEL32.dll
WinHttpOpenRequest
WinHttpCloseHandle
WinHttpConnect
WinHttpOpen
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpReadData
WinHttpQueryDataAvailable
WINHTTP.dll
USER32.dll
OLEAUT32.dll
IPHLPAPI.DLL
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
status=IS&uuid=44add590-e741-f447-b13e-dd9039a59e82&user_os=Win7 32&user_hash=&v=35.34&nuuid=11b152f39435d677c83fadb989059307&user_agent=IE&trsrc=1
user_agent=IE&uuid=44add590-e741-f447-b13e-dd9039a59e82&user_os=Win7 32&proc=System,smss.exe,csrss.exe,wininit.exe,csrss.exe,winlogon.exe,services.exe,lsass.exe,lsm.exe,svchost.exe,svchost.exe,svchost.exe,svchost.exe,svchost.exe,svchost.exe,svchost.exe,spoolsv.exe,svchost.exe,vmtoolsd.exe,TPAutoConnSvc.exe,taskhost.exe,explorer.exe,svchost.exe,TPAutoConnect.exe,conhost.exe,vmtoolsd.exe,dllhost.exe,SearchIndexer.exe,msdtc.exe,svchost.exe,WmiPrvSE.exe,sandbox_svc.exe,conhost.exe,taskhost.exe,cmd.exe,conhost.exe,tshark.exe,cmd.exe,conhost.exe,Procmon.exe&main=1&v=35.34&nuuid=11b152f39435d677c83fadb989059307&user_hash=&trsrc=1 &aff=trs1&enc=
C:\Users\"%CurrentUserName%"\AppData\Local\Temp
status=%s&uuid=%s&user_os=%s&user_hash=%s&v=%s&nuuid=%s&user_agent=%s&trsrc=%s
kernel32.dll
updater_url
%s.exe
updater_cmd
c:\%original file name%.exe
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS>
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
Content-Type: application/x-www-form-urlencoded
user_agent=IE&uuid=%hs&user_os=%hs&proc=%s&main=%hs&v=%hs&nuuid=%hs&user_hash=%hs&trsrc=%hs&aff=%hs&enc=%hs
https
hXXps://s3-us-west-2.amazonaws.com/151125/helloworld.exe
api.wiseinstaller.net
4.6.1.4
quia.mp3

mshta.exe_1876:

.text
`.data
.rsrc
@.reloc
clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32
msvcrt.dll
KERNEL32.dll
ADVAPI32.dll
RegCloseKey
RegOpenKeyExA
_amsg_exit
_acmdln
mshta.pdb
name="Microsoft.Windows.InetCore.mshta"
version="5.1.0.0"
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
Kernel32.dll
2kernel32.dll
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
MSHTA.EXE
Windows
9.00.8112.16421


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3640
    AF8.tmp.exe:704
    2DB5.tmp.exe:3392

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2DB5.tmp.exe (203151 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AF8.tmp.exe (14717 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Admin Cleaner\Admin Cleaner.exe (601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\install.js (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\pt.json (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.ocx (998 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\install.1479267018.zip (283430 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\logo_Yandex_RU_UA_vertical.png (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\shell_scripts\check_if_cscript_is_working.js (18 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\uTorrent\settings.dat.new (73 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SP9GL4YV.txt (89 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\shell_scripts\shell_ping_after_close.js (312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\loading.gif (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\index.hta (617 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\1f91d2d17ea675d4c2c3192e241743f9_88dcd395-b062-45b3-a6cd-79f37c0eba08 (105 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\es5-shim.js (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\BP8T0ROY.txt (88 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\main_utorrent.ico (107 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\index.hta.log (26 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\br.json (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\ru.json (9 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\main_bittorrent.ico (103 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\common.js (350 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\fr.json (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\search_protect.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\styles\common.css (102 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\en.json (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\utt5041.tmp (0 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.dll (933 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\yandex_horz.png (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\de.json (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\uninstall.hta (575 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\uninstall.js (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\yandex_horz_ru.png (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\initialize.js (978 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\yandex_browser_setup.bmp (204 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\main_icon.png (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\bt_icon_48px.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\styles\installer.css (587 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\es.json (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\it.json (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\shell_scripts\shell_install_offer.js (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\json[1].js (321 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
