Gen.Variant.Mikey.54508_181bcf826f
not-a-virus:AdWare.Win32.ICLoader.agjy (Kaspersky), Gen:Variant.Mikey.54508 (B) (Emsisoft), Gen:Variant.Mikey.54508 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 181bcf826fd65d8603fdf638017c0377
SHA1: 0184fa30d6ac4835a9ef1357bb6d23139100faee
SHA256: c083a04d34b8fb3e27506bc2c4661b3f8eb3c5982dc56f90dc21380c1343931f
SSDeep: 3072:EaaaQnlQ4OuVN2zPgy MA BC3K5eq8m3KQ://QnlYRoK7p9
Size: 156408 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-01-23 22:35:17
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
FrameworkEngine.exe:1020
%original file name%.exe:3668
gpedit.exe:4048
insF1FC.tmp.exe:3304
Updater.exe:3460
fservice.exe:1832
regsvr32.exe:3208
regsvr32.exe:3176
cscript.exe:3508
cscript.exe:1588
cscript.exe:1988
cscript.exe:3984
cscript.exe:2364
updater.exe:4056
updater.exe:2120
updater.exe:240
updater.exe:1660
cservice.exe:3280
bservice.exe:536
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\insF1FC.tmp.exe (189223 bytes)
The process gpedit.exe:4048 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\GroupPolicy\gpt.ini (261 bytes)
C:\Windows\System32\GroupPolicy\Machine\Registry.pol (1208 bytes)
The process insF1FC.tmp.exe:3304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\SafetySearch\framework\message_target.js (977 bytes)
%Program Files%\SafetySearch\framework-ui\options.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\context_menu.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\browser.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\includes\content_messaging.js (730 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\top-left.png (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\pz_info (26 bytes)
%Program Files%\SafetySearch\icons\button.png (517 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\options.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\gpedit.exe (1231 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_webrequest.js (129 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\ie_installer.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\extension_info.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\registry.js (707 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\timer.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\storageedit.exe (2705 bytes)
%Program Files%\Bench\BService\1.1\bservice.exe (533 bytes)
%Program Files%\SafetySearch\framework\backgroundscript_engine.js (2 bytes)
%Program Files%\SafetySearch\framework\global.js (1 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-left.png (307 bytes)
%Program Files%\SafetySearch\icons\icon100.png (3 bytes)
%Program Files%\Bench\Updater\updater.exe (1175 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\xhr.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\userscript_engine.js (2 bytes)
%Program Files%\SafetySearch\background.html (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\systemreport.js (537 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\utils.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SafetySearch\Uninstall.lnk (1 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_bg.js (892 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\webrequest.js (6 bytes)
%Program Files%\SafetySearch\framework\i18n.js (2 bytes)
%Program Files%\SafetySearch\CanvasFramework\canvas.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon48.png (1 bytes)
%Program Files%\SafetySearch\framework\utils.js (5 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\bottom-middle.png (240 bytes)
%Program Files%\SafetySearch\icons\icon48.png (1 bytes)
%Program Files%\SafetySearch\CanvasFramework\md5.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\invoke_async.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\uninstall.exe (3419 bytes)
%Program Files%\SafetySearch\FrameworkEngine.exe (7635 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns2CB4.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\backgroundscript_engine.js (1 bytes)
%Program Files%\SafetySearch\CanvasFramework\canvas_content.js (1 bytes)
%Program Files%\Bench\NmHost\manifest.json (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\canvas.js (9 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\top-right.png (308 bytes)
%Program Files%\Bench\FService\1.1\fservice.exe (2951 bytes)
%Program Files%\SafetySearch\CanvasFramework\webrequest.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox_installer.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsProcess2.dll (838 bytes)
%Program Files%\SafetySearch\framework\xhr.js (3 bytes)
%Program Files%\SafetySearch\CanvasFramework\registry.js (863 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\install.rdf (1 bytes)
%Program Files%\SafetySearch\framework-ui\browser_button.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\loader.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\canvas.js (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns238D.tmp (15 bytes)
%Program Files%\Bench\Updater\1.7.0.0\updater.exe (10772 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\browser_button.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\lang.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\uninstall.js (76 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\framework_api.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\console.js (1 bytes)
%Program Files%\SafetySearch\framework\lang.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\message_target.js (870 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\bottom-left.png (316 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_webrequest.js (129 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_common.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsProcess.dll (8 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-top.png (315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\io.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns2A72.tmp (15 bytes)
%Program Files%\Bench\BService\1.1\bhelper.dll (2719 bytes)
%Program Files%\SafetySearch\framework-ui\notifications.js (2 bytes)
%Program Files%\SafetySearch\framework\browser.js (12 bytes)
%Program Files%\SafetySearch\framework\extension_info.js (836 bytes)
%Program Files%\SafetySearch\config.xml (2 bytes)
%Program Files%\Bench\FService\1.1\fhelper.dll (5261 bytes)
%Program Files%\Bench\CService\1.0\chelper.dll (7665 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon100.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\extension_info.js (613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\get.dat (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_bg.js (892 bytes)
%Program Files%\SafetySearch\framework-ui\context_menu_item_handler.html (225 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\main_installer.js (1 bytes)
%Program Files%\SafetySearch\framework\loader.js (428 bytes)
%Program Files%\SafetySearch\framework-ui\framework_api.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\core.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\chrome_windows.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns24E5.tmp (15 bytes)
%Program Files%\SafetySearch\framework\initialize.js (532 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\projectInstaller.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\chrome_workaround.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon128.png (4 bytes)
%Program Files%\SafetySearch\framework\messaging.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\jquery.min.js (4587 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\api.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\info.xml (351 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\middle-right.png (234 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon32.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\notifications.js (797 bytes)
%Program Files%\SafetySearch\framework\console.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\includes\content.js (7 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\middle-left.png (235 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\bottom-right.png (311 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\top-middle.png (240 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\chrome.manifest (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\i18n.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\includes\content_loader.js (906 bytes)
%Program Files%\SafetySearch\CanvasFramework\jquery.min.js (2735 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\md5.js (3 bytes)
%Program Files%\Bench\CService\1.0\cservice.exe (3215 bytes)
%Program Files%\SafetySearch\framework-ui\context_menu.js (1 bytes)
%Program Files%\SafetySearch\icons\icon32.png (1 bytes)
%Program Files%\Bench\NmHost\nmhost.exe (4497 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns1E8A.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\icon.ico (32 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns3686.tmp (15 bytes)
%Program Files%\SafetySearch\extension_info.json (1 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_browseraction.js (822 bytes)
%Program Files%\SafetySearch\framework\invoke.js (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_browseraction.js (822 bytes)
%Program Files%\SafetySearch\framework\userscript_engine.js (3 bytes)
%Program Files%\SafetySearch\FrameworkBHO.dll (9500 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\System.dll (23 bytes)
%Program Files%\SafetySearch\framework\timer.js (934 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\invoke.js (406 bytes)
%Program Files%\SafetySearch\framework-ui\notification.html (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\installer.js (898 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\bootstrap.js (1 bytes)
%Program Files%\SafetySearch\framework\core.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsExecCv.dll (15 bytes)
%Program Files%\SafetySearch\framework\json2.js (2 bytes)
%Program Files%\SafetySearch\icons\icon128.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd21B7.tmp (595 bytes)
%Program Files%\Bench\Wd\wd.exe (2526 bytes)
%Program Files%\SafetySearch\FrameworkBHO64.dll (9651 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd21B6.tmp (274 bytes)
%Program Files%\SafetySearch\framework\io.js (2 bytes)
%Program Files%\SafetySearch\framework\api.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\md5dll.dll (14 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-bottom.png (315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns21C7.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\sqlite3.exe (18662 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\storage.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\background.html (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\button.png (517 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\messaging.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsDownloadCv.dll (3577 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\chrome_installer.js (6 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-right.png (304 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_common.js (6 bytes)
%Program Files%\SafetySearch\framework\storage.js (3 bytes)
%Program Files%\SafetySearch\framework\invoke_async.js (1 bytes)
%Program Files%\SafetySearch\framework\updater.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\migrate.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\canvas_content.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\SoftwareDetector.exe (5016 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\systeminfo.js (4 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns2CB4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns21C7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsExec.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3185.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\System.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\pz_info (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\get.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns238D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsExecCv.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd1841.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns24E5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsProcess2.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\md5dll.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsProcess.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3492.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns2A72.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns1E8A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns3686.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsDownloadCv.dll (0 bytes)
The process Updater.exe:3460 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Tasks\bench-sys.job (328 bytes)
The process fservice.exe:1832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Bench\FService\1.1\fhelper.dll (204 bytes)
The process regsvr32.exe:3208 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\SafetySearch\FrameworkBHO64.dll (495 bytes)
The process regsvr32.exe:3176 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\SafetySearch\FrameworkBHO.dll (405 bytes)
The process cscript.exe:3508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Bench\NmHost\manifest.json (215 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\gpedit.exe (98 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (79 bytes)
%Program Files%\Bench\NmHost\data\installer\fjnoekdlmmjagmmlchagfonjgbioomoo (1 bytes)
C:\Windows\System32\drivers\etc\hosts (1823 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair_data.json (2 bytes)
The process cscript.exe:1588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\storageedit.exe (77 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\SoftwareDetector.exe (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\sqlite3.exe (495 bytes)
The process cscript.exe:1988 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\browser.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\api.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\userscript_engine.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\canvas.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\chrome.manifest (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\xhr.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\bootstrap.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\includes\content.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\browser_button.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\background.html (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\includes\content_loader.js (906 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\extension_info.js (613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\context_menu.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\timer.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_bg.js (892 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_common.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon32.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair_data.json (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon48.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\invoke_async.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\i18n.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\framework_api.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\includes\content_messaging.js (730 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\loader.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\invoke.js (406 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\md5.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_webrequest.js (129 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\chrome_windows.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\io.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\core.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon100.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\console.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon128.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\uninstall.js (76 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\lang.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\messaging.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\extension_info.json (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\message_target.js (870 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\registry.js (707 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\canvas_content.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\backgroundscript_engine.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\options.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\storage.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_browseraction.js (822 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\extension_info.json (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\jquery.min.js (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\notifications.js (797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\button.png (517 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\utils.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\webrequest.js (6 bytes)
The process cscript.exe:2364 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair_data.json (4 bytes)
%Program Files%\SafetySearch\FrameworkEngine.exe (294 bytes)
%Program Files%\SafetySearch\extension_info.json (2 bytes)
The process updater.exe:4056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Tasks\bench-S-1-5-21-732923889-1296844034-1208581001-1000.job (328 bytes)
The process updater.exe:2120 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\BenchUpdater\products.xml (497 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\info.xml (0 bytes)
The process updater.exe:240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Tasks\bench-S-1-5-21-732923889-1296844034-1208581001-1000.job (326 bytes)
The process updater.exe:1660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Bench\Updater\products.xml (431 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd21B7.tmp (0 bytes)
The process cservice.exe:3280 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Bench\CService\1.0\chelper.dll (233 bytes)
The process bservice.exe:536 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Bench\BService\1.1\bhelper.dll (90 bytes)
Registry activity
The process FrameworkEngine.exe:1020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\TypeLib]
"(Default)" = "{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}]
"AppPath" = "%Program Files%\SafetySearch\"
[HKCR\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}]
"(Default)" = "SafetySearch"
[HKCR\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}]
"(Default)" = "IKangoEngine"
[HKCR\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\1.0]
"(Default)" = "EngineLib"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}]
"AppName" = "FrameworkEngine.exe"
[HKCR\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\LocalServer32]
"(Default)" = "%Program Files%\SafetySearch\FrameworkEngine.exe"
[HKCR\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}\TypeLib]
"(Default)" = "{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}"
[HKCR\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\LocalServer32]
"ServerExecutable" = "%Program Files%\SafetySearch\FrameworkEngine.exe"
[HKCR\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}]
"Policy" = "3"
[HKCR\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\Version]
"(Default)" = "1.0"
[HKCR\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafetySearch"
[HKCR\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\1.0\0\win32]
"(Default)" = "%Program Files%\SafetySearch\FrameworkEngine.exe"
The process %original file name%.exe:3668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process gpedit.exe:4048 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForceList]
"1" = "fjnoekdlmmjagmmlchagfonjgbioomoo;http://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{25A35375-5A53-46E1-872D-FB021280E7FA}Machine\Software\Policies\Google\Chrome\ExtensionInstallForcelist]
"1" = "fjnoekdlmmjagmmlchagfonjgbioomoo;http://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{25A35375-5A53-46E1-872D-FB021280E7FA}Machine\Software\Policies\Google]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{25A35375-5A53-46E1-872D-FB021280E7FA}User]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{25A35375-5A53-46E1-872D-FB021280E7FA}Machine\Software]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{25A35375-5A53-46E1-872D-FB021280E7FA}Machine\Software\Policies]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{25A35375-5A53-46E1-872D-FB021280E7FA}Machine]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{25A35375-5A53-46E1-872D-FB021280E7FA}Machine\Software\Policies\Google\Chrome]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{25A35375-5A53-46E1-872D-FB021280E7FA}Machine\Software\Policies\Google\Chrome\ExtensionInstallForcelist]
The process insF1FC.tmp.exe:3304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"DisplayVersion" = "1.0"
[HKLM\SOFTWARE\SafetySearch]
"CDN" = "safetysearch-a.akamaihd.net"
[HKLM\SOFTWARE\Bench\NmHost]
"(Default)" = "%Program Files%\Bench\NmHost\nmhost.exe"
[HKLM\SOFTWARE\SafetySearch]
"InstallTime" = "1480365683"
[HKLM\SOFTWARE\Bench\CService]
"PID" = "2031"
[HKLM\SOFTWARE\Bench\FService]
"Path" = "%Program Files%\Bench\FService\1.1"
[HKLM\SOFTWARE\SafetySearch]
"straoi" = "nov 28, 2016"
[HKLM\SOFTWARE\AdvertisingSupport]
"Existing" = "1"
[HKLM\SOFTWARE\Bench\CService]
"ZoneId" = "14136871"
[HKLM\SOFTWARE]
"38989" = "SafetySearch"
[HKLM\SOFTWARE\Bench\CService]
"Version" = "1.0"
[HKLM\SOFTWARE\AdvertisingSupport]
"Seen" = "1"
[HKLM\SOFTWARE\Bench\CService]
"aoi" = "1480365683"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER]
"iexplore.exe" = "0"
[HKLM\SOFTWARE\Bench\CService]
"Path" = "%Program Files%\Bench\CService\1.0"
[HKLM\SOFTWARE\Bench\FService\38989]
"{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}" = ""
[HKLM\SOFTWARE\Bench\CService]
"straoi" = "nov 28, 2016"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\uninstall.exe"
[HKLM\SOFTWARE\SafetySearch]
"SystemId" = "c62e94071dfd4f9df8f37d998ede05ad"
[HKLM\SOFTWARE\AdvertisingSupport]
"SystemId" = "c62e94071dfd4f9df8f37d998ede05ad"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch/icon.ico"
[HKLM\SOFTWARE\Bench\BService]
"Path" = "%Program Files%\Bench\BService\1.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"DisplayName" = "SafetySearch"
[HKLM\SOFTWARE\Bench\FService]
"Version" = "1.1"
[HKLM\SOFTWARE\Bench\CService\38989]
"(Default)" = ""
[HKLM\SOFTWARE\Bench\Updater\38989]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"InstallLocation" = "C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch"
[HKLM\SOFTWARE\Bench\Wd\38989]
"(Default)" = ""
[HKLM\SOFTWARE\SafetySearch]
"UTCInstallTime" = "1480358483"
[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"FrameworkEngine.exe" = "11001"
[HKLM\SOFTWARE\SafetySearch]
"PID" = "2031"
[HKLM\SOFTWARE\Bench\Updater]
"Path" = "%Program Files%\Bench\Updater\updater.exe"
[HKLM\SOFTWARE\Bench\BService]
"Version" = "1.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"NoRepair" = "1"
[HKLM\SOFTWARE\SafetySearch]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch"
"FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER_32" = "0"
[HKLM\SOFTWARE\Bench\FService\38989]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"Publisher" = "Stunning Apps"
[HKLM\SOFTWARE\Bench\CService]
"Format" = "//{domain}/loaders/{pid}/l.js?pid={pid}&systemid={systemid}&ext={ext}&aoi={aoi}&zoneid={zoneid}&crr={crr}&type=d"
[HKLM\SOFTWARE\SafetySearch]
"ZoneId" = "14136871"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"FrameworkEngine.exe" = "11001"
[HKLM\SOFTWARE\Bench\NmHost\38989]
"(Default)" = ""
[HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.bench.nmhost]
"(Default)" = "%Program Files%\Bench\NmHost\manifest.json"
[HKLM\SOFTWARE\Bench\CService]
"ext" = "SafetySearch"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsProcess.dll,"
[HKLM\SOFTWARE\AdvertisingSupport]
"SeenDate" = "1480358483"
[HKLM\SOFTWARE\SafetySearch]
"Seen" = "1"
[HKLM\SOFTWARE\Bench\BService\38989]
"(Default)" = ""
[HKLM\SOFTWARE\Bench\CService]
"Domain" = "safetysearch-a.akamaihd.net"
[HKLM\SOFTWARE\SafetySearch]
"SeenDate" = "1480358483"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"NoModify" = "1"
To run automatically each time Windows boots, the Trojan adds the following links to its files under the system registry autorun keys:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SafetySearch" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BService" = "%Program Files%\Bench\BService\1.1\bservice.exe"
"FService" = "%Program Files%\Bench\FService\1.1\fservice.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SafetySearch-repairJob" = "wscript.exe C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair.js SafetySearch-repairJob"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WD" = "%Program Files%\Bench\Wd\wd.exe"
"CService" = "%Program Files%\Bench\CService\1.0\cservice.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\SafetySearch]
"Seen"
[HKLM\SOFTWARE\AdvertisingSupport]
"Seen"
The Trojan disables automatic startup of the application by deleting the following autorun values:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SafetySearch-repairJob"
"Wd"
The process regsvr32.exe:3176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\TypeLib]
"(Default)" = "{B5D3A0F0-0BFE-429A-A322-95F076081845}"
[HKCR\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0\0\win32]
"(Default)" = "%Program Files%\SafetySearch\FrameworkBHO.dll"
[HKCR\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}\TypeLib]
"(Default)" = "{B5D3A0F0-0BFE-429A-A322-95F076081845}"
[HKCR\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\TypeLib]
"(Default)" = "{B5D3A0F0-0BFE-429A-A322-95F076081845}"
[HKCR\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}]
"(Default)" = "IKangoToolbar"
[HKCR\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}]
"(Default)" = "SafetySearch"
[HKCR\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafetySearch"
[HKCR\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0]
"(Default)" = "Framework 1.0 Type Library"
[HKCR\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7782DBE4-75A1-453D-B9FD-643F752E4532}" = "SafetySearch"
[HKCR\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\InprocServer32]
"(Default)" = "%Program Files%\SafetySearch\FrameworkBHO.dll"
[HKCR\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}]
"(Default)" = "IKangoBHO"
[HKCR\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\InprocServer32]
"(Default)" = "%Program Files%\SafetySearch\FrameworkBHO.dll"
"ThreadingModel" = "Apartment"
[HKCR\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}]
"(Default)" = "SafetySearch BHO"
[HKCR\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\TypeLib]
"(Default)" = "{B5D3A0F0-0BFE-429A-A322-95F076081845}"
[HKCR\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\TypeLib]
"Version" = "1.0"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}]
"NoExplorer" = "1"
"(Default)" = "SafetySearch BHO"
The process cscript.exe:1588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\SafetySearch]
"czoneid" = "12199"
The process cscript.exe:3984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Bench\InstalledExtensions]
"38989" = ""
The process cscript.exe:2364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}]
"Flags" = "0"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7782DBE4-75A1-453D-B9FD-643F752E4532}"
Dropped PE files
| MD5 | File path |
|---|---|
| 8e4be86a6eb429ec81eda3e027d0d29d | c:\Program Files\Bench\BService\1.1\bhelper.dll |
| e52deb34958a6b9c9defd04072ba320c | c:\Program Files\Bench\BService\1.1\bservice.exe |
| 59ee67deedd9086cbd4fa6b8d857ee70 | c:\Program Files\Bench\CService\1.0\chelper.dll |
| fffee0f36c519fa973cf697a65b22371 | c:\Program Files\Bench\CService\1.0\cservice.exe |
| 807855debcc9534020d05dbfba5dbf3a | c:\Program Files\Bench\FService\1.1\fhelper.dll |
| 8d5c6e316e1c04772e50ecc268a1d8da | c:\Program Files\Bench\FService\1.1\fservice.exe |
| 5820ed0b943181e5c0cd842d73698d60 | c:\Program Files\Bench\NmHost\nmhost.exe |
| 729975e07ead4a4b14d020c2bb446833 | c:\Program Files\Bench\Updater\1.7.0.0\updater.exe |
| 27862bc4eb31d1e68b866a9f32c87fd4 | c:\Program Files\Bench\Updater\updater.exe |
| b361e5282cbdd81b2222a3fe60f20b40 | c:\Program Files\Bench\Wd\wd.exe |
| 731d623281519541f71a696b71c16b90 | c:\Program Files\SafetySearch\FrameworkBHO.dll |
| b29b7a811a626b60b460cb1c1a51ff87 | c:\Program Files\SafetySearch\FrameworkBHO64.dll |
| 888e7cba78f0bee1d0a669b9687330d0 | c:\Program Files\SafetySearch\FrameworkEngine.exe |
| ba251b19a0dcbcde8f910dc97dd5074f | c:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\SoftwareDetector.exe |
| 2796990b18b323edd2446efec850a354 | c:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\gpedit.exe |
| 82771129b12517cf5c6e2244d14e8360 | c:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\sqlite3.exe |
| 161f9defe2b6718d7773d964f5c6dfd2 | c:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\storageedit.exe |
| 6431e91e5005953ea0ff94cc702160d2 | c:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\uninstall.exe |
| da9d120e344d0749718e769d0ed22b44 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\insF1FC.tmp.exe |
| 05450face243b3a7472407b999b03a72 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsProcess.dll |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses.
The modified file is 912 bytes in size. The following entry is added to the hosts file:
| IP | Host name |
|---|---|
| 127.0.0.1 | validation.sls.microsoft.com |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name:
Product Version: 1.1.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.0.0
File Description:
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 70748 | 71168 | 4.59942 | 82c456d343592e9e366847f6b73b39d6 |
| .rdata | 77824 | 25020 | 25088 | 3.22801 | 2bde5eac7ad12da7ba53279929920a7d |
| .data | 106496 | 29660 | 21504 | 0.816513 | 604e239442f8b7da60746ee2c6a44683 |
| .rsrc | 139264 | 27456 | 27648 | 4.02543 | 1201cd04fb4d0015033ccad9ac736b35 |
| .reloc | 167936 | 4804 | 5120 | 4.43662 | 8d41a58665602d3c48e6a4ec841329f9 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 3
043b5becf3173c8b310c330f9e54bac0
4e1a385f850ea93ee6d6e6216c0e3f20
046a8b11d4587bc86a2597ed5c99ecb0
URLs
| URL | IP |
|---|---|
| hxxp://a1073.d.akamai.net/get/.eJwtjDEOgCAQBP-yNYV4RNDPEBIRiUQJUGn8u6exnZ2dCy5nG2dMZEYzCjRXN0yIe20uJV8gkN-570gKnMfuP1sqSYPRjH7TLsmFyp7SigSYBc-dXI6ZE2Xly_0AGrwgww.LjL5MHmwXlFPQLOaRKBOG_1NMQc | |
| hxxp://d2rx3wo6u6259k.cloudfront.net/installer-run/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/xriderexe/14136871/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&version=20150820 | |
| hxxp://54.235.90.58/latest/crx/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4 | |
| hxxp://a402.g.akamai.net/latest/crx/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4 | |
| hxxp://d2rx3wo6u6259k.cloudfront.net/tbi-ping/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/xriderexe/14136871/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&version=20150820 | |
| hxxp://d2rx3wo6u6259k.cloudfront.net/id-check/c62e94071dfd4f9df8f37d998ede05ad/ | |
| hxxp://d2rx3wo6u6259k.cloudfront.net/newuser-ping/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/0/xriderexe/14136871/0/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&os=7&admin=1&version=20150820 | |
| hxxp://www.installping5.info/tbi-ping/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/xriderexe/14136871/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&version=20150820 | |
| hxxp://www.installping5.info/id-check/c62e94071dfd4f9df8f37d998ede05ad/ | |
| hxxp://fjnoekdlmmjagmmlchagfonjgbioomoo/latest/crx/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4 | |
| hxxp://www.installping5.info/newuser-ping/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/0/xriderexe/14136871/0/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&os=7&admin=1&version=20150820 | |
| hxxp://www.installping5.info/installer-run/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/xriderexe/14136871/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&version=20150820 | |
| hxxp://www.update-srv.info/latest/crx/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4 | |
| hxxp://www.vac-p2.info/get/.eJwtjDEOgCAQBP-yNYV4RNDPEBIRiUQJUGn8u6exnZ2dCy5nG2dMZEYzCjRXN0yIe20uJV8gkN-570gKnMfuP1sqSYPRjH7TLsmFyp7SigSYBc-dXI6ZE2Xly_0AGrwgww.LjL5MHmwXlFPQLOaRKBOG_1NMQc | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
GET /tbi-ping/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/xriderexe/14136871/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&version=20150820 HTTP/1.0
Host: VVV.installping5.info
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Server: nginx/1.8.0
Date: Mon, 28 Nov 2016 18:42:25 GMT
X-Powered-By: PHP/5.3.3
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 28 Nov 2016 18:41:30 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
X-Cache: Miss from cloudfront
Via: 1.1 8de312de5733c1d56008ab19876f303d.cloudfront.net (CloudFront)
X-Amz-Cf-Id: DGuX31Gfa_APPlUF3VAMhCdc-NYhZjzehhfpU5C9da_llZxU6jngeA==
GET /newuser-ping/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/0/xriderexe/14136871/0/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&os=7&admin=1&version=20150820 HTTP/1.0
Host: VVV.installping5.info
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Server: nginx/1.8.0
Date: Mon, 28 Nov 2016 18:42:25 GMT
X-Powered-By: PHP/5.3.3
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 28 Nov 2016 18:41:30 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
X-Cache: Miss from cloudfront
Via: 1.1 8d84df16ba20ff1d2ca3914948494e04.cloudfront.net (CloudFront)
X-Amz-Cf-Id: brTcyJNx3DZmJx_mCvvFe5uj9RnfyRAOp7NROlfBIxQFawErSYV0kw==
GET /latest/crx/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: VVV.update-srv.info
HTTP/1.1 200 OK
Content-Type: application/json
Server: nginx/1.4.6 (Ubuntu)
Content-Length: 285
Date: Mon, 28 Nov 2016 18:41:27 GMT
Connection: keep-alive
{
  "ext_id": "fjnoekdlmmjagmmlchagfonjgbioomoo",
  "ip": "54.225.95.126",
  "url": "hXXp://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4"
}
GET /latest/crx/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: fjnoekdlmmjagmmlchagfonjgbioomoo
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.4.6 (Ubuntu)
Date: Mon, 28 Nov 2016 18:46:37 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: hXXp://VVV.update-srv.info/latest/crx/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.4.6 (Ubuntu)</center>
</body>
</html>
GET /installer-run/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/xriderexe/14136871/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&version=20150820 HTTP/1.0
Host: VVV.installping5.info
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 26
Connection: close
Server: nginx/1.8.0
Date: Mon, 28 Nov 2016 18:42:19 GMT
X-Powered-By: PHP/5.3.3
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 28 Nov 2016 18:42:19 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
X-Cache: Miss from cloudfront
Via: 1.1 0f820adb6671fcc6033a9aa95ec8e0fb.cloudfront.net (CloudFront)
X-Amz-Cf-Id: WiLa6LCdowVfv52NmC1anhKr10kNPq54IfwsVQbJSddlZFyPnMd_rQ==
2031:14136871:nov 28, 2016
GET /get/.eJwtjDEOgCAQBP-yNYV4RNDPEBIRiUQJUGn8u6exnZ2dCy5nG2dMZEYzCjRXN0yIe20uJV8gkN-570gKnMfuP1sqSYPRjH7TLsmFyp7SigSYBc-dXI6ZE2Xly_0AGrwgww.LjL5MHmwXlFPQLOaRKBOG_1NMQc HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
X-Builder-DL: 1
Host: VVV.vac-p2.info
HTTP/1.1 200 OK
Content-Disposition: attachment; filename="SafetySearch.exe"
Content-Type: application/octet-stream
Server: nginx/1.4.6 (Ubuntu)
Content-Length: 2961832
Date: Mon, 28 Nov 2016 18:41:21 GMT
Connection: keep-alive
GET /id-check/c62e94071dfd4f9df8f37d998ede05ad/ HTTP/1.0
Host: VVV.installping5.info
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 1
Connection: close
Server: nginx/1.8.0
Date: Mon, 28 Nov 2016 16:22:20 GMT
X-Powered-By: PHP/5.3.3
Age: 8405
X-Cache: Hit from cloudfront
Via: 1.1 0f820adb6671fcc6033a9aa95ec8e0fb.cloudfront.net (CloudFront)
X-Amz-Cf-Id: kT19U7bpRxYn_M7VXPEFMkNjXtkTRm2ttmTh0XsVfSHiEZno9SNNwQ==
1
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
bservice.pdb
KERNEL32.dll
SetWindowsHookExW
UnhookWindowsHookEx
USER32.dll
SHLWAPI.dll
GetProcessHeap
GetCPInfo
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
bhelper.dll
Global\{4B5DC379-ED06-4552-A736-414A1570C24F}_bhelper_mutex0%Program Files%\Bench\BService\1.1\bservice.exe
fservice.exe_1832:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
D:\Work\canvas-kango\misc\FirefoxHook\bin\fservice.pdb
GetProcessHeap
KERNEL32.dll
UnhookWindowsHookEx
SetWindowsHookExW
USER32.dll
SHLWAPI.dll
GetCPInfo
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
kernel32.dll
USER32.DLL
fhelper.dll
lGlobal\{99C44C16-7756-43C1-8225-7AA442EA393E}_fhelper_mutex0%Program Files%\Bench\FService\1.1\fservice.exe
cservice.exe_3280:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
D:\Users\craig\Documents\canvas-kango\framework\installer\cservice.pdb
GetProcessHeap
KERNEL32.dll
UnhookWindowsHookEx
SetWindowsHookExW
USER32.dll
SHLWAPI.dll
GetCPInfo
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
kernel32.dll
USER32.DLL
chelper.dll
lGlobal\{0CF04375-3346-4EF0-B153-8378FF716E2C}_chelper_mutex0%Program Files%\Bench\CService\1.0\cservice.exe
wd.exe_1404:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
wd.pdb
GetProcessHeap
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
GetCPInfo
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
combase.dll
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
kernel32.dll
Global\{4B5DC379-ED06-4552-A736-414A1570C24F}_watchdog_mutex0\bservice.exe
bservice.exe
\bservice64.exe
bservice64.exe
\cservice.exe
cservice.exe
\cservice64.exe
cservice64.exe
\fservice.exe
fservice.exe
\fservice64.exe
fservice64.exe
%Program Files%\Bench\Wd\wd.exe
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
FrameworkEngine.exe:1020
%original file name%.exe:3668
gpedit.exe:4048
insF1FC.tmp.exe:3304
Updater.exe:3460
fservice.exe:1832
regsvr32.exe:3208
regsvr32.exe:3176
cscript.exe:3508
cscript.exe:1588
cscript.exe:1988
cscript.exe:3984
cscript.exe:2364
updater.exe:4056
updater.exe:2120
updater.exe:240
updater.exe:1660
cservice.exe:3280
bservice.exe:536
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\insF1FC.tmp.exe (189223 bytes)
C:\Windows\System32\GroupPolicy\gpt.ini (261 bytes)
C:\Windows\System32\GroupPolicy\Machine\Registry.pol (1208 bytes)
%Program Files%\SafetySearch\framework\message_target.js (977 bytes)
%Program Files%\SafetySearch\framework-ui\options.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\context_menu.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\browser.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\includes\content_messaging.js (730 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\top-left.png (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\pz_info (26 bytes)
%Program Files%\SafetySearch\icons\button.png (517 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\options.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\gpedit.exe (1231 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_webrequest.js (129 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\ie_installer.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\extension_info.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\registry.js (707 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\timer.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\storageedit.exe (2705 bytes)
%Program Files%\Bench\BService\1.1\bservice.exe (533 bytes)
%Program Files%\SafetySearch\framework\backgroundscript_engine.js (2 bytes)
%Program Files%\SafetySearch\framework\global.js (1 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-left.png (307 bytes)
%Program Files%\SafetySearch\icons\icon100.png (3 bytes)
%Program Files%\Bench\Updater\updater.exe (1175 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\xhr.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\userscript_engine.js (2 bytes)
%Program Files%\SafetySearch\background.html (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\systemreport.js (537 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\utils.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SafetySearch\Uninstall.lnk (1 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_bg.js (892 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\webrequest.js (6 bytes)
%Program Files%\SafetySearch\framework\i18n.js (2 bytes)
%Program Files%\SafetySearch\CanvasFramework\canvas.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon48.png (1 bytes)
%Program Files%\SafetySearch\framework\utils.js (5 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\bottom-middle.png (240 bytes)
%Program Files%\SafetySearch\icons\icon48.png (1 bytes)
%Program Files%\SafetySearch\CanvasFramework\md5.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\invoke_async.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\uninstall.exe (3419 bytes)
%Program Files%\SafetySearch\FrameworkEngine.exe (7635 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns2CB4.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\backgroundscript_engine.js (1 bytes)
%Program Files%\SafetySearch\CanvasFramework\canvas_content.js (1 bytes)
%Program Files%\Bench\NmHost\manifest.json (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\canvas.js (9 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\top-right.png (308 bytes)
%Program Files%\Bench\FService\1.1\fservice.exe (2951 bytes)
%Program Files%\SafetySearch\CanvasFramework\webrequest.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox_installer.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsProcess2.dll (838 bytes)
%Program Files%\SafetySearch\framework\xhr.js (3 bytes)
%Program Files%\SafetySearch\CanvasFramework\registry.js (863 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\install.rdf (1 bytes)
%Program Files%\SafetySearch\framework-ui\browser_button.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\loader.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\canvas.js (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns238D.tmp (15 bytes)
%Program Files%\Bench\Updater\1.7.0.0\updater.exe (10772 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\browser_button.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\lang.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\uninstall.js (76 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\framework_api.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\console.js (1 bytes)
%Program Files%\SafetySearch\framework\lang.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\message_target.js (870 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\bottom-left.png (316 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_webrequest.js (129 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_common.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsProcess.dll (8 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-top.png (315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\io.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns2A72.tmp (15 bytes)
%Program Files%\Bench\BService\1.1\bhelper.dll (2719 bytes)
%Program Files%\SafetySearch\framework-ui\notifications.js (2 bytes)
%Program Files%\SafetySearch\framework\browser.js (12 bytes)
%Program Files%\SafetySearch\framework\extension_info.js (836 bytes)
%Program Files%\SafetySearch\config.xml (2 bytes)
%Program Files%\Bench\FService\1.1\fhelper.dll (5261 bytes)
%Program Files%\Bench\CService\1.0\chelper.dll (7665 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon100.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\extension_info.js (613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\get.dat (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_bg.js (892 bytes)
%Program Files%\SafetySearch\framework-ui\context_menu_item_handler.html (225 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\main_installer.js (1 bytes)
%Program Files%\SafetySearch\framework\loader.js (428 bytes)
%Program Files%\SafetySearch\framework-ui\framework_api.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\core.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\chrome_windows.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns24E5.tmp (15 bytes)
%Program Files%\SafetySearch\framework\initialize.js (532 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\projectInstaller.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\chrome_workaround.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon128.png (4 bytes)
%Program Files%\SafetySearch\framework\messaging.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\jquery.min.js (4587 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\api.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\info.xml (351 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\middle-right.png (234 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon32.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\notifications.js (797 bytes)
%Program Files%\SafetySearch\framework\console.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\includes\content.js (7 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\middle-left.png (235 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\bottom-right.png (311 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\top-middle.png (240 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\chrome.manifest (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\i18n.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\includes\content_loader.js (906 bytes)
%Program Files%\SafetySearch\CanvasFramework\jquery.min.js (2735 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\md5.js (3 bytes)
%Program Files%\Bench\CService\1.0\cservice.exe (3215 bytes)
%Program Files%\SafetySearch\framework-ui\context_menu.js (1 bytes)
%Program Files%\SafetySearch\icons\icon32.png (1 bytes)
%Program Files%\Bench\NmHost\nmhost.exe (4497 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns1E8A.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\icon.ico (32 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns3686.tmp (15 bytes)
%Program Files%\SafetySearch\extension_info.json (1 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_browseraction.js (822 bytes)
%Program Files%\SafetySearch\framework\invoke.js (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_browseraction.js (822 bytes)
%Program Files%\SafetySearch\framework\userscript_engine.js (3 bytes)
%Program Files%\SafetySearch\FrameworkBHO.dll (9500 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\System.dll (23 bytes)
%Program Files%\SafetySearch\framework\timer.js (934 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\invoke.js (406 bytes)
%Program Files%\SafetySearch\framework-ui\notification.html (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\installer.js (898 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\bootstrap.js (1 bytes)
%Program Files%\SafetySearch\framework\core.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsExecCv.dll (15 bytes)
%Program Files%\SafetySearch\framework\json2.js (2 bytes)
%Program Files%\SafetySearch\icons\icon128.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd21B7.tmp (595 bytes)
%Program Files%\Bench\Wd\wd.exe (2526 bytes)
%Program Files%\SafetySearch\FrameworkBHO64.dll (9651 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd21B6.tmp (274 bytes)
%Program Files%\SafetySearch\framework\io.js (2 bytes)
%Program Files%\SafetySearch\framework\api.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\md5dll.dll (14 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-bottom.png (315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\ns21C7.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\sqlite3.exe (18662 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\storage.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\background.html (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\button.png (517 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\messaging.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsDownloadCv.dll (3577 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\chrome_installer.js (6 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-right.png (304 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss1851.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_common.js (6 bytes)
%Program Files%\SafetySearch\framework\storage.js (3 bytes)
%Program Files%\SafetySearch\framework\invoke_async.js (1 bytes)
%Program Files%\SafetySearch\framework\updater.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\migrate.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\canvas_content.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\SoftwareDetector.exe (5016 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\systeminfo.js (4 bytes)
C:\Windows\Tasks\bench-sys.job (328 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (79 bytes)
%Program Files%\Bench\NmHost\data\installer\fjnoekdlmmjagmmlchagfonjgbioomoo (1 bytes)
C:\Windows\System32\drivers\etc\hosts (1823 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair_data.json (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\browser.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\api.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\userscript_engine.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\canvas.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\chrome.manifest (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\xhr.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\bootstrap.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\includes\content.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\browser_button.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\background.html (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\includes\content_loader.js (906 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\extension_info.js (613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\context_menu.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\timer.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_bg.js (892 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_common.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon32.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon48.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\invoke_async.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\i18n.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\framework_api.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\includes\content_messaging.js (730 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\loader.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\invoke.js (406 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\md5.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_webrequest.js (129 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\chrome_windows.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\io.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\core.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon100.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\console.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon128.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\uninstall.js (76 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\lang.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\messaging.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\message_target.js (870 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\registry.js (707 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\canvas_content.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\backgroundscript_engine.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\options.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\storage.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_browseraction.js (822 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\extension_info.json (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\jquery.min.js (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\notifications.js (797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\button.png (517 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\utils.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\webrequest.js (6 bytes)
C:\Windows\Tasks\bench-S-1-5-21-732923889-1296844034-1208581001-1000.job (328 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\BenchUpdater\products.xml (497 bytes)
%Program Files%\Bench\Updater\products.xml (431 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SafetySearch" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BService" = "%Program Files%\Bench\BService\1.1\bservice.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FService" = "%Program Files%\Bench\FService\1.1\fservice.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SafetySearch-repairJob" = "wscript.exe C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair.js SafetySearch-repairJob"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WD" = "%Program Files%\Bench\Wd\wd.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CService" = "%Program Files%\Bench\CService\1.0\cservice.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.