Trojan.NSIS.StartPage_0e0f9413ed

by malwarelabrobot on April 9th, 2018 in Malware Descriptions.

Gen:Variant.Graftor.461601 (BitDefender), not-a-virus:HEUR:AdWare.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Adware.Downware.18220 (DrWeb), Gen:Variant.Graftor.461601 (B) (Emsisoft), GenericRXDW-SK!A7DA7C7238C2 (McAfee), PUA.OpenSUpdater (Ikarus), Gen:Variant.Graftor.461601 (FSecure), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 0e0f9413edfe985b212126c0f8346956
SHA1: 2cb115d02b6756689be4faab1da34923d3d69196
SHA256: 487af607d4332ea641edf78690f195a3db485c086415ba78bec7b1a0618aecbc
SSDeep: 24576:ebHnzpQF4qnyCqHc1/kDV2vbpEtV7Oap35u7HpRvaAUlO/6r5y1EkyxnXXWZosZ:2CuC31/kubpEfpu3yAJ6ohyxe2FUDvBc
Size: 1726392 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-04-02 06:20:13
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

In this sample the carrier is a Nullsoft Install System (NSIS) v2.51 installer whose version information names it "PRUpdater" 3.01.24.1. It carries no code-signing certificate, its manifest requests requireAdministrator, and at run time it extracts the stock NSIS plug-ins (System.dll, nsDialogs.dll, inetc.dll, Banner.dll, md5dll.dll) together with installer-specific DLLs (Dialogs.dll, Fusion.dll, fUtil.dll, fuser.dll) into a temporary nsq*.tmp directory. Using the inetc plug-in (User-Agent "NSIS_Inetc (Mozilla)") it reports the OS version and service pack, bitness, whether it runs with administrator rights, and the CPU and GPU model to savesetup.com and to an AWS Elastic Load Balancer hostname. Most of the vendor detections above classify it as adware or a potentially unwanted application (PUA.OpenSUpdater, AdWare.Win32.Generic, Adware.Downware) rather than as a backdoor; the behaviour observed in this run is that of a bundler/updater stub that phones home, and no payload beyond the installer itself was seen.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2060

The Trojan injects its code into the following process(es):

%original file name%.exe:2940

(The sandbox reports the second instance as code injection. Given the requireAdministrator manifest and the "c:\%original file name%.exe" /start=1 /path= command line recovered from memory, process 2940 is more plausibly the installer re-executing itself elevated through UAC; treat the "injection" label as the analysis system's heuristic rather than as evidence of classic process injection.)

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2060 makes changes in the file system.
The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5F7E.tmp (0 bytes)

The process %original file name%.exe:2940 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\921.txt (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1965.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\LCLogo.bmp (2784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\installer[3].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[8].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\0QZQ51Z4.txt (114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\33.txt (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[6].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[8].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\md5dll.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\23.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_2BD85C712A72CD147177B036ACBEE38C (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\installer[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\p[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1974.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[4].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\System.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[1].htm (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7E2.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[4].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1763.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\installer[4].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9D8B.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[5].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\find[1].htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1956.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\914.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[9].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[7].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\Image2.bmp (494 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\Fusion.dll (31413 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[3].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\fUtil.dll (9076 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[3].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\Image.bmp (2104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[6].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\Dialogs.dll (1118 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[5].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1543.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[5].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[3].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\decline.ico (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[7].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F (792 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\pixel[1].htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\915.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1802.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1804.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[2].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\accept.ico (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1953.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1533.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1488.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[4].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\postdata4[1].htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\4.txt (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1891.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\Banner.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[6].htm (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1803.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1973.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\postdata3[1].htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[9].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb605B.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\fuser.dll (3487 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[2].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\installer[5].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1720.txt (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\eula3.rtf (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[2].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\BrowserSafer.ico (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA52A.tmp (45 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1957.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\2.txt (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\installer[2].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1914.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1747.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ipb[1].htm (45 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[7].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1838.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_2BD85C712A72CD147177B036ACBEE38C (764 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\3.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9D8A.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\371.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1975.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1.txt (3 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb605B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5FBD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[6].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9D8B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9D8A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA52A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7E2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[1].htm (0 bytes)

Registry activity

The process %original file name%.exe:2940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\0e0f9413edfe985b212126c0f8346956_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\0e0f9413edfe985b212126c0f8346956_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

Note: the Tracing\<md5>_RASAPI32 and _RASMANCS keys are written by the Windows RAS tracing subsystem whenever a process loads rasapi32.dll (here through WinINet), and the ZoneMap, Connections and Proxy* changes are WinINet re-reading and re-saving the per-user connection settings. None of this is persistence: no Run key, service, scheduled task or startup entry is created. The removal of ProxyServer, ProxyOverride and AutoConfigURL is still worth checking on a host that relied on a proxy or PAC file, because those settings would not survive this run.

Dropped PE files

MD5 File path
a748a0a7a7eb56ad356cce710968a380 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\Banner.dll
68e124e38182aed9034e6e59a732cbdb c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\Dialogs.dll
c54f2edc4fffeacd9f2dd22e5d88bbb6 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\Fusion.dll
56a321bd011112ec5d8a32b2f6fd3231 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\System.dll
cb427df9a446cf9d7ac0b7fd27daefe6 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\fUtil.dll
46b64f5baea4e0230e0604f1344a8f9b c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\fuser.dll
e541458cfe66ef95ffbea40eaaa07289 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\inetc.dll
0745ff646f5af1f1cdd784c06f40fce9 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\md5dll.dll
f832e4279c8ff9029b94027803e10e1b c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\nsDialogs.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: PRUpdater
Product Version:
Legal Copyright: Copyright.(C) 2014 PRUpdater
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.01.24.1
File Description: PRUpdater
Comments:
Language: Language Neutral

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             24166         24576     4.46432  d22b359417726295d1d61eaac63c3d95
.rdata  28672            4770          5120      3.50617  68295528d67e59e0536c9d80519cbe96
.data   36864            154904        1536      2.90272  82232fd09381275af53acb18fd24a88b
.ndata  192512           192512        0         0        d41d8cd98f00b204e9800998ecf8427e
.rsrc   385024           22872         23040     2.37784  b42ce6a6cf44552d66db588303dc9440

.ndata has no raw data (raw size 0, so its MD5 is the hash of the empty input): it is the NSIS runtime's uninitialised data section, reserved in memory for the installer's decompressed data. The five sections account for only 54,272 bytes of the 1,726,392-byte file; the rest is the compressed NSIS archive appended as an overlay after .rsrc, which is also what drives the overall "Packed" entropy verdict.
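The section table alone is enough to recognise an NSIS installer: the .ndata section reserves virtual space but has no raw bytes, and almost the entire file sits in an overlay after the last section. The following Python script is an added example, not code from the report or from the sample. It builds a synthetic 32-bit PE header in memory using this sample's five section entries (filler bytes stand in for the real section contents, and a constructed overlay carries the "Nullsoft Install System" string that the real file keeps in its manifest), then parses the header with struct, hashes each section's raw slice the way the report's Section MD5 column does, measures the overlay and reports whether the image looks like NSIS. The zeroed optional header and the filler layout are assumptions made so the script runs offline.

```python
"""NSIS triage from a PE section table (added example; not the report's code).

The synthetic image built here mirrors the report's section table; the byte
layout (zeroed optional header, filler raw data, constructed overlay) is an
assumption made so the script runs offline.
"""
import hashlib
import struct

# Strings the report recovered from this sample (manifest and NSIS error URL).
NSIS_MARKERS = (b"Nullsoft Install System", b"nsis.sf.net/NSIS_Error")

# (name, virtual address, virtual size, raw size) copied from the PE Sections table.
REPORT_SECTIONS = [
    (b".text", 4096, 24166, 24576),
    (b".rdata", 28672, 4770, 5120),
    (b".data", 36864, 154904, 1536),
    (b".ndata", 192512, 192512, 0),
    (b".rsrc", 385024, 22872, 23040),
]


def build_synthetic_pe(sections, overlay=b""):
    """Assemble MZ stub + PE signature + COFF header + PE32 optional header + section table."""
    opt_size = 224                      # PE32 optional header length; only the magic is filled
    nsect = len(sections)
    e_lfanew = 0x40
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * nsect
    raw_ptr = (hdr_end + 511) // 512 * 512        # first raw section at a 512-byte file alignment
    table = b""
    raw_blobs = []
    for name, va, vsize, rsize in sections:
        ptr = raw_ptr if rsize else 0             # sections without raw data point nowhere
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, ptr, 0, 0, 0, 0, 0x60000020)
        if rsize:
            raw_blobs.append((ptr, bytes([len(name)]) * rsize))   # filler, not real code
            raw_ptr += rsize
    image = bytearray(raw_ptr)
    image[0:2] = b"MZ"
    image[0x3C:0x40] = struct.pack("<I", e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (executable, 32-bit)
    image[e_lfanew + 4:e_lfanew + 24] = struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    opt[0:2] = struct.pack("<H", 0x10B)           # PE32 magic
    image[e_lfanew + 24:e_lfanew + 24 + opt_size] = opt
    image[e_lfanew + 24 + opt_size:hdr_end] = table
    for ptr, blob in raw_blobs:
        image[ptr:ptr + len(blob)] = blob
    return bytes(image) + overlay


def parse_sections(data):
    """Walk the section table and hash each raw slice (the report's 'Section MD5')."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsect):
        name, vsize, va, rsize, ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[ptr:ptr + rsize] if rsize else b""
        out.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                    "raw_size": rsize, "ptr": ptr, "md5": hashlib.md5(raw).hexdigest()})
    return out


def triage_nsis(data):
    """Combine the .ndata shape, the overlay size and marker strings into a verdict."""
    secs = parse_sections(data)
    ndata = next((s for s in secs if s["name"] == ".ndata"), None)
    end_of_sections = max(s["ptr"] + s["raw_size"] for s in secs)
    markers = [m.decode() for m in NSIS_MARKERS if m in data]
    bss_like = bool(ndata) and ndata["raw_size"] == 0 and ndata["vsize"] > 0
    return {
        "sections": secs,
        "ndata_bss_like": bss_like,
        "overlay_bytes": len(data) - end_of_sections,
        "markers": markers,
        "looks_like_nsis": bss_like and bool(markers),
    }


# Constructed stand-in for the sample: the marker string lives in the overlay here,
# whereas the real file keeps it in the .rsrc manifest and its archive in the overlay.
SAMPLE = build_synthetic_pe(REPORT_SECTIONS,
                            overlay=b"\0" * 64 + b"Nullsoft Install System v2.51" + b"\0" * 64)

if __name__ == "__main__":
    verdict = triage_nsis(SAMPLE)
    for s in verdict["sections"]:
        print(f'{s["name"]:<7} va={s["va"]:<7} vsize={s["vsize"]:<7} raw={s["raw_size"]:<6} md5={s["md5"]}')
    print("overlay bytes:", verdict["overlay_bytes"], "markers:", verdict["markers"],
          "NSIS:", verdict["looks_like_nsis"])
```

On a real file, read it into `data` and call `triage_nsis(data)`; the .ndata entry will come back with the same empty-input MD5 the report shows, and `overlay_bytes` will be roughly the 1.67 MB the sections do not account for.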

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACEAYN1sHQZ5AbVHX8/8KeMTc=
hxxp://cs9.wac.phicdn.net/Omniroot2025.crl
hxxp://stp-1014845532.us-east-1.elb.amazonaws.com/p.gif?rs=i&h=&av=&aver=&osver=6.1&ossp=1&err=0&64=0&adm=1&quant=1362553800 54.243.250.185
ocsp.digicert.com 93.184.220.29
savesetup.com 104.28.2.254
crl3.digicert.com 93.184.220.29


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers

Traffic

GET /p.gif?rs=i&h=&av=&aver=&osver=6.1&ossp=1&err=0&64=0&adm=1&quant=1362553800 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: stp-1014845532.us-east-1.elb.amazonaws.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Type: image/gif
Date: Sun, 08 Apr 2018 01:58:59 GMT
Expires: Mon, 09 Apr 2018 01:58:59 GMT
Last-Modified: Sun, 08 Apr 2018 01:58:59 GMT
Pragma: no-cache
Server: nginx
Content-Length: 43
Connection: keep-alive
GIF89a.............!.......,..............;

(43-byte GIF89a body: a 1x1 tracking pixel acknowledging the telemetry beacon)
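The ET POLICY alert above keys on nothing more than the User-Agent string, which is also what makes this traffic easy to hunt for in proxy logs. The following Python script is an added example, not part of the Lavasoft report or of the sample: it scans constructed proxy-log lines (the `timestamp client method url "user-agent"` layout is an assumption; adapt parse_line() to your proxy's format) for the NSIS_Inetc User-Agent and for the telemetry parameter set shared by this sample's p.gif and pixel.php beacons (rs, osver, ossp, err, 64, adm, quant), ignores the Microsoft-CryptoAPI revocation fetches that accompany any WinINet TLS handshake, and pivots the hits by client so the hosts to block are visible. The pixel.php line assumes the HTTPS request was visible to the log (TLS inspection or a host-side log); the Firefox and decoy p.gif lines are made up for contrast.

```python
"""Hunt NSIS/inetc installer beacons in HTTP proxy logs (added example, not the report's code).

The log lines and their 'ts client method url "user-agent"' layout are constructed
for this example; adapt parse_line() to your proxy's real format.
"""
import re
from urllib.parse import parse_qs, urlsplit

# The User-Agent that the ET POLICY "NSIS_Inetc (Mozilla)" signature keys on.
INETC_UA_PREFIX = "NSIS_Inetc"
# Parameter set shared by this sample's p.gif and pixel.php beacons.
BEACON_PARAMS = {"rs", "osver", "ossp", "err", "64", "adm", "quant"}
# CryptoAPI CRL/OCSP fetches accompany any WinINet TLS handshake; not an indicator.
BENIGN_UA_PREFIXES = ("Microsoft-CryptoAPI/",)

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

# Constructed sample log: the two CryptoAPI lines and the p.gif line mirror the report's
# traffic; the pixel.php, Firefox and decoy p.gif lines are made up for contrast.
SAMPLE_LOG = """\
2018-04-08T01:58:46Z 10.0.0.5 GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACEAYN1sHQZ5AbVHX8/8KeMTc= "Microsoft-CryptoAPI/6.1"
2018-04-08T01:58:51Z 10.0.0.5 GET http://crl3.digicert.com/Omniroot2025.crl "Microsoft-CryptoAPI/6.1"
2018-04-08T01:58:59Z 10.0.0.5 GET http://stp-1014845532.us-east-1.elb.amazonaws.com/p.gif?rs=i&h=&av=&aver=&osver=6.1&ossp=1&err=0&64=0&adm=1&quant=1362553800 "NSIS_Inetc (Mozilla)"
2018-04-08T01:59:03Z 10.0.0.5 GET https://savesetup.com/pixel.php?rs=i&h=&av=&aver=&osver=6.1&ossp=1&err=0&64=0&adm=1&quant=1362553800&cpu=Intel(R)%20Core(TM)%20i7-4770&gpu=VMware%20SVGA%203D "NSIS_Inetc (Mozilla)"
2018-04-08T02:00:00Z 10.0.0.7 GET https://example.org/index.html "Mozilla/5.0 (Windows NT 6.1; rv:59.0) Gecko/20100101 Firefox/59.0"
2018-04-08T02:00:05Z 10.0.0.7 GET https://example.org/p.gif?rs=i&quant=1 "Mozilla/5.0 (Windows NT 6.1; rv:59.0) Gecko/20100101 Firefox/59.0"
"""


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Reasons this request looks like an NSIS installer beacon ([] = nothing to see)."""
    reasons = []
    ua = rec["ua"]
    if ua.startswith(BENIGN_UA_PREFIXES):
        return reasons
    if ua.startswith(INETC_UA_PREFIX):
        reasons.append("inetc-user-agent")
    params = parse_qs(urlsplit(rec["url"]).query, keep_blank_values=True)
    if BEACON_PARAMS.issubset(params):
        reasons.append("telemetry-beacon")
        if params["adm"] == ["1"]:          # installer told the server it runs elevated
            reasons.append("reports-admin-rights")
    return reasons


def scan(log_text):
    """Run classify() over every parseable line; return the hits with host and client."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({"ts": rec["ts"], "client": rec["client"],
                             "host": urlsplit(rec["url"]).hostname, "reasons": reasons})
    return findings


def hosts_by_client(findings):
    """Pivot hits into {client: {beacon hosts}} for blocking and further hunting."""
    pivot = {}
    for f in findings:
        pivot.setdefault(f["client"], set()).add(f["host"])
    return pivot


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["client"], "->", h["host"], ",".join(h["reasons"]))
    print(hosts_by_client(hits))
```

The User-Agent check alone reproduces the ET POLICY verdict; requiring the beacon parameter set as well is what keeps a stray p.gif from an ordinary browser out of the results, and the adm=1 flag is worth surfacing separately because it tells you the installer was already running elevated when it phoned home.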


GET /Omniroot2025.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl3.digicert.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=172800
Content-Type: application/x-pkcs7-crl
Date: Sun, 08 Apr 2018 01:58:51 GMT
Etag: "4018833143"
Expires: Tue, 10 Apr 2018 01:58:51 GMT
Last-Modified: Tue, 27 Mar 2018 21:15:17 GMT
Server: ECS (waw/17D3)
X-Cache: HIT
Content-Length: 4221
<<< DER-encoded CRL body (4221 bytes) skipped: issuer C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root; thisUpdate 2018-03-27 21:56:08Z, nextUpdate 2018-06-22 21:56:08Z. This is Windows CryptoAPI's routine revocation check for the TLS connection to savesetup.com, not installer traffic. >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACEAYN1sHQZ5AbVHX8/8KeMTc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=167657
Content-Type: application/ocsp-response
Date: Sun, 08 Apr 2018 01:58:46 GMT
Etag: "5ac95931-1d7"
Expires: Tue, 10 Apr 2018 00:27:32 GMT
Last-Modified: Sat, 07 Apr 2018 23:50:09 GMT
Server: ECS (waw/17C1)
X-Cache: HIT
Content-Length: 471
<<< DER-encoded OCSP response (471 bytes) skipped: producedAt/thisUpdate 2017-11-15 20:34:33Z, nextUpdate 2018-05-14 20:34:33Z are visible in the dump; the sandbox repeated the headers and body once. Like the CRL fetch above, this is CryptoAPI certificate-chain validation rather than installer traffic. >>>

The Trojan connects to the servers listed in the URLs and Traffic sections above.

Strings from dumps

%original file name%.exe_2940:

.text
`.rdata
@.data
.ndata
.rsrc
Vj%SSS
uDSSh
hu2.iu
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
%s%s.dll
ers\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\nsDialogs.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\nsDialogs.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp
s\UrlAssociations\http\UserChoice
\par \hich\af38\dbch\af31505\loch\f38 You may not use the database portion of the Software Product in connection with any s\hich\af38\dbch\af31505\loch\f38 oftware other than the Software Product.
s. You may not alter any files or libraries in any portion of the Software Product. You may not reproduce the database portion or create any tables or reports relating to the database portion.
r requirements or operate under your specific conditions of use. InstallerTech makes no warranty that operation of the Software Product will be secure, error free, or free from interruption. YOU MUST DETERMINE WHETHER THE SOFTWARE PRODUCT SUFFICIENTLY MEE
ITIVE, OR EXEMPLARY DAMAGES OF ANY KIND (INCLUDING LOST REVENUES OR PROFITS OR LOSS OF BUSINESS) RESULTING FROM THIS AGREEMENT, OR FROM THE FURNISHING, PERFORMANCE, INSTALLATION, OR USE OF THE SOFTWARE PRODUCT, WHETHER DUE TO A BREACH OF CONTRACT, BREACH
.WT#w
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7E2.tmp
nsrB7E2.tmp
2622004
13160660
3010820
\"%CurrentUserName%"\AppData\Local\Temp\nsrB7E2.tmp
:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB5AF.tmp
"c:\%original file name%.exe" /start=1 /path=
C:\Users\"%CurrentUserName%"\AppData\Local\PRUpdaterFiles
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsb5FBD.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
c:\%original file name%.exe
1362553800
savesetup.com
pproduction.com
hXXps://savesetup.com/installer.php?CODE=PUTGQ&UID=6461260B-EEB4-4A6E-BEC4-8433B531AAFB&quant=1362553800&action=
1114330
-687209051
-1039531109
-821427714
1158284395
AAjcM0WrUSlfbBR5EtcPS1b1d67LEhdHndovnNfbsp4dMHIEUAyU3KoPgrWUjsrAK1td7V69yPJhPpePm9dzzaCLAc1VCD3BE5KY3sfKXNNn/FVXtQg28uSgPFS40iXt/3S5hr1gY7yZNFYKBxqCv0X6wRPg6ftjUqzsmrkR9G/2KoXUC8paxjLqLRq64tiNkhqPwr8HI8/JiksVrkWN9t43Cd98W7yZmeOKncET2qTjBLPxYbZUQu6c48xiJwSQGioaZ4I8G4Qt7JGv2dAvWegidM28UMuK2ZKlmb1Rxo7EW83iqYE Vq8RS78lHZBjTPC5HMBZtscKNbmPvcGQvQ==
1326056504
822739907
1191838811
1258947578
1158284432
2949602
520749620
52035584
hXXps://savesetup.com/info.php?&quant=1362553800
hXXp://stp-1014845532.us-east-1.elb.amazonaws.com/p.gif?rs=i&h=&av=&aver=&osver=6.1&ossp=1&err=0&64=0&adm=1&quant=1362553800
6.1:7601:0
hXXps://savesetup.com/pixel.php?rs=i&h=&av=&aver=&osver=6.1&ossp=1&err=0&64=0&adm=1&quant=1362553800&cpu=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&gpu=VMware SVGA 3D (Microsoft Corporation - WDDM)
6461260B-EEB4-4A6E-BEC4-8433B531AAFB
hXXps://savesetup.com/ipb.php?ID=5E4845F47C07&ID2=9DC49B997895&icount=23&rcount=43&ucount=1&m=60aeaf94d99b4f65bb00edf1d4446f11
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.51</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
3.01.24.1

%original file name%.exe_2940_rwx_10004000_00001000:

callback%d


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2060

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan (the nsq5FCD.tmp directory and the ns*.tmp file names are generated per run; on another host look for any ns????.tmp entries under %TEMP%):

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\921.txt (44 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1965.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\LCLogo.bmp (2784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[1].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\installer[3].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[8].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\0QZQ51Z4.txt (114 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\33.txt (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[6].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[8].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\md5dll.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\23.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_2BD85C712A72CD147177B036ACBEE38C (471 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\installer[1].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\p[1].gif (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1974.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[4].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\System.dll (22 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[1].htm (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB7E2.tmp (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[4].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1763.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\installer[4].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9D8B.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[5].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\find[1].htm (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1956.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\914.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[9].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[7].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\Image2.bmp (494 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\Fusion.dll (31413 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[3].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\fUtil.dll (9076 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[3].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\inetc.dll (44 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\Image.bmp (2104 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[6].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\Dialogs.dll (1118 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[5].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1543.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[5].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[3].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\decline.ico (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[7].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F (792 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\pixel[1].htm (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\nsDialogs.dll (21 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\915.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1802.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1804.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[2].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\accept.ico (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1953.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1533.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1488.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[4].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\postdata4[1].htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\4.txt (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1891.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\Banner.dll (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[6].htm (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1803.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1973.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\postdata3[1].htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[9].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb605B.tmp (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\fuser.dll (3487 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[2].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\installer[5].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1720.txt (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\eula3.rtf (1568 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[2].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\BrowserSafer.ico (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA52A.tmp (45 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1957.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\2.txt (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\installer[2].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1914.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1747.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ipb[1].htm (45 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[1].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[7].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1838.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_2BD85C712A72CD147177B036ACBEE38C (764 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\3.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9D8A.tmp (53 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\371.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1975.txt (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq5FCD.tmp\1.txt (3 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
