Trojan.NSIS.StartPage_1d6a5a848a

by malwarelabrobot on July 1st, 2017 in Malware Descriptions.

not-a-virus:Downloader.Win32.DownloAdmin.gen (Kaspersky), DownloadAdmin (fs) (VIPRE), Trojan.Vittalia.81 (DrWeb), Application.Downloader (A) (Emsisoft), Trojan.Gen.2 (Symantec), Win32:Adware-gen [Adw] (AVG), Win32:Adware-gen [Adw] (Avast), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 1d6a5a848a8a89e6a78e0a3e3d1672bc
SHA1: f76cbee00192124a2076c9694be6443ed8951116
SHA256: b768bb6cae7b177b6781dfdc0574699b85a3cb23641f8c95624383bbd8ad53e2
SSDeep: 12288:jxpJZ2pMfvpryP1 MWHKHjLX75apSuLen4lHS2711vmIT51C2xeZWfuW:dp/GMfv4d DHQLX7ULblHv71UI9c2xFR
Size: 784080 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-06-22 21:07:51
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

For this sample the behaviour is that of a pay-per-install bundler rather than a classic backdoor. The file is an NSIS installer (the .ndata section with a raw size of 0 in the PE Sections table and the nsh2EBF.tmp plugin directory under %Temp% are the NSIS markers) that unpacks a Lua-scripted bundle manager (lua51.dll, LuaBridge.dll, luacom.dll, BundleInstall.lua, IntegratedOffer.lua, DownloadThread.lua) and identifies itself on the wire as "Tightrope Bundle Manager". It fetches an offer manifest from service.downloadadmin.com, then downloads the offer pages (.mht) and third-party installers (eShieldToolbar.exe, OneSystemCare.exe, Updateadmin_Setup13.msi, an Opera stable build) from the hosts listed under Network Activity. The "toolbar, search, home" offer category in that manifest is what the StartPage detection name refers to, and the Kaspersky DownloAdmin and VIPRE DownloadAdmin names point at the same bundler family.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

un.package.exe:3524

The Trojan injects its code into the following process(es):

%original file name%.exe:2748

(PID 2748 is the sample's own process, the one that writes the nsh2EBF.tmp directory below, so this entry does not indicate cross-process injection.)

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\close.gif (510 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\offers.css (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\DALogo2.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\decline_offer_btn.gif (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaSocket\lua\socket\smtp.lua (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\acceptBlue.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\mod.css (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\version.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaSocket\lua\socket\ftp.lua (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\9\dyncombo2.mht (33004 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\truste.gif (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\133\opera_490.mht (1444 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\DownloadList.lua (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\progress.css (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\bg4.gif (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\wbk7294.tmp (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaXml_lib.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\bg.gif (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\ok.gif (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\UiState.lua (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\ButtonEvent.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\Events.lua (912 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\NotifyIcon.lua (302 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaXml.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\BundleInstall.lua (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\DALogo.jpg (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\winclose_button.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\res\common.js (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\res\common.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\Env.lua (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\next.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaSocket\mime\core.dll (1909 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\System.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\135\Update_Admin_490_1.mht (1924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\back.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\skip_all_offers_btn.gif (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaSocket\lua\ltn12.lua (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\Downloads.lua (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaSocket\lua\socket\tp.lua (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\cancel_button.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaBridge.dll (1592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\UACInfo.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\decline.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaSocket\lua\socket\url.lua (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaSocket\lua\mime.lua (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\lua51.dll (6527 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\1\Clear_Browser_TEST_TR_628.mht (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBE.tmp (32637 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\extension.tlb (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\CallbackProxy.lua (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaSocket\lua\socket.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\79\eshield_nocheckboxes_490_3.mht (1444 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\cancel.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\bg2.gif (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\IntegratedOffer.lua (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\back_button.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\headerBG.gif (366 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\res\jquery.js (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\stepBG.gif (946 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\un.package.exe (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\IntegratedOffer-Truste-Steps.html.pack (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\definitions.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaSocket\socket\core.dll (2473 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\DownloadThread.lua (581 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\luacom.dll (10136 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\GuiInit.lua (4992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\BrowserControl.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\utils.lua (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\step_off.gif (138 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\customNsWeb.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\wbk72B5.tmp (740 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\acceptGreen.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\ProcessFreeFile.lua (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\FloatingProgress.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\accept.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\__localxml.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017063020170701\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\json.lua (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\uninstall.gif (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\winmin_button.png (792 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\cancel.css (578 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\AdvancedTests.lua (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaSocket\lua\socket\http.lua (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\CustomBrandingURL.dll (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\Sandbox.lua (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\step_on.gif (142 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\134\onesystemcare_490.mht (676 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\__web.xml (8000 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wbk72B4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101320161014\index.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wbk7293.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101320161014 (0 bytes)

The process un.package.exe:3524 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\IntegratedOffer-Truste-Steps.html (4152 bytes)

Registry activity

The process %original file name%.exe:2748 makes changes in the system registry.
Most of the values below are side effects of the Windows networking and browser components the installer loads rather than deliberate configuration: the HKLM\SOFTWARE\Microsoft\Tracing\<name>_RASAPI32 and _RASMANCS keys are created automatically for any process that loads rasapi32.dll and are named after the executable (here the sample's MD5); the ZoneMap, Extensible Cache and SavedLegacySettings values come from WinINet and the embedded browser control used to render the .mht offer pages; the msacm.l3acm DriverCache values come from the audio codec manager. None of the listed locations is an autostart entry (Run key, service or scheduled task), so the report records no persistence.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\1d6a5a848a8a89e6a78e0a3e3d1672bc_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFormatTags" = "2"

[HKLM\SOFTWARE\Microsoft\Tracing\1d6a5a848a8a89e6a78e0a3e3d1672bc_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\1d6a5a848a8a89e6a78e0a3e3d1672bc_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"aFormatTagCache" = "01 00 00 00 10 00 00 00 55 00 00 00 1E 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017063020170701]
"CacheRepair" = "0"
"CachePrefix" = ":2017063020170701:"

[HKLM\SOFTWARE\Microsoft\Tracing\1d6a5a848a8a89e6a78e0a3e3d1672bc_RASMANCS]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\1d6a5a848a8a89e6a78e0a3e3d1672bc_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017063020170701]
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFilterTags" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\1d6a5a848a8a89e6a78e0a3e3d1672bc_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"fdwSupport" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\1d6a5a848a8a89e6a78e0a3e3d1672bc_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017063020170701]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\1d6a5a848a8a89e6a78e0a3e3d1672bc_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\1d6a5a848a8a89e6a78e0a3e3d1672bc_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017063020170701]
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017063020170701"

[HKLM\SOFTWARE\Microsoft\Tracing\1d6a5a848a8a89e6a78e0a3e3d1672bc_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

Proxy settings are disabled (ProxyEnable is set to 0; together with the ProxyServer, ProxyOverride and AutoConfigURL deletions listed further down, this leaves the current user's WinINet configuration as direct access with no PAC file, which is worth checking against the pre-install state on a host that egresses through a proxy):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101320161014]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
fad9d09fc0267e8513b8628e767b2604 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\ButtonEvent.dll
e4c1b74859c17671ffe1c0602fd56b44 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\CustomBrandingURL.dll
1dcfa038b79b3df456a3c584d96b639c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\FloatingProgress.dll
9549658654405da510d1151430adc030 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaBridge.dll
4a4845ba1666907f708c9c10a31ec227 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaSocket\mime\core.dll
4bf7db111acfa7c28ad36606107b3322 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaSocket\socket\core.dll
7292b642bd958aeb7fd7cfd19e45b068 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaXml_lib.dll
7e3c808299aa2c405dffa864471ddb7f c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\System.dll
d02a497be5f89c44827f142c4662f591 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\UACInfo.dll
876f1eb34f5a03a38b3341985012576f c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\customNsWeb.dll
13c3a33c1f6e43f38de533fd0b766c98 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\lua51.dll
ed7f7857933b38e5d10daf828e79af19 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\luacom.dll
5694e7daf20c47c8d5e73d4a838c2ee6 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\un.package.exe
ebc5bb904cdac1c67ada3fa733229966 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\version.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23294 23552 4.47651 ad2ebf079e89cd95e3fda4bd0b869620
.rdata 28672 5272 5632 3.56156 45097a769b809e006a7e5c1f08e7cba2
.data 36864 109756 512 0.972488 4b5dfd97899e385b2193064eb045da6b
.ndata 147456 176128 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 323584 191872 192000 2.9928 a676f65c8a1be28a885ad385efc72e27
.reloc 516096 2680 3072 0 d2a70550489de356a2cd6bfc40711204
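The section table above is the clearest static marker of what this sample is. The .ndata section has a virtual size of 176128 but a raw size of 0 and an entropy of 0, which is how an NSIS installer stub maps its compressed payload: the archive is appended after the PE image rather than stored in a section. The Python below is an added worked example, not part of the Lavasoft report or of any tool it names: it parses a PE section table, computes per-section Shannon entropy (the same metric as the Entropy column) and flags the NSIS layout. Because the sample itself is not available here, the input is a minimal PE image constructed inside the script to echo the table; the section contents and the build_sample_pe() helper are my own.

```python
import math
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty section."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk the section table of a PE image held in memory.

    Returns [(name, virtual_address, virtual_size, raw_size, entropy)], the
    same columns as the report's PE Sections table (minus the MD5)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                         # first section header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            SECTION_FMT, pe, table + 40 * i)[:5]
        data = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         vaddr, vsize, raw_size, shannon_entropy(data)))
    return sections


def looks_like_nsis(sections) -> bool:
    """NSIS stubs carry a '.ndata' section with VirtualSize > 0 but
    SizeOfRawData == 0: the compressed installer payload is not mapped from
    the section table at all, it is appended after the PE image."""
    return any(name == ".ndata" and vsize > 0 and raw == 0
               for name, _, vsize, raw, _ in sections)


def build_sample_pe(spec) -> bytes:
    """Constructed test input: a minimal PE32 with sections [(name, vsize, raw)].
    Only the fields parse_sections() reads are filled in; it is not loadable."""
    num, opt_size, e_lfanew = len(spec), 224, 0x40
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * num
    raw_base = (headers_len + 0x1FF) & ~0x1FF            # 512-byte file alignment
    image = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew) + b"PE\0\0"
    image += struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x0102)
    image += struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic
    blobs, vaddr = b"", 0x1000
    for name, vsize, raw in spec:
        raw_ptr = raw_base + len(blobs) if raw else 0
        image += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), vsize,
                             vaddr, len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        vaddr += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
    return image + b"\0" * (raw_base - len(image)) + blobs


# Constructed sections echoing the table above: high-entropy .text, mostly-zero
# .data, an .ndata that exists only virtually, and a small .rsrc.
SAMPLE_SECTIONS = [
    (".text", 23294, bytes((i * 131 + 7) & 0xFF for i in range(4096))),
    (".data", 109756, b"\0" * 480 + b"A" * 32),
    (".ndata", 176128, b""),
    (".rsrc", 191872, b"\0" * 200 + b"MAINICON" * 8),
]

if __name__ == "__main__":
    secs = parse_sections(build_sample_pe(SAMPLE_SECTIONS))
    for name, vaddr, vsize, raw, ent in secs:
        print(f"{name:<8} {vaddr:>8} {vsize:>8} {raw:>8} {ent:7.4f}")
    print("NSIS installer" if looks_like_nsis(secs) else "not NSIS")
```

Run against a real file with parse_sections(open(path, "rb").read()); the .ndata heuristic identifies the NSIS stub, but it says nothing about what the stub carries, which is why the dropped-file list and the network capture matter more than the packer verdict (PEID reports UPolyX, a generic classification for such stubs).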

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 3414 (the first 25 are listed here)
6d3bbc565043d7929cd81a783602d884
f416a4f21fabf51c5e70a4c644cc3df4
0a0b2553810a029a9e41e6d6aaebfa12
d8cb13a8fc9c3d86f313130b018f9faf
97c04f2da5a335e60a83054f23289e49
e8b54295226a8819f34a512ca4142dfe
71f48b1987326478f593613fc55dac6e
cdc7bce0bcb3ea1de92719ccfc8799ee
491e01c4912298f33643e032588ecda0
35be922fa0a0baa6c5fa48b8552ac159
e4f1b94416d4d74da7e53148c07013bc
72935213af88b678e33a9932e0f4ceff
1a26ed11520bbc3d3e16b6bd0d274a3e
13cc9e697b0e8ac9c44ae130806338f1
3dd7741ccae93a5c5fa51f5a5ed9fd30
5492c65df42134582488cfc3fc6b7c90
512c2f245700b4f8989a26a7361b0622
45e1b061f1742ab3f12614f3dd6816ff
1e405ca66514ce7eaa52d822e5d0eb11
9aa7135423c252e21ffa335acee031b7
03a640774bf98b8240e2721859ce1a66
2de7402ce7b47754c94163508c0366fc
325898ab61b992fba50f112df8624887
86d7f2db9f64af85d3b88873e6c8177f
f060ebb6793369e986668d96b5d9ee3a

URLs

URL IP
hxxp://service.downloadadmin.com/install?s=msn&c=playfin_multigames&variation=TB10365&brand=playfin.com&pid=TR&bc=563779&country=US 50.22.63.138
hxxp://service.downloadadmin.com/env?productKey=&s=msn&c=playfin_multigames&variation=TB10365&brand=playfin.com&pid=TR&bc=563779&country=UA 50.22.63.138
hxxp://a728.g.akamai.net/ipage/Clear_Browser_TEST/Clear_Browser_TEST_TR_628.mht
hxxp://a728.g.akamai.net/products/BM2/combos/dynamic/dyncombo2.mht
hxxp://a728.g.akamai.net/products/BM2/eshield/ipage/eshield_nocheckboxes_490_3.mht
hxxp://a728.g.akamai.net/products/BM2/opera_490.mht
hxxp://a728.g.akamai.net/products/BM2/onesystemcare/ipage/onesystemcare_490.mht
hxxp://a728.g.akamai.net/products/BM2/updateadmin/ipage/Update_Admin_490_1.mht
hxxp://e8296.g.akamaiedge.net/do/getSDMGW?sId=freegame001&gameId=598050&type=NO_TB
hxxp://e8296.g.akamaiedge.net/do/getSDMOffersNSISGW?sId=freegame001&gameId=598050&Otype=NO_TB
hxxp://e8296.g.akamaiedge.net/do/installEXEtenderOffersNSIS/598050/Default/Default/freegame001/SDM/Mahjong-World.exe
hxxp://a728.g.akamai.net/tnt2/eShield/eShieldToolbar.exe
hxxp://eu.net.opera.com/opera/stable?utm_medium=cb&utm_source=tri&edition=TRI&utm_campaign=tri_yahoo
hxxp://vd.onesystemhost.net/331002110/OneSystemCare.exe 104.24.119.133
hxxp://a728.g.akamai.net/products/BM2/findwidetoolbar/ff_lua/tnt_variables.lua
hxxp://a728.g.akamai.net/products/BM2/updateadmin/exe/Updateadmin_Setup13.msi
hxxp://net.geo.opera.com/opera/stable?utm_medium=cb&utm_source=tri&edition=TRI&utm_campaign=tri_yahoo 82.145.215.19
hxxp://mirror.valormall.info/products/BM2/combos/dynamic/dyncombo2.mht 62.140.236.155
hxxp://mirror.astrointercom.info/tnt2/eShield/eShieldToolbar.exe 62.140.236.155
hxxp://mirror.astrointercom.info/products/BM2/findwidetoolbar/ff_lua/tnt_variables.lua 62.140.236.155
hxxp://mirror.valormall.info/ipage/Clear_Browser_TEST/Clear_Browser_TEST_TR_628.mht 62.140.236.155
hxxp://mirror.valormall.info/products/BM2/opera_490.mht 62.140.236.155
hxxp://www.freeridegames.com/do/installEXEtenderOffersNSIS/598050/Default/Default/freegame001/SDM/Mahjong-World.exe 2.23.133.29
hxxp://mirror.valormall.info/products/BM2/eshield/ipage/eshield_nocheckboxes_490_3.mht 62.140.236.155
hxxp://mirror.astrointercom.info/products/BM2/updateadmin/exe/Updateadmin_Setup13.msi 62.140.236.155
hxxp://www.freeridegames.com/do/getSDMGW?sId=freegame001&gameId=598050&type=NO_TB 2.23.133.29
hxxp://mirror.valormall.info/products/BM2/updateadmin/ipage/Update_Admin_490_1.mht 62.140.236.155
hxxp://www.freeridegames.com/do/getSDMOffersNSISGW?sId=freegame001&gameId=598050&Otype=NO_TB 2.23.133.29
hxxp://mirror.valormall.info/products/BM2/onesystemcare/ipage/onesystemcare_490.mht 62.140.236.155


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP (a policy-class rule that fires on any cleartext HTTP response whose body begins with a PE header; here it was triggered by the Mahjong-World.exe download from freeridegames.com shown in the Traffic section, so on its own it does not distinguish this bundler from any other executable download)
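What is specific to this bundler is visible in the captures that follow: the User-Agent string "Tightrope Bundle Manager(...)", which also leaks the client's state (windows=6.1, uac=false, elevated=true, dotnet=4), the x-webinstallurl and x-exename headers on the install beacon to service.downloadadmin.com, and the mirror hosts. The Python below is an added example, not from the report and not a Suricata rule, that runs those checks over request/response pairs reconstructed from the captures and parses the telemetry out of the User-Agent; the benign control entry and the inspect()/scan() function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Indicators taken from the capture above. The report defangs "www" as "VVV".
BUNDLER_HOSTS = {
    "service.downloadadmin.com", "mirror.valormall.info",
    "mirror.astrointercom.info", "vd.onesystemhost.net",
}
UA_PREFIX = "Tightrope Bundle Manager("
UA_FIELD = re.compile(r"(\w+)=([^;)]+)")


@dataclass
class Finding:
    method: str
    host: str
    path: str
    reasons: list = field(default_factory=list)
    ua_fields: dict = field(default_factory=dict)


def parse_headers(message: str):
    """Split an HTTP message head into (start line, {lowercased name: value})."""
    lines = message.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_bundler_ua(ua: str) -> dict:
    """Pull the key=value telemetry that follows the ref=[...] build id."""
    tail = ua.split("];", 1)[1] if "];" in ua else ""
    return dict(UA_FIELD.findall(tail))


def inspect(request: str, response: str = "", body: bytes = b"") -> Optional[Finding]:
    """Return a Finding for one request/response pair, or None if it looks clean."""
    start, req = parse_headers(request)
    method, path, _ = start.split(" ", 2)
    host = req.get("host", "").lower()
    if host.startswith("vvv."):                 # undo the report's defanging
        host = "www." + host[4:]
    finding = Finding(method, host, path)
    ua = req.get("user-agent", "")
    if ua.startswith(UA_PREFIX):
        finding.ua_fields = parse_bundler_ua(ua)
        finding.reasons.append("bundler user-agent")
        if finding.ua_fields.get("elevated") == "true":
            finding.reasons.append("client reports running elevated")
    if host in BUNDLER_HOSTS:
        finding.reasons.append("known bundler host")
    if "x-webinstallurl" in req or "x-exename" in req:
        finding.reasons.append("x-webinstall* install beacon headers")
    if response:
        _, resp = parse_headers(response)
        octet = resp.get("content-type", "").startswith("application/octet-stream")
        if octet or body.startswith(b"MZ"):
            finding.reasons.append("PE download (what the ET POLICY rule fires on)")
    return finding if finding.reasons else None


def scan(traffic) -> list:
    """Run inspect() over (request, response, body) triples and keep the hits."""
    return [f for f in (inspect(*t) for t in traffic) if f]


UA = ("Tightrope Bundle Manager(ref=[dcc234e99b68e5dd95d361552c8596b735549ea6-v2 "
      "refs/heads/master];windows=6.1;uac=false;elevated=true;dotnet=4)")

# Constructed from the exchanges in the Traffic section, plus one benign control.
SAMPLE_TRAFFIC = [
    ("GET /do/installEXEtenderOffersNSIS/598050/Default/Default/freegame001/SDM/Mahjong-World.exe HTTP/1.1\n"
     "host: VVV.freeridegames.com\nte: trailers\nconnection: close, TE\n"
     f"user-agent: {UA}\n",
     "HTTP/1.1 200 OK\nServer: Apache\nContent-Type: application/octet-stream\n"
     "Content-Length: 1175296\n",
     b"MZ\x90\x00\x03\x00\x00\x00"),
    ("HEAD /331002110/OneSystemCare.exe HTTP/1.1\nhost: vd.onesystemhost.net\n"
     f"user-agent: {UA}\n",
     "HTTP/1.1 200 OK\nContent-Type: application/octet-stream\nContent-Length: 4417064\n",
     b""),
    ("GET /index.html HTTP/1.1\nhost: www.example.com\nuser-agent: Mozilla/5.0\n",
     "HTTP/1.1 200 OK\nContent-Type: text/html\n",
     b"<html>"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_TRAFFIC):
        print(hit.method, hit.host, hit.path)
        for reason in hit.reasons:
            print("   -", reason)
        if hit.ua_fields:
            print("   -", hit.ua_fields)
```

The User-Agent check is the durable one: the hosts rotate (the same paths are fetched from a728.g.akamai.net and from the two mirror domains), whereas the "Tightrope Bundle Manager" string with its ref=[git hash] and uac/elevated fields is the bundler's own fingerprint and doubles as triage context (elevated=true tells you the install ran with full rights).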

Traffic

HEAD /tnt2/eShield/eShieldToolbar.exe HTTP/1.1
host: mirror.astrointercom.info
te: trailers
connection: close, TE
user-agent: Tightrope Bundle Manager(ref=[dcc234e99b68e5dd95d361552c8596b735549ea6-v2 refs/heads/master];windows=6.1;uac=false;elevated=true;dotnet=4)


HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=iso-8859-1
Content-Length: 0
Date: Fri, 30 Jun 2017 11:57:14 GMT
Connection: close


GET /products/BM2/combos/dynamic/dyncombo2.mht HTTP/1.1
host: mirror.valormall.info
te: trailers
connection: close, TE
user-agent: Tightrope Bundle Manager(ref=[dcc234e99b68e5dd95d361552c8596b735549ea6-v2 refs/heads/master];windows=6.1;uac=false;elevated=true;dotnet=4)


HTTP/1.1 200 OK
Server: Apache
ETag: "ba78ab3be3ac410ba42856f1b7f0acf8:1461786475"
Last-Modified: Wed, 27 Apr 2016 19:47:55 GMT
Accept-Ranges: bytes
Content-Length: 250501
Content-Type: text/plain
Date: Fri, 30 Jun 2017 11:57:07 GMT
Connection: close
From: <Saved by Windows Internet Explorer 8>..Subject: Search.co
m 490 x 450..Date: Wed, 27 Apr 2016 15:36:16 -0400..MIME-Version: 1.0.
.Content-Type: multipart/related;...type="text/html";...boundary="----
=_NextPart_000_0011_01D1A09A.89C67EF0"..X-MimeOLE: Produced By Microso
ft MimeOLE V6.00.2900.5512..This is a multi-part message in MIME forma
t...------=_NextPart_000_0011_01D1A09A.89C67EF0..Content-Type: text/ht
ml;...charset="utf-8"..Content-Transfer-Encoding: quoted-printable..Co
ntent-Location: file://C:\dyncombo.html..=EF=BB=BF<!DOCTYPE HTML PU
BLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML><HEAD
><TITLE>Search.com 490 x 450</TITLE>..<META content=
3DIE=3D5.0000 http-equiv=3DX-UA-Compatible>..<META content=3D"te
xt/html; charset=3Dutf-8" http-equiv=3DContent-Type>..<SCRIPT ty
pe=3Dtext/javascript =..src=3D"file:///C:/knockout-2.0.0.js"></S
CRIPT>..<SCRIPT type=3Dtext/javascript =..src=3D"file:///C:/Auto
FeatureModel.js"></SCRIPT>..<SCRIPT type=3Dtext/javascript
=20..src=3D"file:///C:/OfferScreenParameters3.js"></SCRIPT>..
<SCRIPT type=3Dtext/javascript src=3D"file:///C:/json2.js"></
SCRIPT>..<STYLE>BODY {...POSITION: relative; PADDING-BOTTOM:
0px; BACKGROUND-COLOR: #e3e3e3; =..MARGIN: 0px; PADDING-LEFT: 0px; WID
TH: 490px; PADDING-RIGHT: 0px; =..FONT-FAMILY: arial, verdana, sans se
rif; HEIGHT: 450px; COLOR: #222; =..PADDING-TOP: 0px..}..TABLE {...BAC
KGROUND-REPEAT: no-repeat..}..H1 {...MARGIN-TOP: 0px; MARGIN-BOTTO

<<< skipped >>>

GET /do/installEXEtenderOffersNSIS/598050/Default/Default/freegame001/SDM/Mahjong-World.exe HTTP/1.1
host: VVV.freeridegames.com
te: trailers
connection: close, TE
user-agent: Tightrope Bundle Manager(ref=[dcc234e99b68e5dd95d361552c8596b735549ea6-v2 refs/heads/master];windows=6.1;uac=false;elevated=true;dotnet=4)


HTTP/1.1 200 OK
Server: Apache
Accept-Ranges: bytes
ETag: W/"1175296-1498823829831"
Last-Modified: Fri, 30 Jun 2017 11:57:09 GMT
Content-Length: 1175296
P3P: CP="IDC CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV"
Content-Type: application/octet-stream
Expires: Fri, 30 Jun 2017 11:57:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 30 Jun 2017 11:57:10 GMT
Connection: close
Set-Cookie: JSESSIONID=F1BCCADE760D3045ED7819FC282A1F63; Path=/; HttpOnly
Set-Cookie: downloadFileStarted-598050=true; Expires=Fri, 30-Jun-2017 11:57:14 GMT; Path=/
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..i
u..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L.....
oS.................^...|.......0.......p....@.........................
.................................................t.......p...N........
......x............................................................p..
.............................text....].......^.................. ..`.r
data.......p.......b..............@..@.data....T...........v..........
....@....ndata...................................rsrc....N...p...P...z
..............@..@....................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
...B..H.P.u..u..u....r@..B...SV.5..B..E.WP.u....r@..e...E..E.P.u....r@
..}..e....Lp@........FR..VV..U... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Tp@..E...E.P.E.P.u....r@..u
....E..9}...w....~X.te.v4..Dp@....E.tU.}.j.W.E......E.......@p@..vXW..
Hp@..u..5<p@.W...E..E.h ...Pj.h..B.W...r@..u.W...u....E.P.u...\r@._
^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G
.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i.

<<< skipped >>>

HEAD /products/BM2/findwidetoolbar/ff_lua/tnt_variables.lua HTTP/1.1
host: mirror.astrointercom.info
te: trailers
connection: close, TE
user-agent: Tightrope Bundle Manager(ref=[dcc234e99b68e5dd95d361552c8596b735549ea6-v2 refs/heads/master];windows=6.1;uac=false;elevated=true;dotnet=4)


HTTP/1.1 200 OK
Server: Apache
ETag: "f480fa995bd188f810c779bbb9d449eb:1429041858"
Last-Modified: Tue, 14 Apr 2015 20:04:18 GMT
Accept-Ranges: bytes
Content-Length: 210
Content-Type: text/plain
Date: Fri, 30 Jun 2017 11:57:15 GMT
Connection: close
X-N: S


GET /products/BM2/eshield/ipage/eshield_nocheckboxes_490_3.mht HTTP/1.1
host: mirror.valormall.info
te: trailers
connection: close, TE
user-agent: Tightrope Bundle Manager(ref=[dcc234e99b68e5dd95d361552c8596b735549ea6-v2 refs/heads/master];windows=6.1;uac=false;elevated=true;dotnet=4)


HTTP/1.1 200 OK
Server: Apache
ETag: "8e16ed2689df1377e73f527f522d4a96:1421779509"
Last-Modified: Tue, 20 Jan 2015 18:45:09 GMT
Accept-Ranges: bytes
Content-Length: 19938
Content-Type: text/plain
Date: Fri, 30 Jun 2017 11:57:07 GMT
Connection: close
From: "Saved by Windows Internet Explorer 8"..Subject: 490 x 450 Icy O
ffer w/EULA..Date: Tue, 20 Jan 2015 13:42:16 -0500..MIME-Version: 1.0.
.Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding
: quoted-printable..Content-Location: hXXp://install.downloadadmin.com
/bm2.5_ALL_OFFERS/advertisers/tnt/findwide_nocheckboxes.php..X-MimeOLE
: Produced By Microsoft MimeOLE V6.1.7601.17514..=EF=BB=BF<!DOCTYPE
HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w
3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<HTML><HE
AD><TITLE>490 x 450 Icy Offer w/EULA</TITLE>..<META
content=3D"text/html; charset=3DUTF-8" =..http-equiv=3DContent-Type>
;<!-- =0A=..=0A=..Edited by: Insert Initials & Date=0A=..Template N
ame: 450_Icy_toolbar_EULA.php=0A=..=0A=..-->..<STYLE>BODY {..
.PADDING-BOTTOM: 0px; BACKGROUND-COLOR: #fff; MARGIN: 0px; PADDING-LEF
T: =..0px; PADDING-RIGHT: 0px; FONT-FAMILY: arial, verdana, sans serif
; COLOR: =..#707271; PADDING-TOP: 0px..}..#content {...POSITION: relat
ive; BACKGROUND-COLOR: #ebeef0; WIDTH: 490px; DISPLAY: =..block; HEIGH
T: 450px; OVERFLOW: hidden..}..#headline {...POSITION: absolute..}..#t
oolbar {...POSITION: absolute..}..#copy {...POSITION: absolute..}..#eu
la {...POSITION: absolute..}..#disclaimer {...POSITION: absolute..}..#
baselineCheckbox {...POSITION: absolute..}..#toolbar {...WIDTH: 450px;
HEIGHT: 26px; TOP: 15px; LEFT: 20px..}..#copy {...WIDTH: 450px; HEIGH
T: 145px; TOP: 260px; LEFT: 20px..}..#eula {...WIDTH: 450px; HEIGH

<<< skipped >>>

GET /install?s=msn&c=playfin_multigames&variation=TB10365&brand=playfin.com&pid=TR&bc=563779&country=US HTTP/1.1
connection: close, TE
x-exename: %original file name%.exe
x-webinstallurl: hXXp://service.downloadadmin.com/install?s=msn&c=playfin_multigames&variation=TB10365&brand=playfin.com&pid=TR&bc=563779&country=US
user-agent: Tightrope Bundle Manager(ref=[dcc234e99b68e5dd95d361552c8596b735549ea6-v2 refs/heads/master];windows=6.1;uac=false;elevated=true;dotnet=4)
x-webinstallcode: complete url:hXXp://service.downloadadmin.com/install?s=msn&c=playfin_multigames&variation=TB10365&brand=playfin.com&pid=TR&bc=563779&country=US
te: trailers
host: service.downloadadmin.com


HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 30 Jun 2017 11:57:02 GMT
Age: 0
Connection: close
X-Cache: MISS
008000..<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.
<Installer>. <Bundle>. <LinkBelowEula>fals
e</LinkBelowEula>. <OptInDefault>false</OptInDef
ault>. <ProductBinary embed="false" msioptions="" options
="">hXXp://VVV.freeridegames.com/do/getSDMGW?sId=freegame001&ga
meId=598050&type=NO_TB</ProductBinary>. <ProductEu
la comboPrimary="false" embed="false">hXXp://mirror.valormall.info/
ipage/Clear_Browser_TEST/Clear_Browser_TEST_TR_628.mht</ProductEula
>. <Primary>true</Primary>. <ProductId
>563725</ProductId>. <ProductName>Mahjong World
(Exent Powered)</ProductName>. <Scramble>false</
Scramble>. </Bundle>. <Bundle>. <Catego
ry>toolbar, search, home</Category>. <If>.
<Or>. <Not>. <E
nv property="custom.invm" op="=" value="true"/>. <
;/Not>. <Env property="custom.partner" op="=" val
ue="test"/>. </Or>. <Or>.
<Env property="custom.region" op="=" value="US"/>.
<Env property="custom.region" op="=" value="us"/>.
</Or>. <Not>. <Or>
. <Env property="custom.browserName" op="=" valu
e="Chrome"/>. <Env property="custom.brows

<<< skipped >>>
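The XML returned by service.downloadadmin.com is the bundle manifest, and the <If> block on the second <Bundle> is the part worth reading: the toolbar/search/home-page offer is only presented when custom.invm is not "true" (unless the partner is "test"), custom.region is US and the browser is not Chrome. That is server-side targeting and sandbox evasion, and it explains why a VM run can end with "No specific payload has been found" while a real US user gets the browser-modifying offer. The Python below is an added example, not the bundler's own Lua code, that evaluates this condition language against a few client profiles. The manifest is reconstructed from the capture above; because the capture breaks off inside the last <Not>, the second browserName value is a placeholder, the profile values are constructed, and treating <If> as a conjunction of its children is an inference from the visible structure.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <Installer> manifest from the service.downloadadmin.com
# response above, minus the XML declaration. The capture is cut off inside the
# last <Not>, so the second browserName value ("Placeholder") and the absence of
# a ProductName for the toolbar bundle are my additions, not from the page.
SAMPLE_INSTALLER_XML = """<Installer>
  <Bundle>
    <ProductBinary embed="false">hxxp://www.freeridegames.com/do/getSDMGW?sId=freegame001&amp;gameId=598050&amp;type=NO_TB</ProductBinary>
    <Primary>true</Primary>
    <ProductId>563725</ProductId>
    <ProductName>Mahjong World (Exent Powered)</ProductName>
  </Bundle>
  <Bundle>
    <Category>toolbar, search, home</Category>
    <If>
      <Or>
        <Not><Env property="custom.invm" op="=" value="true"/></Not>
        <Env property="custom.partner" op="=" value="test"/>
      </Or>
      <Or>
        <Env property="custom.region" op="=" value="US"/>
        <Env property="custom.region" op="=" value="us"/>
      </Or>
      <Not>
        <Or>
          <Env property="custom.browserName" op="=" value="Chrome"/>
          <Env property="custom.browserName" op="=" value="Placeholder"/>
        </Or>
      </Not>
    </If>
  </Bundle>
</Installer>
"""


def eval_cond(node, env: dict) -> bool:
    """Evaluate one node of the manifest's condition language against env.

    Semantics are inferred from the capture: <If> and <Or> hold a list of
    children, <Not> wraps one child, <Env> compares a client property with
    op '=' (the only operator that appears). Treating <If> as a conjunction
    of its children is an assumption."""
    if node.tag == "Env":
        if node.get("op", "=") != "=":
            raise ValueError(f"unsupported op {node.get('op')!r}")
        return env.get(node.get("property")) == node.get("value")
    if node.tag == "If":
        return all(eval_cond(child, env) for child in node)
    if node.tag == "Or":
        return any(eval_cond(child, env) for child in node)
    if node.tag == "Not":
        return not eval_cond(node[0], env)
    raise ValueError(f"unknown condition element <{node.tag}>")


def offers_for(xml_text: str, env: dict) -> list:
    """Names (ProductName, else Category) of the bundles the client would be shown."""
    root = ET.fromstring(xml_text)
    shown = []
    for bundle in root.findall("Bundle"):
        cond = bundle.find("If")
        if cond is None or eval_cond(cond, env):
            shown.append(bundle.findtext("ProductName") or bundle.findtext("Category"))
    return shown


# Client profiles to try. Property names come from the manifest; the values are
# constructed (a sandbox VM, a home user on IE, the same user on Chrome, and a
# non-US user matching the country=UA seen in the /env request).
PROFILES = {
    "sandbox VM, US, IE":     {"custom.invm": "true",  "custom.region": "US", "custom.browserName": "MSIE"},
    "real host, US, IE":      {"custom.invm": "false", "custom.region": "US", "custom.browserName": "MSIE"},
    "real host, US, Chrome":  {"custom.invm": "false", "custom.region": "US", "custom.browserName": "Chrome"},
    "real host, UA, IE":      {"custom.invm": "false", "custom.region": "UA", "custom.browserName": "MSIE"},
}

if __name__ == "__main__":
    for label, env in PROFILES.items():
        print(f"{label:<24} -> {offers_for(SAMPLE_INSTALLER_XML, env)}")
```

When analysing a bundler of this kind, the /env request (the second URL in the list, sent with country=UA) is where the client reports these properties, so replaying the manifest fetch with custom.invm set to false and a US region, or patching what the Lua side reports, is the way to see the offers a sandbox is deliberately not shown.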

HEAD /331002110/OneSystemCare.exe HTTP/1.1
host: vd.onesystemhost.net
te: trailers
connection: close, TE
user-agent: Tightrope Bundle Manager(ref=[dcc234e99b68e5dd95d361552c8596b735549ea6-v2 refs/heads/master];windows=6.1;uac=false;elevated=true;dotnet=4)


HTTP/1.1 200 OK
Date: Fri, 30 Jun 2017 11:57:15 GMT
Content-Type: application/octet-stream
Content-Length: 4417064
Connection: close
Set-Cookie: __cfduid=dd337184ec436c636b86c60f093fe754c1498823834; expires=Sat, 30-Jun-18 11:57:14 GMT; path=/; domain=.onesystemhost.net; HttpOnly
Last-Modified: Fri, 30 Jun 2017 10:26:41 GMT
ETag: "59562761-436628"
Content-Disposition: attachment; filename=OneSystemCare.exe
Server: cloudflare-nginx
CF-RAY: 3770f26844bc8213-KBP


GET /ipage/Clear_Browser_TEST/Clear_Browser_TEST_TR_628.mht HTTP/1.1
host: mirror.valormall.info
te: trailers
connection: close, TE
user-agent: Tightrope Bundle Manager(ref=[dcc234e99b68e5dd95d361552c8596b735549ea6-v2 refs/heads/master];windows=6.1;uac=false;elevated=true;dotnet=4)


HTTP/1.1 200 OK
Server: Apache
ETag: "572d026394f7d7c2040ade96770a0336:1438812953"
Last-Modified: Wed, 05 Aug 2015 22:15:53 GMT
Accept-Ranges: bytes
Content-Length: 5963
Content-Type: text/plain
Date: Fri, 30 Jun 2017 11:57:07 GMT
Connection: close
Content-Type: multipart/related;...boundary="------------0803010102010
30000030600_.REL"..MIME-Version: 1.0..Date: Wed, 05 Aug 2015 17:15:52
-0500..--------------080301010201030000030600_.REL..Content-Type: text
/html; charset=utf-8..Content-Transfer-Encoding: quoted-printable..Con
tent-Location: hXXp://install.downloadadmin.com/BM_OFFERS_628/Products
/Revo/jn_primary.php?name=Clear Browser&filename=Clear.exe&size=4.79
MB&version=1.0&license=FREE&group=TR&link=hXXp://VVV.cuda-soft.com/fre
e_cuda_video_converter.exe&learnmore=hXXp://VVV.wave-max.com/..<!DO
CTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://www
.=..w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">=0A<head>=0
A<title>Download M=..anager Offer Screen</title>=0A<met
a http-equiv=3D"Content-Type" content=3D"=..text/html; charset=3Dutf-8
">=0A=0A<STYLE TYPE=3D"text/css">=0A<!--=0A.conta=..iner{w
idth:628px; height:282px; padding:16px 0 0 0;}=0Ah1 {color: #000000;f=
..ont-family: "Helvetica Neue","Helvetica","Arial",sans-serif;font-siz
e: 17px=..;letter-spacing: -0.6px;line-height: 17px;margin: 0 22px 5px
;padding: 0;}=..=0A#copy h1, #specs h1{color:#888;}=0Ap {color: #39434
d;font-family: "Helve=..tica Neue","Helvetica","Arial",sans-serif;font
-size: 12px;font-weight: norm=..al;line-height: 14px;margin: 0 22px 16
px 22px ;}=0A.divider{border-top: 1px=.. dotted #d9d9d9;margin:5px 22p
x;}=0Aa {text-decoration: underline; color: #=..428bca; }=0Abody {widt
h: 628px;background-color:#fff;} =0Ap img{float:left;=.. margin:0

<<< skipped >>>

GET /do/getSDMOffersNSISGW?sId=freegame001&gameId=598050&Otype=NO_TB HTTP/1.1
host: VVV.freeridegames.com
te: trailers
connection: close, TE
user-agent: Tightrope Bundle Manager(ref=[dcc234e99b68e5dd95d361552c8596b735549ea6-v2 refs/heads/master];windows=6.1;uac=false;elevated=true;dotnet=4)


HTTP/1.1 301 Moved Permanently
Server: Apache
P3P: CP="IDC CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV"
Location: hXXp://VVV.freeridegames.com/do/installEXEtenderOffersNSIS/598050/Default/Default/freegame001/SDM/Mahjong-World.exe
Content-Length: 0
Content-Type: text/html
Expires: Fri, 30 Jun 2017 11:57:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 30 Jun 2017 11:57:09 GMT
Connection: close
Set-Cookie: JSESSIONID=180606FE3C4AD9AD058A874C10CF2A71; Path=/; HttpOnly
Set-Cookie: 143_userName=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: 143_password=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: 143_TURNKEY=Default-651498823829317277; Expires=Sat, 30-Jun-2018 11:57:09 GMT; Path=/
Set-Cookie: 143_CAMPAIGN_SERIAL_ID=Default-freegame001; Expires=Thu, 28-Sep-2017 11:57:09 GMT; Path=/
Set-Cookie: 143_FIRST_BROWSER="Default-MSIE 7.0"; Version=1; Max-Age=7776000; Expires=Thu, 28-Sep-2017 11:57:09 GMT; Path=/
Set-Cookie: 143_CT=1; Expires=Fri, 07-Jul-2017 11:57:09 GMT; Path=/


HEAD /opera/stable?utm_medium=cb&utm_source=tri&edition=TRI&utm_campaign=tri_yahoo HTTP/1.1
host: net.geo.opera.com
te: trailers
connection: close, TE
user-agent: Tightrope Bundle Manager(ref=[dcc234e99b68e5dd95d361552c8596b735549ea6-v2 refs/heads/master];windows=6.1;uac=false;elevated=true;dotnet=4)


HTTP/1.1 200 OK
Server: nginx/1.11.10
Content-Type: application/octet-stream
Content-Length: 1156592
Connection: keep-alive
Content-Disposition: attachment; filename=OperaSetup.exe
Date: Fri, 30 Jun 2017 11:57:14 GMT


GET /products/BM2/opera_490.mht HTTP/1.1
host: mirror.valormall.info
te: trailers
connection: close, TE
user-agent: Tightrope Bundle Manager(ref=[dcc234e99b68e5dd95d361552c8596b735549ea6-v2 refs/heads/master];windows=6.1;uac=false;elevated=true;dotnet=4)


HTTP/1.1 200 OK
Server: Apache
ETag: "8faba3fd56da7f95089f9efb37fc8619:1421954841"
Last-Modified: Thu, 22 Jan 2015 19:27:21 GMT
Accept-Ranges: bytes
Content-Length: 17967
Content-Type: text/plain
Date: Fri, 30 Jun 2017 11:57:08 GMT
Connection: close
From: "Saved by Windows Internet Explorer 8"..Subject: 490 x 450 Icy O
ffer w/EULA..Date: Thu, 22 Jan 2015 14:28:00 -0500..MIME-Version: 1.0.
.Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding
: quoted-printable..Content-Location: hXXp://install.downloadadmin.com
/bm2.5_ALL_OFFERS/advertisers/opera/uniform_eula.php..X-MimeOLE: Produ
ced By Microsoft MimeOLE V6.1.7601.17514..=EF=BB=BF<!DOCTYPE HTML P
UBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c.org/
TR/1999/REC-html401-19991224/loose.dtd">..<HTML><HEAD>&
lt;TITLE>490 x 450 Icy Offer w/EULA</TITLE>..<META content
=3D"text/html; charset=3DUTF-8" =..http-equiv=3DContent-Type><!-
- =0A=..=0A=..Edited by: Insert Initials & Date=0A=..Template Name: 45
0_Icy_toolbar_EULA.php=0A=..=0A=..-->..<STYLE>BODY {...PADDIN
G-BOTTOM: 0px; BACKGROUND-COLOR: #fff; MARGIN: 0px; PADDING-LEFT: =..0
px; PADDING-RIGHT: 0px; FONT-FAMILY: arial, verdana, sans serif; COLOR
: =..#707271; PADDING-TOP: 0px..}..#content {...POSITION: relative; BA
CKGROUND-COLOR: #ebeef0; WIDTH: 490px; DISPLAY: =..block; HEIGHT: 450p
x; OVERFLOW: hidden..}..#headline {...POSITION: absolute..}..#toolbar
{...POSITION: absolute..}..#copy {...POSITION: absolute..}..#eula {...
POSITION: absolute..}..#disclaimer {...POSITION: absolute..}..#baselin
eCheckbox {...POSITION: absolute..}..#toolbar {...WIDTH: 450px; HEIGHT
: 26px; TOP: 15px; LEFT: 20px..}..#copy {...WIDTH: 450px; HEIGHT: 145p
x; TOP: 230px; LEFT: 20px..}..#eula {...WIDTH: 450px; HEIGHT: 200p

<<< skipped >>>

GET /products/BM2/updateadmin/ipage/Update_Admin_490_1.mht HTTP/1.1
host: mirror.valormall.info
te: trailers
connection: close, TE
user-agent: Tightrope Bundle Manager(ref=[dcc234e99b68e5dd95d361552c8596b735549ea6-v2 refs/heads/master];windows=6.1;uac=false;elevated=true;dotnet=4)


HTTP/1.1 200 OK
Server: Apache
ETag: "51943c10df43f524c8a34441c5bd6023:1418079573"
Last-Modified: Mon, 08 Dec 2014 22:59:33 GMT
Accept-Ranges: bytes
Content-Length: 24576
Content-Type: text/plain
Date: Fri, 30 Jun 2017 11:57:08 GMT
Connection: close
From: "Saved by Windows Internet Explorer 8"..Subject: 490 x 450 Icy O
ffer w/EULA..Date: Thu, 4 Sep 2014 13:57:27 -0400..MIME-Version: 1.0..
Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding:
quoted-printable..Content-Location: hXXp://install.downloadadmin.com/
bm2.5_ALL_OFFERS/advertisers/UpdateAdmin/uniform_eula.php..X-MimeOLE:
Produced By Microsoft MimeOLE V6.1.7601.17514..=EF=BB=BF<!DOCTYPE H
TML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.w3c
.org/TR/1999/REC-html401-19991224/loose.dtd">..<HTML><HEAD
><TITLE>490 x 450 Icy Offer w/EULA</TITLE>..<META co
ntent=3D"text/html; charset=3DUTF-8" =..http-equiv=3DContent-Type>&
lt;!-- =0A=..=0A=..Edited by: Insert Initials & Date=0A=..Template Nam
e: 450_Icy_toolbar_EULA.php=0A=..=0A=..-->..<STYLE>BODY {...P
ADDING-BOTTOM: 0px; BACKGROUND-COLOR: #fff; MARGIN: 0px; PADDING-LEFT:
=..0px; PADDING-RIGHT: 0px; FONT-FAMILY: arial, verdana, sans serif;
COLOR: =..#707271; PADDING-TOP: 0px..}..#content {...POSITION: relativ
e; BACKGROUND-COLOR: #ebeef0; WIDTH: 490px; DISPLAY: =..block; HEIGHT:
450px; OVERFLOW: hidden..}..#headline {...POSITION: absolute..}..#too
lbar {...POSITION: absolute..}..#copy {...POSITION: absolute..}..#eula
{...POSITION: absolute..}..#disclaimer {...POSITION: absolute..}..#ba
selineCheckbox {...POSITION: absolute..}..#toolbar {...WIDTH: 450px; H
EIGHT: 26px; TOP: 15px; LEFT: 20px..}..#copy {...WIDTH: 450px; HEIGHT:
145px; TOP: 230px; LEFT: 20px..}..#eula {...WIDTH: 450px; HEIGHT:

<<< skipped >>>

GET /env?productKey=&s=msn&c=playfin_multigames&variation=TB10365&brand=playfin.com&pid=TR&bc=563779&country=UA HTTP/1.1
connection: close, TE
x-exename: %original file name%.exe
x-webinstallurl: hXXp://service.downloadadmin.com/install?s=msn&c=playfin_multigames&variation=TB10365&brand=playfin.com&pid=TR&bc=563779&country=US
user-agent: Tightrope Bundle Manager(ref=[dcc234e99b68e5dd95d361552c8596b735549ea6-v2 refs/heads/master];windows=6.1;uac=false;elevated=true;dotnet=4)
x-webinstallcode: complete url:hXXp://service.downloadadmin.com/install?s=msn&c=playfin_multigames&variation=TB10365&brand=playfin.com&pid=TR&bc=563779&country=US
te: trailers
host: service.downloadadmin.com


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 30 Jun 2017 11:57:04 GMT
Age: 0
Connection: close
X-Cache: MISS
00746..<?xml version="1.0" encoding="UTF-8" standalone="yes"?>&l
t;Installer><Environment><Entry name="over-threshold:Syste
mHealer (US)">true</Entry><Entry name="over-threshold:NowU
SeeIt (US)">true</Entry><Entry name="over-threshold:GeekBu
ddy (US)">true</Entry><Entry name="over-threshold:Pro PC C
leaner (US)">true</Entry><Entry name="over-threshold:PC Cl
ean Plus (US)">true</Entry><Entry name="over-threshold:PC
Health Aid (US)">true</Entry><Entry name="over-threshold:P
CBackup360 (US)">true</Entry><Entry name="over-threshold:P
C Health Aid (US)">true</Entry><Entry name="over-threshold
:SystemHealer (US)">true</Entry><Entry name="over-threshol
d:NowUSeeIt (US)">true</Entry><Entry name="over-threshold:
Pro PC Cleaner (US)">true</Entry><Entry name="over-thresho
ld:GeekBuddy (US)">true</Entry><Entry name="over-threshold
:SystemHealer (GB)">true</Entry><Entry name="over-threshol
d:Super Optimizer (GB)">true</Entry><Entry name="over-thre
shold:SystemHealer (CA)">true</Entry><Entry name="over-thr
eshold:PlayThru Player (CA)">true</Entry><Entry name="over
-threshold:Super Optimizer (CA)">true</Entry><Entry name="
over-threshold:SystemHealer (FR)">true</Entry><Entry name=
"over-threshold:PlayThru Player (FR)">true</Entry><Entry n
ame="over-threshold:Findwide Toolbar (Icon Drop) [TNTTB] (AU)">

<<< skipped >>>

GET /products/BM2/onesystemcare/ipage/onesystemcare_490.mht HTTP/1.1
host: mirror.valormall.info
te: trailers
connection: close, TE
user-agent: Tightrope Bundle Manager(ref=[dcc234e99b68e5dd95d361552c8596b735549ea6-v2 refs/heads/master];windows=6.1;uac=false;elevated=true;dotnet=4)


HTTP/1.1 200 OK
Server: Apache
ETag: "fbf24e88e7a942bf9651dda851b4739b:1431544513"
Last-Modified: Wed, 13 May 2015 19:15:13 GMT
Accept-Ranges: bytes
Content-Length: 15917
Content-Type: text/plain
Date: Fri, 30 Jun 2017 11:57:08 GMT
Connection: close
From: "Saved by Windows Internet Explorer 8"..Subject: 490 x 450 Icy O
ffer w/EULA..Date: Wed, 13 May 2015 15:15:06 -0400..MIME-Version: 1.0.
.Content-Type: text/html;...charset="utf-8"..Content-Transfer-Encoding
: quoted-printable..Content-Location: hXXp://install.downloadadmin.com
/bm2.5_ALL_OFFERS/advertisers/onesystemcare/uniform_eula.php..X-MimeOL
E: Produced By Microsoft MimeOLE V6.1.7601.17514..=EF=BB=BF<!DOCTYP
E HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" =.."hXXp://VVV.
w3c.org/TR/1999/REC-html401-19991224/loose.dtd">..<HTML><H
EAD><TITLE>490 x 450 Icy Offer w/EULA</TITLE>..<META
content=3D"text/html; charset=3DUTF-8" =..http-equiv=3DContent-Type&g
t;<!-- =0A=..=0A=..Edited by: Insert Initials & Date=0A=..Template
Name: 450_Icy_toolbar_EULA.php=0A=..=0A=..-->..<STYLE>BODY {.
..PADDING-BOTTOM: 0px; BACKGROUND-COLOR: #fff; MARGIN: 0px; PADDING-LE
FT: =..0px; PADDING-RIGHT: 0px; FONT-FAMILY: arial, verdana, sans seri
f; COLOR: =..#707271; PADDING-TOP: 0px..}..#content {...POSITION: rela
tive; BACKGROUND-COLOR: #ebeef0; WIDTH: 490px; DISPLAY: =..block; HEIG
HT: 450px; OVERFLOW: hidden..}..#headline {...POSITION: absolute..}..#
toolbar {...POSITION: absolute..}..#copy {...POSITION: absolute..}..#e
ula {...POSITION: absolute..}..#disclaimer {...POSITION: absolute..}..
#baselineCheckbox {...POSITION: absolute..}..#toolbar {...WIDTH: 450px
; HEIGHT: 26px; TOP: 15px; LEFT: 20px..}..#copy {...WIDTH: 450px; HEIG
HT: 145px; TOP: 230px; LEFT: 20px..}..#eula {...WIDTH: 450px; HEIG

<<< skipped >>>

HEAD /do/getSDMGW?sId=freegame001&gameId=598050&type=NO_TB HTTP/1.1
host: VVV.freeridegames.com
te: trailers
connection: close, TE
user-agent: Tightrope Bundle Manager(ref=[dcc234e99b68e5dd95d361552c8596b735549ea6-v2 refs/heads/master];windows=6.1;uac=false;elevated=true;dotnet=4)


HTTP/1.1 301 Moved Permanently
Server: Apache
Location: hXXp://VVV.freeridegames.com/do/getSDMOffersNSISGW?sId=freegame001&gameId=598050&Otype=NO_TB
Content-Type: text/html; charset=iso-8859-1
Expires: Fri, 30 Jun 2017 11:57:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 30 Jun 2017 11:57:09 GMT
Connection: close


HEAD /products/BM2/updateadmin/exe/Updateadmin_Setup13.msi HTTP/1.1
host: mirror.astrointercom.info
te: trailers
connection: close, TE
user-agent: Tightrope Bundle Manager(ref=[dcc234e99b68e5dd95d361552c8596b735549ea6-v2 refs/heads/master];windows=6.1;uac=false;elevated=true;dotnet=4)


HTTP/1.1 200 OK
Server: Apache
ETag: "2f2153b7248d0d4d76ae7367393b99d2:1489232500"
Last-Modified: Sat, 11 Mar 2017 11:41:40 GMT
Accept-Ranges: bytes
Content-Length: 372736
Content-Type: text/plain
Date: Fri, 30 Jun 2017 11:57:15 GMT
Connection: close


The Trojan connects to the servers at the following location(s):

%original file name%.exe_2748:

.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
uDSSh
hu2.iu
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
%s=%s
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegDeleteKeyA
RegCloseKey
RegEnumKeyA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
ers\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaBridge.dll
offce_1.lua
\Local\Temp\nsh2EBF.tmp\IntegratedOffer-Truste-Steps.html.pack" "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\IntegratedOffer-Truste-Steps.html" "B"
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaBridge.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp
s\UrlAssociations\http\UserChoice
e-Steps.html.pack
shell32.dll
NotifyIcon.dll
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
.reloc
nsh2EBF.tmp
-exec
n-Pagination/production/setup.exe.nsi:Line 1159.2
.nsi:Line 1694.2
BINARIES/DownloadAdmin-Pagination/production/setup.exe.nsi:Line 2793.2
.html" "B"
rope Bundle Manager(ref=[dcc234e99b68e5dd95d361552c8596b735549ea6-v2 refs/heads/master];windows=6.1;uac=false;elevated=true;dotnet=4)
38669528
c:\%original file name%.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\85
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBD.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin
IE.HTTP
mahjong_world_playfin__exent,bc=563779,pid=tr,brand=playfincom,s=msn,c=playfin_multigames,country=ua,variation=tb10365
Downloading Mahjong World (Exent Powered)
hXXp://mirror.astrointercom.info/products/BM2/comscore/lua/comscore_newsurvey.lua
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\85\comscore_newsurvey.lua
comscore_newsurvey.lua
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\85\
5334543
8664755
8760876
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System vtightrope</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
com.build.date
1/31/2013
com.build.dir
C:\BM\2.5\WebTemplates
com.build.id
com.build.machine
com.build.time
com.build.user
$%USER%

%original file name%.exe_2748_rwx_10004000_00001000:

callback%d


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    un.package.exe:3524

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\close.gif (510 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\offers.css (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\DALogo2.gif (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\decline_offer_btn.gif (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaSocket\lua\socket\smtp.lua (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\acceptBlue.gif (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\mod.css (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\version.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaSocket\lua\socket\ftp.lua (9 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\9\dyncombo2.mht (33004 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\truste.gif (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\133\opera_490.mht (1444 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\DownloadList.lua (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\progress.css (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\bg4.gif (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\wbk7294.tmp (50 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaXml_lib.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\bg.gif (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\ok.gif (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\UiState.lua (310 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\ButtonEvent.dll (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\Events.lua (912 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\NotifyIcon.lua (302 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaXml.lua (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\BundleInstall.lua (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\DALogo.jpg (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\winclose_button.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\res\common.js (1856 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\res\common.css (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\Env.lua (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\next.gif (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaSocket\mime\core.dll (1909 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\System.dll (22 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\135\Update_Admin_490_1.mht (1924 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\back.gif (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\skip_all_offers_btn.gif (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaSocket\lua\ltn12.lua (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\Downloads.lua (9 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaSocket\lua\socket\tp.lua (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\cancel_button.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaBridge.dll (1592 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\UACInfo.dll (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\decline.gif (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaSocket\lua\socket\url.lua (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaSocket\lua\mime.lua (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\lua51.dll (6527 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\1\Clear_Browser_TEST_TR_628.mht (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBE.tmp (32637 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\extension.tlb (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\CallbackProxy.lua (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaSocket\lua\socket.lua (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\79\eshield_nocheckboxes_490_3.mht (1444 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\cancel.gif (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\bg2.gif (13 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\IntegratedOffer.lua (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\back_button.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\headerBG.gif (366 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\res\jquery.js (6360 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\stepBG.gif (946 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\un.package.exe (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\IntegratedOffer-Truste-Steps.html.pack (1856 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\definitions.lua (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaSocket\socket\core.dll (2473 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\DownloadThread.lua (581 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\luacom.dll (10136 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\GuiInit.lua (4992 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\BrowserControl.lua (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\utils.lua (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\step_off.gif (138 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\customNsWeb.dll (812 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\wbk72B5.tmp (740 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\acceptGreen.gif (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\ProcessFreeFile.lua (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\FloatingProgress.dll (812 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\accept.gif (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\__localxml.xml (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017063020170701\index.dat (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\json.lua (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\uninstall.gif (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\winmin_button.png (792 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\cancel.css (578 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\AdvancedTests.lua (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\LuaSocket\lua\socket\http.lua (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\CustomBrandingURL.dll (13 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\Sandbox.lua (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\skin\step_on.gif (142 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\134\onesystemcare_490.mht (676 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2EBF.tmp\__web.xml (8000 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
