Adware.Win32.Downware_6f87864d1e

by malwarelabrobot on August 10th, 2016 in Malware Descriptions.

not-a-virus:Downloader.Win32.Lickone.gdnq (Kaspersky), Iminent (fs) (VIPRE), Adware.Downware.509 (DrWeb), Adware-SweetIM (McAfee), SAPE.Iminent.3 (Symantec), NSIS:Oneclick-Z [PUP] (Avast), Adware.Win32.Downware.FD, Trojan.NSIS.StartPage.FD, AdwareDownware.YR (Lavasoft MAS)
Behaviour: Trojan, PUP, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 6f87864d1ed2ff6dde2e95609180cbaf
SHA1: 915c266e4f15952b8d6ceab1aa0ffcd9c9e73adb
SHA256: d8a3ddfd910e19d9dd32d4ec1207e17df63d0d8a02b007caf0c2f0928f43b21c
SSDeep: 6144:Asi1Y0tlq Cc71GsV6WXOfbqhBsqeXna3n:K1/n5r71G06WXOW/spnE
Size: 261392 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:46
Analyzed on: WindowsXP SP3 32-bit


Summary:

Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.

Payload

No specific payload has been found.

Process activity

The Adware creates the following process(es):
No processes have been created.
The following process was observed (the sample's own installer process; no injection into other processes was recorded):

%original file name%.exe:1564

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1564 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\skip.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\accept3.bmp (784 bytes)
%Program Files%\1ClickDownload\ocmainpack.exe (598 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\accept2.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\accept.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\inetc3.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\decline.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\save.bmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp (13544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\accept1.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\1clogo.bmp (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\MainPackFA2703[1].htm (598 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\anon.bmp (2 bytes)

The Adware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsa1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\gC0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp (0 bytes)

Registry activity

The process %original file name%.exe:1564 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry. Most of the entries below (MountPoints2, Shell Folders, Internet Settings\Cache\Paths, Cryptography\RNG\Seed) are Windows and WinINet housekeeping written as a side effect of the installer using the IE cache and proxy APIs; the sample-specific artifacts are the values under HKCU\Software\1ClickDownload:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\1ClickDownload]
"LastInstall0" = "30536221"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\1ClickDownload]
"UID" = "282948265"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 B3 AC 4A 9A 3F A6 86 24 AA 0B 32 E4 2A 21 A2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Adware sets the IE security-zone mapping flags. All three correspond to the Local intranet zone options that IE enables by default and are routinely written when WinINet is first initialized on a clean system, so on their own they are weak indicators:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1" (UNC paths are treated as Local intranet zone)
"ProxyBypass" = "1" (sites that bypass the proxy are treated as Local intranet zone)
"IntranetName" = "1" (dotless host names not assigned to another zone are treated as Local intranet zone)

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Adware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
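The registry listing above mixes two sample-specific values with a much larger amount of operating-system noise, and the ZoneMap flags are only meaningful once decoded. The following Python is an added triage example written for this page (it is not Lavasoft's code and not part of the sample): it takes the writes listed in this report as constructed (key, value, data) triples, separates sample artifacts from WinINet/Explorer housekeeping using an allowlist of known-noisy key paths, and renders the IE zone flags in plain language. The noise patterns are an assumption based on what these keys are used for, not something the report states.

```python
import re

# Constructed excerpt of the registry writes listed above, as
# (key, value name, data) triples; data is the string form shown in the report.
REGISTRY_WRITES = [
    (r"HKCU\Software\1ClickDownload", "LastInstall0", "30536221"),
    (r"HKCU\Software\1ClickDownload", "UID", "282948265"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "UNCAsIntranet", "1"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "ProxyBypass", "1"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "IntranetName", "1"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings", "ProxyEnable", "0"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings", "MigrateProxy", "1"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}", "BaseClass", "Drive"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "AppData", r"%Documents and Settings%\%current user%\Application Data"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4", "CacheLimit", "65452"),
    (r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG", "Seed", "96 B3 AC 4A 9A 3F A6 86 24 AA 0B 32 E4 2A 21 A2"),
]

# Key paths that Windows / WinINet / Explorer write on their own as a side
# effect of ordinary API use in a fresh sandbox (assumed noise list).
NOISE_PATTERNS = [
    r"\\Explorer\\MountPoints2\\",          # drive mount bookkeeping
    r"\\Explorer\\Shell Folders$",          # SHGetFolderPath cache
    r"\\Internet Settings\\Cache\\Paths",   # IE cache container setup
    r"\\Cryptography\\RNG$",                # CryptGenRandom reseed
    r"\\Internet Settings\\Connections$",   # SavedLegacySettings blob
]
NOISE_RE = re.compile("|".join(NOISE_PATTERNS), re.IGNORECASE)

# IE ZoneMap flags: value name -> meaning when set to "1".
ZONEMAP_FLAGS = {
    "UNCAsIntranet": "UNC paths (\\\\server\\share) are placed in the Local intranet zone",
    "ProxyBypass": "sites that bypass the proxy are placed in the Local intranet zone",
    "IntranetName": "dotless host names not in another zone are placed in the Local intranet zone",
}


def is_zonemap(key):
    return key.lower().endswith(r"\internet settings\zonemap")


def triage_registry(writes):
    """Split registry writes into sample-specific artifacts, IE zone/proxy
    changes (decoded to prose), and OS housekeeping noise."""
    out = {"artifacts": [], "ie_settings": [], "noise": []}
    for key, name, data in writes:
        if NOISE_RE.search(key):
            out["noise"].append((key, name, data))
        elif is_zonemap(key) and name in ZONEMAP_FLAGS:
            meaning = ZONEMAP_FLAGS[name] if data == "1" else "flag cleared"
            out["ie_settings"].append((name, data, meaning))
        elif key.lower().endswith(r"\internet settings") and name in ("ProxyEnable", "MigrateProxy"):
            out["ie_settings"].append((name, data, "proxy setting"))
        else:
            out["artifacts"].append((key, name, data))
    return out


def persistence_keys(result):
    """Distinct non-Microsoft keys the sample wrote: the ones worth turning
    into host-based indicators."""
    return sorted({k for k, _, _ in result["artifacts"] if "\\microsoft\\" not in k.lower()})


if __name__ == "__main__":
    r = triage_registry(REGISTRY_WRITES)
    print("artifacts:", r["artifacts"])
    print("IE settings:", r["ie_settings"])
    print("indicator keys:", persistence_keys(r))
```

Run against the report's entries this leaves exactly one key worth alerting on, HKCU\Software\1ClickDownload, and turns the three ZoneMap writes into a readable statement of what they change rather than a list of ones.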

Dropped PE files

MD5 File path
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsk3.tmp\System.dll
9d8ce05f532dc7b5742831ec8a63c2d8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsk3.tmp\inetc3.dll
c10e04dd4ad4277d5adc951bb331c777 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsk3.tmp\nsDialogs.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23130 23552 4.44841 0bc2ffd32265a08d72b795b18265828d
.rdata 28672 4496 4608 3.59163 f179218a059068529bdb4637ef5fa28e
.data 36864 110488 1024 3.26405 975304d6dd6c4a4f076b15511e2bbbc0
.ndata 147456 372736 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 520192 16592 16896 4.13874 8091b1378d82973015f802c93eb88bab
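The section table explains the "Entropy: Packed" verdict above better than the PEiD match does: every code and data section has low entropy (3.3 to 4.4 bits per byte), the `.ndata` section has no raw data at all (it is the NSIS exehead's uninitialized scratch area), and the manifest in the strings dump names "Nullsoft.NSIS.exehead" directly. The installer payload therefore sits in an overlay after the last section, not in a packed code section, and the "UPolyX v0.5" PEiD signature is one that commonly fires on the NSIS stub itself. The Python below is an added example for this page (not Lavasoft's tooling): it takes the table as constructed input, estimates the overlay size from the raw sizes and the reported file size, and flags the NSIS pattern. The header size of 0x400 is an assumption (the usual PE header size with 512-byte file alignment); the report does not state it.

```python
import math
from collections import Counter

# Section table as reported above:
# (name, virtual address, virtual size, raw size, entropy)
SECTIONS = [
    (".text",  4096,   23130,  23552, 4.44841),
    (".rdata", 28672,  4496,   4608,  3.59163),
    (".data",  36864,  110488, 1024,  3.26405),
    (".ndata", 147456, 372736, 0,     0.0),
    (".rsrc",  520192, 16592,  16896, 4.13874),
]
FILE_SIZE = 261392   # "Size" field of the report
# Assumption: raw data of the first section starts at 0x400 (PE headers with
# 512-byte file alignment). Not stated on the page.
HEADER_SIZE = 0x400


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0..8), the same scale used in the table."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def overlay_size(sections, file_size, header_size=HEADER_SIZE):
    """Bytes after the last section's raw data. For NSIS installers this is
    the compressed archive that the stub unpacks at run time."""
    end_of_sections = header_size + sum(raw for _, _, _, raw, _ in sections)
    return max(0, file_size - end_of_sections)


def triage_sections(sections, file_size):
    """Flag the classic NSIS layout and any genuinely packed sections."""
    findings = []
    names = [s[0] for s in sections]
    for name, va, vsize, raw, ent in sections:
        if raw == 0 and vsize > 0:
            findings.append(f"{name}: no raw data but {vsize} bytes virtual "
                            f"(BSS-style; .ndata is the NSIS exehead scratch section)")
        if ent >= 7.0:
            findings.append(f"{name}: entropy {ent:.2f} suggests packed or encrypted content")
    ovl = overlay_size(sections, file_size)
    ratio = ovl / file_size
    if ratio > 0.5:
        findings.append(f"overlay is {ovl} bytes ({ratio:.0%} of the file): "
                        f"the payload lives outside the section table")
    return {
        "is_nsis": ".ndata" in names and ovl > 0,
        "overlay": ovl,
        "max_section_entropy": max(s[4] for s in sections),
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage_sections(SECTIONS, FILE_SIZE)["findings"]:
        print(line)
```

With the numbers from this report the estimate is an overlay of 214288 bytes, about 82% of the file, which is where the bundled installer data (and the URLs seen in the strings dump) come from; no section reaches the entropy level that would indicate an executable packer. When the sample itself is available, `shannon_entropy()` run over the overlay bytes confirms the compressed-archive reading (LZMA or zlib output sits close to 8 bits per byte).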

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 172
69a0a458647b3436892cf9f2f126c252
fcf3f72034103255ca8908a3b6940b1e
1b5e2a9ac884f70a9b5bf57168f46c03
105de6d397b346d35cb8727967ac4166
76ad5eeaab560dd2d1f76b54dc04fd56
941a27735bf1456e2d131a205b70b64a
cf69b8dbd1ecf0527c80de87857be126
d9459843556d52dc5180866a70a43718
c9e064073c5d151e45b5ad605da18f4b
41573ec1db262b21b6fd508536ae1e60
dd1a77a6e6653dced7e50774783e3018
39f941c348c799ba8445b5778e887532
5a577d58933f1269788124031010b404
c30a0b81d684f989439c099cd30c4e4f
14d0120f6850c0240d61166214881385
5697f7ed6ff881ef864cb83f7b1a0c1e
167c694a52acb524c5f9e1e088e635fc
f82e67024da639c73ed3d2adbd3f7aa4
c4f1bea769a99be823de9d5b0aebe8dd
5e25ed7b15978b2ac1c8bd2998cffb09
4ea42632fca9d16efcc7cc8bde850416
25ee75763dce067d4d0d05bd2112d830
0e918a00be71884acafa8bda1155c2e3
2908233ce6b3ff590ff2a6674b3b75f0
f7ce1fab1a9926d954e850fd07dbd9d0

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Adware connects to the servers at the following location(s):

No connections were recorded during analysis; the download locations embedded in the installer are visible in the strings below.

Strings from Dumps

%original file name%.exe_1564:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk3.tmp\nsDialogs.dll
_Exclusive~~~CooL_GuY_{{a2zRG}}.magnet
}.torrent
rrent,Shreks_Thrilling_Tales_(2012)_DvDRip_x264_125MB_Exclusive~~~CooL_GuY_{{a2zRG}}.exe,es
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk3.tmp\nsDialogs.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk3.tmp
264 125MB Exclusive~~~CooL GuY {{a2zRG}}.torrent
ling Tales (2012) DvDRip x264 125MB Exclusive~~~CooL GuY {{a2zRG}}.torrent
[long runs of repeated filler bytes ("[[^", "_\\", "`]]") omitted]
6T.vPj@
d.Itmd5
*o%Ui
Nt%uI}
&^%sP
G.BQn
{8.cn
WINDOWS
1507576
iles\1ClickDownload\1ClickDownloader.exe
DRip x264 125MB Exclusive~~~CooL GuY {{a2zRG}}.torrent,Shreks_Thrilling_Tales_(2012)_DvDRip_x264_125MB_Exclusive~~~CooL_GuY_{{a2zRG}}.exe,es
282948265
125MB Exclusive~~~CooL GuY {{a2zRG}}.torrent
21776510
1ed2ff6dde2e95609180cbaf.exe
2829482
06406250
1900786
-1861942281
ownload.sweetpacks.com/simsdm/bundle/
2031950
ve~~~CooL GuY {{a2zRG}}.torrent
B Exclusive~~~CooL GuY {{a2zRG}}.torrent
2359552
am Files\Internet Explorer\iexplore.exe
hrilling Tales (2012) DvDRip x264 125MB Exclusive~~~CooL GuY {{a2zRG}}.torrent
Exclusive~~~CooL GuY {{a2zRG}}.torrent
c:\%original file name%.exe
%Documents and Settings%\%current user%\Desktop
%Program Files%\1ClickDownload
k3.tmp
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
hXXp://files.download1click.ws/MainPackFA2703.exe
hXXp://files.download1click.ws/gzip2.exe
hXXp://data.downloadstarter.net/
hXXp://files.download1click.ws/ARURUSetup.exe
hXXp://files.download1click.ws/ARUARSetup.exe
hXXp://files.download1click.ws/BTB0612.exe
hXXp://cdn.download.sweetpacks.com/simsdm/bundle/BundleSweetIMSetup.exe
hXXp://files.download1click.ws/FmoodsV21.exe
hXXp://files.download1click.ws/IminentSetup5.exe
hXXp://files.download1click.ws/.exe
hXXp://files.download1click.ws/weatherbugsetup.msi
hXXp://files.download1click.ws/IWantThisSetupRS.exe
hXXp://files.download1click.ws/ciuvoSetup.exe
hXXp://files.download1click.ws/incredibar_install3.exe
hXXp://download.sterkly.com/yontoo-c4.exe
hXXp://download.sterkly.com/yontoo-c2.exe
hXXp://download.sterkly.com/yontoo-b2.exe
hXXp://download.sterkly.com/yontoo-c3.exe
hXXp://download.sterkly.com/yontoo-c5.exe
hXXp://files.download1click.ws/GophotoExtSetup.exe
hXXp://files.download1click.ws/OneClickExt1_filter03.exe
hXXp://files.download1click.ws/OneClickExt1_filter13.exe
ocmainpack.exe
Inetc3 (Mozilla; FW 4; WinNT 5.1; msi 3.1.4001.5512; dbw ie; yo ;)
Software\Microsoft\Windows\CurrentVersion\Uninstall\1ClickDownload
2228562
34211074
2097440
1769712
1769792
1835286
2425154
1704236
1900838
3131649
extr1,hXXp://extratorrent.com/download/2783813/Shreks Thrilling Tales (2012) DvDRip x264 125MB Exclusive~~~CooL GuY {{a2zRG}}.torrent,Shreks_Thrilling_Tales_(2012)_DvDRip_x264_125MB_Exclusive~~~CooL_GuY_{{a2zRG}}.exe,es
Shreks Thrilling Tales (2012) DvDRip x264 125MB Exclusive~~~CooL GuY {{a2zRG}}.torrent
hXXp://extratorrent.com/download/2783813/Shreks Thrilling Tales (2012) DvDRip x264 125MB Exclusive~~~CooL GuY {{a2zRG}}.torrent
1900638
1900824
1900644
402982272
436536705
369427830
1835258
2031712
906298736
1966362
1835242
2162964
1704182
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
218760590
218760595
218760591
352978300
218760581
285869431
218760593
403309956
319423875
453641606
1359611202
Shreks_Thrilling_Tales_(2012)_DvDRip_x264_125MB_Exclusive~~~CooL_GuY_{{a2zRG}}.exe
30536221
VVV.oneclickdownloader.com
sbiectrl.exe
vmtoolsd.exe
prl_cc.exe
coherence.exe
VirtualBox.exe
VBoxSVC.exe
DrWeb
%Program Files%\1ClickDownload\Shreks_Thrilling_Tales_(2012)_DvDRip_x264_125MB_Exclusive~~~CooL_GuY_{{a2zRG}}.magnet
)-.Yln
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

%original file name%.exe_1564_rwx_10004000_00001000:

callback%d
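The strings dump is the most useful part of this report: it holds the defanged download URLs of the bundled installers (files.download1click.ws, download.sterkly.com, cdn.download.sweetpacks.com), the NSIS inetc plugin's User-Agent string, and a list of sandbox and VM process names (Sandboxie, VMware Tools, Parallels, VirtualBox) plus "DrWeb" that the installer evidently looks for. The Python below is an added example for this page, not Lavasoft's code or the sample's: it refangs the report's hXXp:// and VVV. notation, extracts network indicators while dropping truncated fragments that cannot be verified, and flags the analysis-environment names. The excerpt of dump lines is constructed from the listing above; the mapping of process names to products is my own annotation.

```python
import re

# Constructed excerpt of the strings dump above (verbatim lines).
DUMP_LINES = [
    "hXXp://files.download1click.ws/MainPackFA2703.exe",
    "hXXp://files.download1click.ws/gzip2.exe",
    "hXXp://cdn.download.sweetpacks.com/simsdm/bundle/BundleSweetIMSetup.exe",
    "hXXp://download.sterkly.com/yontoo-c4.exe",
    "hXXp://files.download1click.ws/.exe",
    "hXXp://nsis.sf.net/NSIS_Error",
    "VVV.oneclickdownloader.com",
    "ownload.sweetpacks.com/simsdm/bundle/",
    "Inetc3 (Mozilla; FW 4; WinNT 5.1; msi 3.1.4001.5512; dbw ie; yo ;)",
    "sbiectrl.exe", "vmtoolsd.exe", "prl_cc.exe", "coherence.exe",
    "VirtualBox.exe", "VBoxSVC.exe", "DrWeb",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\1ClickDownload",
    "callback%d",
]

# Names the installer references and what they belong to (my annotation).
# Their presence is an evasion indicator, not proof that a check is executed.
ANALYSIS_ARTIFACTS = {
    "sbiectrl.exe": "Sandboxie control",
    "vmtoolsd.exe": "VMware Tools",
    "prl_cc.exe": "Parallels Control Center",
    "coherence.exe": "Parallels Coherence",
    "virtualbox.exe": "VirtualBox GUI",
    "vboxsvc.exe": "VirtualBox service",
    "drweb": "Dr.Web anti-virus (product-presence check)",
}

# NSIS boilerplate rather than sample infrastructure.
BENIGN_HOSTS = {"nsis.sf.net"}

UA_RE = re.compile(r"^Inetc\d* \(.*\)$")


def refang(s):
    """Undo the hXXp:// and VVV. defanging used in this report."""
    s = re.sub(r"^hXXp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return re.sub(r"^VVV\.", "www.", s)


def extract_hosts(lines):
    """Hosts from strings anchored by a scheme or 'www.'; fragments such as
    'ownload.sweetpacks.com/...' are truncated and deliberately skipped."""
    hosts = set()
    for line in lines:
        m = re.match(r"^(?:https?://|(?=www\.))([a-z0-9.-]+)", refang(line.strip()), re.I)
        if m and m.group(1).lower() not in BENIGN_HOSTS:
            hosts.add(m.group(1).lower())
    return sorted(hosts)


def download_urls(lines):
    """Complete http(s) URLs to .exe/.msi files. The template URL ending in
    '/.exe' (empty file name) is skipped because it names no payload."""
    urls = []
    for line in lines:
        u = refang(line.strip())
        if re.match(r"^https?://", u) and re.search(r"/[^/]+\.(exe|msi)$", u, re.I):
            urls.append(u)
    return urls


def evasion_indicators(lines):
    return {l.strip().lower(): ANALYSIS_ARTIFACTS[l.strip().lower()]
            for l in lines if l.strip().lower() in ANALYSIS_ARTIFACTS}


def user_agent(lines):
    """The NSIS inetc plugin's User-Agent, usable as a proxy/IDS signature."""
    for line in lines:
        if UA_RE.match(line.strip()):
            return line.strip()
    return None


def triage(lines):
    return {"hosts": extract_hosts(lines), "urls": download_urls(lines),
            "evasion": evasion_indicators(lines), "user_agent": user_agent(lines)}


if __name__ == "__main__":
    for k, v in triage(DUMP_LINES).items():
        print(k, "=>", v)
```

The four hosts and the "Inetc3 (Mozilla; ..." User-Agent are the indicators worth feeding to a proxy or IDS; the VM and sandbox names explain why a dynamic run can stay quiet ("Web Traffic was not found" above) even though the installer clearly carries a download list, so a second run with those process names hidden or renamed is a reasonable next step.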


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate the malicious process(es) if still running (see How to End a Process With the Task Manager). This sample created no separate processes; only the installer process itself (%original file name%.exe) ran.
  2. Delete the original Adware file.
  3. Delete or disinfect the following files created/modified by the Adware:

    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\skip.bmp (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\accept3.bmp (784 bytes)
    %Program Files%\1ClickDownload\ocmainpack.exe (598 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\accept2.bmp (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\accept.bmp (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\inetc3.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\nsDialogs.dll (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\decline.bmp (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\save.bmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp (13544 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\accept1.bmp (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\1clogo.bmp (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\MainPackFA2703[1].htm (598 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\anon.bmp (2 bytes)

  4. Delete the registry key HKCU\Software\1ClickDownload and the folder %Program Files%\1ClickDownload created by the installer (see Registry activity and File activity above).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
