Adware.DealDropper.A_b4f6b6a713

by malwarelabrobot on May 24th, 2014 in Malware Descriptions.

Adware.DealDropper.A (AdAware)
Behaviour: PUP, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: b4f6b6a713d3f1e3d80edf566e6137af
SHA1: 37c05f2b176aac0e20a53dc2e36e482e45aef0af
SHA256: 9ed4a64a3c4d367a4a32cc689afa3e7567932e85c94205a4f0def79f1e5317ad
SSDeep: 24576:ktaa80KkBQBfFUgk6msA10/8IkeSnLpC3YKIudmdn0cOY7fFJYcyqzF:kJNKkBQBfFgNOBkeSnLpCoKIomdnQEfR
Size: 1211056 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Smart Apps
Created at: 2012-02-19 17:01:49
Analyzed on: WindowsAda SP3 32-bit


Summary:

Potentially Unwanted Program. An application that does not display malicious behavior, yet is installed without having first sought affirmative user consent for installation. Users may not realize, due to the nature of the installation procedure, that an application they have not explicitly agreed to has been installed. This category can also be used to classify other applications which, in a certain context, can be wanted, e.g. remote administration tools or IRC clients.
Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program, or are frustrated by its effects on system performance.

Payload

No specific payload has been found.

Process activity

The program creates the following process(es):

net1.exe:1692
FrameworkEngine.exe:3632
storageedit.exe:4076
net.exe:1932
gpedit.exe:3428
Updater.exe:1368
regsvr32.exe:548
regsvr32.exe:2216
regsvr32.exe:2228
%original file name%.exe:3848
cscript.exe:2964
cscript.exe:1224
cscript.exe:600
cscript.exe:1188
cscript.exe:1080
cscript.exe:4004
cscript.exe:1364
cscript.exe:2180
cscript.exe:492
updater.exe:1200
updater.exe:208
updater.exe:2796
updater.exe:232
msfeedssync.exe:2192

The program injects its code into the following process(es):
No processes have been created.

File activity

The process gpedit.exe:3428 makes changes in the file system.
The program creates and/or writes to the following file(s):

%System%\GroupPolicy\gpt.ini (315 bytes)
%System%\GroupPolicy\Machine\Registry.pol (1192 bytes)

The process Updater.exe:1368 makes changes in the file system.
The program creates and/or writes to the following file(s):

%WinDir%\Tasks\bench-sys.job (328 bytes)

The process %original file name%.exe:3848 makes changes in the file system.
The program creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\contentNotificationStyle.tmpl (3 bytes)
%Program Files%\Deal-Dropper\framework\backgroundscript_engine.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\notifications.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\timer.js (977 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ping.js (382 bytes)
%Program Files%\Deal-Dropper\framework\storage.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\SoftwareDetector.exe (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\repair.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\install.rdf (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\browser_button.js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\common.js (12 bytes)
%Program Files%\Deal-Dropper\framework\initialize.js (316 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\migrate.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_settings.js (83 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns33.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst28.tmp (74961 bytes)
%Program Files%\Deal-Dropper\CanvasFramework\canvas_bg.js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\CanvasFramework\canvas_bg.js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\uninstall.exe (3471 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\icon.ico (784 bytes)
%Program Files%\Deal-Dropper\icons\icon128.png (3 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\top-right.png (308 bytes)
%Program Files%\Bench\Updater\updater.exe (2392 bytes)
%Program Files%\Bench\NmHost\manifest.json (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\projectInstaller.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\storage.js (6 bytes)
%Program Files%\Deal-Dropper\AppFramework\appAPI_bg.js (2 bytes)
%Program Files%\Deal-Dropper\FrameworkBHO64.dll (16944 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\bottom-middle.png (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox_installer.js (6 bytes)
%Program Files%\Deal-Dropper\AppFramework\appAPI_browseraction.js (799 bytes)
%Program Files%\Deal-Dropper\framework\userscript_client.js (310 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2B.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\browser.js (12 bytes)
%Program Files%\Deal-Dropper\AppFramework\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\console.js (540 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\options.js (934 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\contentNotification.tmpl (836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2C.tmp (278 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\bootstrap.js (2 bytes)
%Program Files%\Deal-Dropper\framework-ui\notification.html (6 bytes)
%Program Files%\Deal-Dropper\FrameworkEngine.exe (11048 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\icons\icon128.png (3 bytes)
%Program Files%\Deal-Dropper\icons\icon100.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_common.js (9 bytes)
%Program Files%\Deal-Dropper\CanvasFramework\webrequest.js (4 bytes)
%Program Files%\Deal-Dropper\framework-ui\ui_base.js (1 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\tail-left.png (307 bytes)
%Program Files%\Deal-Dropper\background.html (157 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_bg.js (2 bytes)
%Program Files%\Deal-Dropper\CanvasFramework\registry.js (908 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_browseraction.js (799 bytes)
%Program Files%\Bench\BService\bhelper.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\ui_base.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\io.js (976 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_content.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\utils.js (2 bytes)
%Program Files%\Deal-Dropper\framework-ui\framework_api.js (1 bytes)
%Program Files%\Deal-Dropper\icons\icon48.png (1 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\middle-right.png (234 bytes)
%Program Files%\Deal-Dropper\framework\timer.js (409 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\base.js (2 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\middle-left.png (235 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\sqlite3.exe (33888 bytes)
%Program Files%\Deal-Dropper\framework\i18n.js (1 bytes)
%Program Files%\Deal-Dropper\framework\userscript_engine.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_webrequest.js (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2A.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns30.tmp (8 bytes)
%Program Files%\Deal-Dropper\framework\lang.js (1 bytes)
%Program Files%\Deal-Dropper\framework\messaging.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\CanvasFramework\webrequest.js (5 bytes)
%Program Files%\Deal-Dropper\framework\base.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\lang.js (3 bytes)
%Program Files%\Deal-Dropper\framework-ui\notifications.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\chrome_gp_update.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\main_installer.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\extension_info.json (1 bytes)
%Program Files%\Deal-Dropper\framework\global.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\invoke_async.js (2 bytes)
%Program Files%\Deal-Dropper\framework\invoke_async.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsExec.dll (8 bytes)
%Program Files%\Deal-Dropper\framework-ui\context_menu.js (738 bytes)
%Program Files%\Deal-Dropper\framework\console.js (489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns31.tmp (8 bytes)
%Program Files%\Deal-Dropper\framework\legacy.js (1 bytes)
%Program Files%\Deal-Dropper\AppFramework\appAPI_webrequest.js (138 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\tail-top.png (315 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\top-left.png (310 bytes)
%Program Files%\Deal-Dropper\framework\xhr.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\info.xml (351 bytes)
%Program Files%\Deal-Dropper\framework-ui\browser_button.js (5 bytes)
%Program Files%\Deal-Dropper\AppFramework\appAPI_content.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\xhr.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\framework.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\userscript_engine.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\gpedit.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns32.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\message_target.js (854 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\legacy.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\chrome_installer.js (5 bytes)
%Program Files%\Deal-Dropper\framework\io.js (1 bytes)
%Program Files%\Deal-Dropper\CanvasFramework\canvasscript_engine.js (437 bytes)
%Program Files%\Deal-Dropper\config.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\background.html (157 bytes)
%Program Files%\Deal-Dropper\AppFramework\appAPI_common.js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\content_notifications.js (9 bytes)
%Program Files%\Deal-Dropper\CanvasFramework\md5.js (3 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\top-middle.png (240 bytes)
%Program Files%\Bench\NmHost\nmhost.exe (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\content_proxy.js (502 bytes)
%Program Files%\Deal-Dropper\framework\updater.js (2 bytes)
%Program Files%\Deal-Dropper\icons\icon32.png (1 bytes)
%Program Files%\Deal-Dropper\framework\utils.js (2 bytes)
%Program Files%\Deal-Dropper\extension_info.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsProcess2.dll (1552 bytes)
%Program Files%\Deal-Dropper\AppFramework\appAPI_settings.js (83 bytes)
%Program Files%\Deal-Dropper\framework\browser.js (11 bytes)
%Program Files%\Bench\BService\bservice.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns34.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\CanvasFramework\md5.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\icons\icon100.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\backgroundscript_engine.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\userscript_client.js (310 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\framework_api.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\i18n.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2E.tmp (8 bytes)
%Program Files%\Deal-Dropper\FrameworkBHO.dll (13584 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\CanvasFramework\canvasscript_engine.js (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2F.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\icons\icon32.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\md5dll.dll (6 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\tail-right.png (304 bytes)
%Program Files%\Bench\Wd\wd.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\uninstall.js (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\chrome.manifest (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\chrome_windows.js (2 bytes)
%Program Files%\Deal-Dropper\framework\message_target.js (854 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\bottom-left.png (316 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns35.tmp (8 bytes)
%Program Files%\Deal-Dropper\framework\json2.js (2 bytes)
%Program Files%\Deal-Dropper\icons\button.png (602 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsProcess.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\messaging.js (1 bytes)
%Program Files%\Deal-Dropper\framework-ui\context_menu_item_handler.html (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\icons\icon48.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\context_menu.js (2 bytes)
%Program Files%\Deal-Dropper\framework\framework.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2D.tmp (603 bytes)
%Program Files%\Deal-Dropper\framework-ui\options.js (660 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\ie_installer.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\icons\button.png (602 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\tail-bottom.png (315 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\bottom-right.png (311 bytes)
%Program Files%\Bench\Updater\1.7.0.0\updater.exe (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\CanvasFramework\registry.js (796 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\storageedit.exe (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\installer.js (774 bytes)

The program deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns35.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsProcess2.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns31.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns34.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns33.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns32.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\pz_info (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse27.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsProcess.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns30.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ping.js (0 bytes)

The process cscript.exe:600 makes changes in the file system.
The program creates and/or writes to the following file(s):

%Program Files%\Deal-Dropper\extension_info.json (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\repair_data.json (4 bytes)

The process cscript.exe:1188 makes changes in the file system.
The program creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon48.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\legacy.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\background.html (157 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\button.png (602 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\extension_info.json (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\xhr.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\canvas_bg.js (5 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon128.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\content_proxy.js (502 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\backgroundscript_engine.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_settings.js (83 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\framework.js (4 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_bg.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\browser.js (12 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\framework_api.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions.json (4 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\timer.js (977 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\contentNotification.tmpl (836 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\webrequest.js (5 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\storage.js (6 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\registry.js (796 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\content_notifications.js (9 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\options.js (934 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\canvasscript_engine.js (437 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_content.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\repair_data.json (3 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\extension_info.json (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\utils.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\userscript_client.js (310 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon32.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\i18n.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\chrome_windows.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\lang.js (3 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\contentNotificationStyle.tmpl (3 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\jquery.min.js (601 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\messaging.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\chrome.manifest (57 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\context_menu.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\md5.js (3 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\invoke_async.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon100.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\uninstall.js (73 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\bootstrap.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\io.js (976 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\notifications.js (3 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\browser_button.js (9 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\ui_base.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\userscript_engine.js (3 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\install.rdf (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\console.js (540 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_browseraction.js (799 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\base.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\message_target.js (854 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_common.js (9 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_webrequest.js (138 bytes)

The process cscript.exe:1080 makes changes in the file system.
The program creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\pz_info (386 bytes)

The process cscript.exe:1364 makes changes in the file system.
The program creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences (106 bytes)
%Program Files%\Bench\NmHost\manifest.json (215 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\repair_data.json (1 bytes)
%Program Files%\Bench\NmHost\data\installer\epjpfmkiegfpfhiaohimeiamofnpdkgj (955 bytes)
%System%\drivers\etc\hosts (781 bytes)

The process updater.exe:1200 makes changes in the file system.
The program creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\BenchUpdater\products.xml (497 bytes)

The program deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\info.xml (0 bytes)

The process updater.exe:208 makes changes in the file system.
The program creates and/or writes to the following file(s):

%Program Files%\Bench\Updater\products.xml (435 bytes)

The program deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsp2D.tmp (0 bytes)

The process updater.exe:2796 makes changes in the file system.
The program creates and/or writes to the following file(s):

%WinDir%\Tasks\bench-S-1-5-21-1844237615-1960408961-1801674531-1003.job (326 bytes)

The process updater.exe:232 makes changes in the file system.
The program creates and/or writes to the following file(s):

%WinDir%\Tasks\bench-S-1-5-21-1844237615-1960408961-1801674531-1003.job (328 bytes)

The process msfeedssync.exe:2192 makes changes in the file system.
The program creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms (3114 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\Internet Explorer Suggested Sites~.feed-ms (1080 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\SuggestedSites.dat (4 bytes)
%WinDir%\Tasks\User_Feed_Synchronization-{414D0F7C-B684-437B-B53E-8AB5AE32E070}.job (416 bytes)

Registry activity

The process net1.exe:1692 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C A8 FD 0D 32 2F F9 04 31 59 5F CA CD 12 28 84"

The RNG "Seed" value is rewritten by CryptoAPI whenever a process draws random bytes, and the Explorer "Shell Folders" values are refreshed whenever a process resolves a known folder path. Both recur under almost every process below; they are side effects of ordinary API use, not indicators of anything on their own.

The process FrameworkEngine.exe:3632 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 5A 62 CB F8 4F C9 C0 39 FE 14 79 B0 5A 2B B2"

[HKCR\TypeLib\{15DF158E-43BC-45E4-BDBA-42C8D61067E1}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{AFADC76E-308C-4150-BEBF-14C4FDE58259}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{AF8EC7CC-303A-41EF-B1F7-56C4F5E5DE59}\TypeLib]
"(Default)" = "{15DF158E-43BC-45E4-BDBA-42C8D61067E1}"

[HKCR\CLSID\{AF8EC7CC-303A-41EF-B1F7-56C4F5E5DE59}]
"(Default)" = "Deal-Dropper"

[HKCR\Interface\{AFADC76E-308C-4150-BEBF-14C4FDE58259}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15DF158E-43BC-45E4-BDBA-42C8D61067E1}]
"AppPath" = "%Program Files%\Deal-Dropper\"

[HKCR\TypeLib\{15DF158E-43BC-45E4-BDBA-42C8D61067E1}\1.0\0\win32]
"(Default)" = "%Program Files%\Deal-Dropper\FrameworkEngine.exe"

[HKCR\CLSID\{AF8EC7CC-303A-41EF-B1F7-56C4F5E5DE59}\LocalServer32]
"ServerExecutable" = "%Program Files%\Deal-Dropper\FrameworkEngine.exe"

[HKCR\TypeLib\{15DF158E-43BC-45E4-BDBA-42C8D61067E1}\1.0]
"(Default)" = "EngineLib"

[HKCR\TypeLib\{15DF158E-43BC-45E4-BDBA-42C8D61067E1}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Deal-Dropper"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15DF158E-43BC-45E4-BDBA-42C8D61067E1}]
"AppName" = "FrameworkEngine.exe"
"Policy" = "3"

With "Policy" = 3, Internet Explorer's Protected Mode launches FrameworkEngine.exe from the low-integrity browser as a medium-integrity process without prompting the user. Together with the "AppPath" entry above, this lets code running inside the sandboxed IE process start the engine outside the sandbox, which is the usual reason a toolbar registers an elevation policy.

[HKCR\Interface\{AFADC76E-308C-4150-BEBF-14C4FDE58259}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{AFADC76E-308C-4150-BEBF-14C4FDE58259}]
"(Default)" = "IKangoEngine"

[HKCR\Interface\{AFADC76E-308C-4150-BEBF-14C4FDE58259}\TypeLib]
"(Default)" = "{15DF158E-43BC-45E4-BDBA-42C8D61067E1}"

[HKCR\CLSID\{AF8EC7CC-303A-41EF-B1F7-56C4F5E5DE59}\LocalServer32]
"(Default)" = "%Program Files%\Deal-Dropper\FrameworkEngine.exe"

[HKCR\CLSID\{AF8EC7CC-303A-41EF-B1F7-56C4F5E5DE59}\Version]
"(Default)" = "1.0"

The process storageedit.exe:4076 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 87 9D 03 73 97 AF 1B 4C 18 82 58 B0 9C 31 EB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process net.exe:1932 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 69 81 AE AF A2 5E 18 C4 3A 74 63 FB 83 60 B1"

The process gpedit.exe:3428 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 A1 F5 B5 AF 60 51 A9 E2 21 91 B4 39 5C 69 CA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{66E54CD6-C1AA-4A9C-A91F-E91817D715AA}Machine\Software\Policies\Google\Chrome\ExtensionInstallForcelist]
"1" = "epjpfmkiegfpfhiaohimeiamofnpdkgj;http://epjpfmkiegfpfhiaohimeiamofnpdkgj/check/.eJwNyUEOgCAMAMG_9EyMXvmMIVKkQCmBakyMf5fjzr6gbmSwcMQujGDgxj5I6qRtWWdTHepKwQ5W-4UG8NGd_PzYUgucCc_QQiQnkRjJsYTafD4TfD_fXyE-.m60tajgmPM8_2vDqWW4qUCE_47Q"

Note that this gpedit.exe is the file the installer dropped to %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\gpedit.exe (see "Dropped PE files"), not a Windows component. The key path it writes, HKCU\...\Group Policy Objects\{GUID}Machine\..., is the scratch hive that the Local Group Policy API (IGroupPolicyObject, implemented in gpedit.dll) opens while it edits machine policy; once the edit is saved the value becomes Chrome's machine-level ExtensionInstallForcelist policy, which forces the extension epjpfmkiegfpfhiaohimeiamofnpdkgj (the installer wrote its package to %Program Files%\Bench\NmHost\data\installer\ above) into every Chrome profile on the machine, and the scratch keys are removed again, which is what the deletions below record. The "update URL" uses the extension ID as its host name, so it is not a fetchable address.

The program deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{66E54CD6-C1AA-4A9C-A91F-E91817D715AA}Machine\Software\Policies]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{66E54CD6-C1AA-4A9C-A91F-E91817D715AA}Machine\Software]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{66E54CD6-C1AA-4A9C-A91F-E91817D715AA}User]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{66E54CD6-C1AA-4A9C-A91F-E91817D715AA}Machine\Software\Policies\Google]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{66E54CD6-C1AA-4A9C-A91F-E91817D715AA}Machine]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{66E54CD6-C1AA-4A9C-A91F-E91817D715AA}Machine\Software\Policies\Google\Chrome]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{66E54CD6-C1AA-4A9C-A91F-E91817D715AA}Machine\Software\Policies\Google\Chrome\ExtensionInstallForcelist]
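The following is an added triage example, not code from the report or from the Deal-Dropper/Bench components. It parses the ExtensionInstallForcelist value recorded above in Chrome's `id;update_url` format and flags what a responder would look for: an update URL that is not the Chrome Web Store endpoint, a host that is really the extension ID, and plaintext HTTP. The `inflate_url_blob` helper rests on an assumption about the path segment: `.eJw...` is the URL-safe base64 of a zlib stream (bytes 78 9c), the layout used by compressed signed-token formats, so it tries to inflate it and returns None if that guess is wrong. The Web Store URL is the one Chrome documents; the flag names are mine.

```python
"""Triage of a Chrome ExtensionInstallForcelist entry (added example)."""
import base64
import binascii
import zlib
from urllib.parse import urlsplit

# Value recorded under ...\Group Policy Objects\{...}Machine\Software\Policies\
# Google\Chrome\ExtensionInstallForcelist, value "1", in the report above.
FORCELIST_VALUE = (
    "epjpfmkiegfpfhiaohimeiamofnpdkgj;"
    "http://epjpfmkiegfpfhiaohimeiamofnpdkgj/check/"
    ".eJwNyUEOgCAMAMG_9EyMXvmMIVKkQCmBakyMf5fjzr6gbmSwcMQujGDgxj5I6qRtWWdTHepKwQ5W-4UG8NGd_PzYUgucCc_QQiQnkRjJsYTafD4TfD_fXyE-"
    ".m60tajgmPM8_2vDqWW4qUCE_47Q"
)

# Chrome's own update endpoint; a bare ID in the forcelist implies this URL.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def is_extension_id(s: str) -> bool:
    """Chrome extension IDs are 32 characters from the alphabet a-p."""
    return len(s) == 32 and all("a" <= c <= "p" for c in s)


def parse_forcelist_entry(value: str) -> dict:
    """Split an ExtensionInstallForcelist entry 'id;update_url' and flag oddities."""
    ext_id, sep, update_url = value.partition(";")
    info = {"id": ext_id, "update_url": update_url if sep else WEBSTORE_UPDATE_URL}
    info["valid_id"] = is_extension_id(ext_id)
    host = urlsplit(info["update_url"]).hostname or ""
    info["update_host"] = host
    flags = []
    if not info["valid_id"]:
        flags.append("malformed-id")
    if info["update_url"] != WEBSTORE_UPDATE_URL:
        flags.append("non-webstore-update-url")
    if host == ext_id:
        # The "host" is the extension ID itself: not resolvable, so the URL only
        # carries data for the installer and never produces a real fetch.
        flags.append("update-host-is-extension-id")
    if info["update_url"].startswith("http://"):
        flags.append("plaintext-http")
    info["flags"] = flags
    return info


def inflate_url_blob(update_url: str):
    """Best effort (assumption, see lead-in): a path segment starting with '.eJw'
    is URL-safe base64 of a zlib stream followed by '.signature'. Returns the
    inflated bytes, or None when the segment is absent or does not inflate."""
    for part in urlsplit(update_url).path.split("/"):
        if part.startswith(".eJw"):
            payload = part[1:].split(".", 1)[0]          # drop leading '.', cut signature
            padded = payload + "=" * (-len(payload) % 4)  # restore stripped base64 padding
            try:
                return zlib.decompress(base64.urlsafe_b64decode(padded))
            except (binascii.Error, zlib.error, ValueError):
                return None
    return None


if __name__ == "__main__":
    info = parse_forcelist_entry(FORCELIST_VALUE)
    print(info["id"], info["update_host"], info["flags"])
    print("inflated payload:", inflate_url_blob(info["update_url"]))
```

On a live machine the same function can be run over every value under `HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist` (and the HKCU and Group Policy Objects copies); any entry whose flags are non-empty deserves a look at the extension package on disk.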

The process Updater.exe:1368 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 0D E7 66 53 8A 32 CC AE 9D 19 CE E9 49 74 3E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process regsvr32.exe:548 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A CC 88 17 7D 60 34 A7 F6 E5 01 A9 82 8E ED F0"

The process regsvr32.exe:2216 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKCR\CLSID\{41708E47-E97E-4051-A609-B88B398BCC94}\InprocServer32]
"(Default)" = "%Program Files%\Deal-Dropper\FrameworkBHO.dll"

[HKCR\CLSID\{41708E47-E97E-4051-A609-B88B398BCC94}]
"(Default)" = "Deal-Dropper BHO"

[HKCR\Interface\{7F201B57-BF61-467F-B689-D01FB7443924}]
"(Default)" = "IKangoToolbar"

[HKCR\Interface\{41E78E1D-E950-40CF-8498-4C8BE88BEA94}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{04D1BE17-3CB3-4981-815D-547300B40C45}\1.0]
"(Default)" = "Framework 1.0 Type Library"

[HKCR\TypeLib\{04D1BE17-3CB3-4981-815D-547300B40C45}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{41708E47-E97E-4051-A609-B88B398BCC94}\TypeLib]
"(Default)" = "{04D1BE17-3CB3-4981-815D-547300B40C45}"

[HKCR\TypeLib\{04D1BE17-3CB3-4981-815D-547300B40C45}\1.0\0\win32]
"(Default)" = "%Program Files%\Deal-Dropper\FrameworkBHO.dll"

[HKCR\CLSID\{7F3A1B6B-BF72-46F6-81BC-891F6744D124}\TypeLib]
"(Default)" = "{04D1BE17-3CB3-4981-815D-547300B40C45}"

[HKCR\CLSID\{7F3A1B6B-BF72-46F6-81BC-891F6744D124}]
"(Default)" = "Deal-Dropper"

[HKCR\Interface\{7F201B57-BF61-467F-B689-D01FB7443924}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{7F201B57-BF61-467F-B689-D01FB7443924}\TypeLib]
"(Default)" = "{04D1BE17-3CB3-4981-815D-547300B40C45}"

[HKCR\CLSID\{41708E47-E97E-4051-A609-B88B398BCC94}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{41E78E1D-E950-40CF-8498-4C8BE88BEA94}]
"(Default)" = "IKangoBHO"

[HKCR\Interface\{7F201B57-BF61-467F-B689-D01FB7443924}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7F3A1B6B-BF72-46F6-81BC-891F6744D124}" = "Deal-Dropper"

[HKCR\CLSID\{41708E47-E97E-4051-A609-B88B398BCC94}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{7F3A1B6B-BF72-46F6-81BC-891F6744D124}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{7F3A1B6B-BF72-46F6-81BC-891F6744D124}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD C3 CD 54 9A 15 AE 0A A2 2C 72 1E 58 9B BE 9F"

[HKCR\Interface\{41E78E1D-E950-40CF-8498-4C8BE88BEA94}\TypeLib]
"Version" = "1.0"
"(Default)" = "{04D1BE17-3CB3-4981-815D-547300B40C45}"

[HKCR\Interface\{7F201B57-BF61-467F-B689-D01FB7443924}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{7F3A1B6B-BF72-46F6-81BC-891F6744D124}\InprocServer32]
"(Default)" = "%Program Files%\Deal-Dropper\FrameworkBHO.dll"

[HKCR\Interface\{41E78E1D-E950-40CF-8498-4C8BE88BEA94}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{04D1BE17-3CB3-4981-815D-547300B40C45}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Deal-Dropper"

It registers itself as a Browser Helper Object (BHO) so that Internet Explorer loads it at every start. The CLSID below is the one mapped to %Program Files%\Deal-Dropper\FrameworkBHO.dll above, and the interface names it exposes (IKangoBHO, IKangoToolbar, IKangoEngine) are those of the Kango cross-browser extension framework the toolbar is built on; "NoExplorer" = 1 keeps the BHO out of Windows Explorer (explorer.exe) so it loads only in the browser. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{41708E47-E97E-4051-A609-B88B398BCC94}]
"(Default)" = "Deal-Dropper BHO"
"NoExplorer" = "1"

The process regsvr32.exe:2228 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B D1 6C C6 34 5E 52 19 99 C2 01 3E F4 CB 1B A3"

The process %original file name%.exe:3848 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"FrameworkEngine.exe" = "10000"

The value 10000 makes the WebBrowser (MSHTML) control that FrameworkEngine.exe embeds render in IE10 standards mode instead of the IE7 compatibility default for hosted controls; the same value is set per user under HKCU below.

[HKLM\SOFTWARE]
"38902" = "Deal-Dropper"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj29.tmp\nsProcess.dll,"

An entry whose destination is empty (the trailing comma) tells the session manager to delete the file at the next boot. nsProcess.dll is an NSIS installer plugin and nsj29.tmp is the installer's temporary plugin directory; the plugin is still loaded while the installer runs, so it is scheduled for deletion at reboot instead.

[HKLM\SOFTWARE\Bench\NmHost]
"(Default)" = "%Program Files%\Bench\NmHost\nmhost.exe"

[HKLM\SOFTWARE\AdvertisingSupport]
"Seen" = "1"

[HKLM\SOFTWARE\Deal-Dropper]
"ZoneId" = "446810"

[HKLM\SOFTWARE\Bench\Updater\38902]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38902_Deal-Dropper]
"NoRepair" = "1"

[HKLM\SOFTWARE\Deal-Dropper]
"InstallTime" = "1400924522"

[HKLM\SOFTWARE\Bench\NmHost\38902]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Bench\BService\38902]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38902_Deal-Dropper]
"DisplayIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper/icon.ico"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Deal-Dropper]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38902_Deal-Dropper]
"DisplayName" = "Deal-Dropper"
"InstallLocation" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper"

[HKLM\SOFTWARE\Bench\Updater]
"Path" = "%Program Files%\Bench\Updater\updater.exe"

[HKLM\SOFTWARE\Deal-Dropper]
"SeenDate" = "1400913722"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"FrameworkEngine.exe" = "10000"

[HKLM\SOFTWARE\Deal-Dropper]
"CDN" = "contentcache-a.akamaihd.net"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38902_Deal-Dropper]
"DisplayVersion" = "1.0"
"Publisher" = "Smart Apps"

[HKLM\SOFTWARE\Deal-Dropper]
"UTCInstallTime" = "1400913722"

[HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.bench.nmhost]
"(Default)" = "%Program Files%\Bench\NmHost\manifest.json"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 75 A0 1D 15 EC 61 44 70 3E 6D 80 01 30 AD 4F"

[HKLM\SOFTWARE\Deal-Dropper]
"SystemId" = "4433e0bcf600ea79ca332930e87765a0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38902_Deal-Dropper]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\AdvertisingSupport]
"SeenDate" = "1400913722"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Deal-Dropper]
"PID" = "1779"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38902_Deal-Dropper]
"NoModify" = "1"

[HKLM\SOFTWARE\Deal-Dropper]
"Seen" = "1"

To run itself again after a reboot, the program adds the following entries to the autorun keys (values under Run persist across boots, values under RunOnce are removed after they execute once):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Deal-Dropper" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BService" = "%Program Files%\Bench\BService\bservice.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Deal-Dropper-repairJob" = "wscript.exe %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\repair.js Deal-Dropper-repairJob"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WD" = "%Program Files%\Bench\Wd\wd.exe"

The program deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Deal-Dropper]
"Seen"

[HKLM\SOFTWARE\AdvertisingSupport]
"Seen"

The program removes the following value from the Run key. Read together with the RunOnce entry of the same name above, this moves the repair job from a persistent Run entry to a one-shot RunOnce entry rather than removing it:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Deal-Dropper-repairJob"
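The NativeMessagingHosts registration above is the other half of the forced Chrome extension: a native messaging host lets an extension exchange JSON messages over stdio with a local binary, here %Program Files%\Bench\NmHost\nmhost.exe. The report records only that manifest.json exists (215 bytes), so the manifest body in the added example below is constructed to Chrome's documented schema (name, description, path, type, allowed_origins) and is not the recovered file. The checks are Chrome's own rules plus one cross-reference a responder wants: does a policy-forced extension also get a native host? This is an added example, not code from the report or from Bench.

```python
"""Audit of a Chrome native messaging host registration (added example)."""
import json
import re

# CONSTRUCTED sample manifest: what a manifest wiring the force-installed
# extension to nmhost.exe would have to contain. Not the recovered file.
SAMPLE_MANIFEST = json.dumps({
    "name": "com.bench.nmhost",
    "description": "Bench native host",
    "path": "C:\\Program Files\\Bench\\NmHost\\nmhost.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://epjpfmkiegfpfhiaohimeiamofnpdkgj/"],
})

# Registry side, as recorded in the report:
# HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.bench.nmhost = <manifest path>
REGISTERED_HOSTS = {"com.bench.nmhost": "C:\\Program Files\\Bench\\NmHost\\manifest.json"}

# Extension IDs found in ExtensionInstallForcelist (from the report).
FORCED_EXTENSIONS = {"epjpfmkiegfpfhiaohimeiamofnpdkgj"}

# Chrome's rules: host names are lowercase dotted labels of [a-z0-9_];
# allowed_origins entries must be chrome-extension://<32-char id>/ .
HOST_NAME_RE = re.compile(r"^[a-z0-9_]+(\.[a-z0-9_]+)*$")
ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")


def audit_native_host(reg_name: str, manifest_json: str, forced_ids) -> dict:
    """Check one NativeMessagingHosts registration and cross-reference the
    extensions it admits against the policy-forced extension IDs."""
    m = json.loads(manifest_json)
    findings = []
    name = m.get("name", "")
    if name != reg_name:
        findings.append("name-mismatch")          # Chrome ignores the host if these differ
    if not HOST_NAME_RE.match(name):
        findings.append("bad-host-name")
    if m.get("type") != "stdio":
        findings.append("unsupported-type")       # "stdio" is the only type Chrome supports
    if not m.get("allowed_origins"):
        findings.append("no-allowed-origins")
    origins = []
    for origin in m.get("allowed_origins", []):
        mo = ORIGIN_RE.match(origin)
        if mo:
            origins.append(mo.group(1))
        else:
            findings.append(f"bad-origin:{origin}")
    # The interesting case: an extension that policy forces into every
    # profile AND that is allowed to talk to a native binary.
    if set(origins) & set(forced_ids):
        findings.append("policy-forced-extension-has-native-host")
    return {"host": name, "path": m.get("path", ""), "origins": origins, "findings": findings}


if __name__ == "__main__":
    for reg_name, manifest_path in REGISTERED_HOSTS.items():
        # On a live host you would read manifest_path; the constructed sample stands in here.
        result = audit_native_host(reg_name, SAMPLE_MANIFEST, FORCED_EXTENSIONS)
        print(reg_name, "->", result["path"], result["origins"], result["findings"])
```

A clean machine normally has no third-party entries under either `HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts` or its HKCU counterpart, so simply enumerating those keys and running each manifest through the audit is a quick way to spot browser-to-native bridges installed by adware.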

The process cscript.exe:2964 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D C0 6D 50 A4 46 D8 87 AC 0D C2 4D DE 16 19 BC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 01 00 00 00 00 00 00 00"

The program modifies IE security-zone settings so that hosts which bypass the proxy are mapped to the Intranet Zone. Note that this group of ZoneMap, Shell Folders and SavedLegacySettings writes is what WinINet and the shell record themselves when a script first opens an HTTP session, and all three ZoneMap values below are IE's defaults, so on their own they are not evidence of deliberate tampering; the proxy values further down are the ones to compare against a clean baseline:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

It also treats all network (UNC) paths as belonging to the Intranet Zone:

"UNCAsIntranet" = "1"

and includes dot-less (local) host names that are not listed in another zone in the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The program deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process cscript.exe:1224 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB AF D1 7A 62 6C 30 7C FB 7E A3 5F A4 A9 38 A0"

[HKLM\SOFTWARE\Bench\InstalledExtensions]
"38902" = ""

The process cscript.exe:600 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 33 03 03 AD EF 64 BB 92 17 31 CE B4 08 9A 45"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{41708E47-E97E-4051-A609-B88B398BCC94}]
"Flags" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{41708E47-E97E-4051-A609-B88B398BCC94}" = "1"

The program deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7F3A1B6B-BF72-46F6-81BC-891F6744D124}"

The process cscript.exe:1188 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 3E 11 8D 51 C9 BF D0 75 57 43 C3 8B 0F A4 64"

The process cscript.exe:1080 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 89 E3 CF 2C E9 17 17 BB 28 FB A4 F2 C6 D0 8C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 01 00 00 00 00 00 00 00"

The program modifies IE security-zone settings so that hosts which bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

It also treats all network (UNC) paths as belonging to the Intranet Zone:

"UNCAsIntranet" = "1"

and includes dot-less (local) host names that are not listed in another zone in the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The program deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process cscript.exe:4004 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 AB 75 7D 26 11 E4 42 B7 FB D7 AA E3 A5 1A FC"

[HKLM\SOFTWARE\Deal-Dropper]
"czoneid" = "12199"

The process cscript.exe:1364 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 0A 6D E2 92 D0 DB FC C4 AF 34 2A 62 3C 86 D6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"

The program modifies IE security-zone settings so that hosts which bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

It also treats all network (UNC) paths as belonging to the Intranet Zone:

"UNCAsIntranet" = "1"

and includes dot-less (local) host names that are not listed in another zone in the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The program deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process cscript.exe:2180 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 41 A4 10 B3 C6 75 40 86 81 49 17 3E 51 A0 61"

The process cscript.exe:492 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 A2 40 A7 22 7C 29 B7 75 3E CA D8 1F 59 B9 9F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 44 00 00 00 01 00 00 00 00 00 00 00"

The program modifies IE security-zone settings so that hosts which bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

It also treats all network (UNC) paths as belonging to the Intranet Zone:

"UNCAsIntranet" = "1"

and includes dot-less (local) host names that are not listed in another zone in the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The program deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process updater.exe:1200 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 C9 C7 90 10 A4 F6 7D 8D 18 2D AC 4E DD C7 6F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process updater.exe:208 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 8A C1 2E 7B 9D E2 57 8E 50 9A 8B 21 5E A2 90"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process updater.exe:2796 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 97 61 13 2B 41 5A 29 B7 A8 0D 34 73 7A 0E 76"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process updater.exe:232 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 06 FF 8A C5 8E 55 80 02 AD C4 CA 16 FE 58 8F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process msfeedssync.exe:2192 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 8F 0F D5 52 52 62 35 C0 7D C6 FA 15 0C F6 0E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Internet Explorer\Suggested Sites]
"DeletePending" = "0"
"UploadDiagInfo" = "1C 5C 00 00 71 17 00 08 80 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Internet Explorer\Main\WindowsSearch]
"Version" = "WS not installed"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

Dropped PE files

MD5 File path
da94d940c994714a8be8361d3469b3a2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Deal-Dropper\SoftwareDetector.exe
150e5904c772ce4ad3c2d81b18aed6cb c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Deal-Dropper\gpedit.exe
82771129b12517cf5c6e2244d14e8360 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Deal-Dropper\sqlite3.exe
e1b66274f8a51758e25bb285864a444f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Deal-Dropper\storageedit.exe
fc522beb39d25b66ebf5c40c301f83c1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Deal-Dropper\uninstall.exe
05450face243b3a7472407b999b03a72 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsj29.tmp\nsProcess.dll
72b1a3d56f812839ae5ba3420a5ed812 c:\Program Files\Bench\BService\bhelper.dll
07ee628bdcdb9a09988febdd15e2196c c:\Program Files\Bench\BService\bservice.exe
89bb8b1dc6e5849bfc2c8f7396da4f5b c:\Program Files\Bench\NmHost\nmhost.exe
34203663acf7b6a074b4ee892fea1398 c:\Program Files\Bench\Updater\1.7.0.0\updater.exe
83f9fd1fd4b72219901cd9004ad06804 c:\Program Files\Bench\Updater\updater.exe
a366d38c2d5c1879a9d5b3fe6794b33e c:\Program Files\Bench\Wd\wd.exe
953f35a6fb42ed3c9780ec34c009f159 c:\Program Files\Deal-Dropper\FrameworkBHO.dll
b297099289b4b59e9868d22324e4e927 c:\Program Files\Deal-Dropper\FrameworkBHO64.dll
c6382e297af7f249be51152f539e441d c:\Program Files\Deal-Dropper\FrameworkEngine.exe

HOSTS file anomalies

No anomalies have been detected by the hosts-file check. Note, however, that the file-system trace above records cscript.exe:1364 writing 781 bytes to %System%\drivers\etc\hosts, so the file should be compared against a clean copy rather than assumed untouched.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Smart Apps
Product Name: Deal-Dropper
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 34884 35328 4.14077 49b0a05e59cfe2eb146863465a7f35bb
.data 40960 140 512 0.818128 df0ef3a0da7e22c790a62c5869d70520
.rdata 45056 9108 9216 4.08895 91271e59f4470886a512444b74613d7b
.bss 57344 109520 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 167936 4868 5120 3.63012 5f39890d9696ebf98517ebe318287e41
.ndata 176128 73728 1024 0 0f343b0931126a20f133d67c2b018a3b
.rsrc 249856 35200 35328 3.19635 2394746b531639903751050a9dbd5de8

The .ndata section (73728 bytes virtual, 1024 raw, zero entropy) is the data section of a Nullsoft Scriptable Install System (NSIS) installer, which agrees with the nsj29.tmp plugin directory and the nsProcess.dll plugin seen in the file-system and PendingFileRenameOperations entries above: the sample is an NSIS installer that unpacks the Deal-Dropper and Bench components rather than a custom packer.

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 9
e69abe473b2d53fa926523b8ac8c13d4
b447ea8d07bd37f7adf1b18a49a28dcf
b0bd1cc9cb26b028c593d9a98d0979f8
4f14310ea6fd79372b6efdc599270ecb
5049c1ff8862c19e0eda2f1016082740
84610b9d362cec452e827f53017082ce
d57f220ab3644c660b28813f37d05c79
0c97ec9189030a038e6a5a56c5cb078f
27a3f0e00ca535a39d08501922ce65f1

URLs

URL IP
hxxp://d2rx3wo6u6259k.cloudfront.net/installer-run/4433e0bcf600ea79ca332930e87765a0/pc2985725:4433e0bcf600ea79ca332930e87765a0/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779
hxxp://d2rx3wo6u6259k.cloudfront.net/tbi-ping/4433e0bcf600ea79ca332930e87765a0/5cc36c09d3851c4f9c6368cf0331e90b/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779
hxxp://www.installping5.info/tbi-ping/4433e0bcf600ea79ca332930e87765a0/5cc36c09d3851c4f9c6368cf0331e90b/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779 54.230.200.5
hxxp://www.installping5.info/installer-run/4433e0bcf600ea79ca332930e87765a0/pc2985725:4433e0bcf600ea79ca332930e87765a0/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779 54.230.200.5
time.windows.com 65.55.56.206
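The four beacon URLs carry the same identifiers the installer stored in the registry: the SystemId (4433e0bc...), the ZoneId (446810, also sent as `uzid`), the PID (1779) and the product key 38902, with `pid` appearing twice in the query string with different values. The added example below, which is not code from the report, parses the URLs as recorded (hxxp restored to http so they parse) and checks each one against those registry values; the path-slot labels (event, token, channel) are my names, and the 32-hex token in the tbi-ping path has no counterpart in the registry section, so it is only carried through.

```python
"""Extracting tracking identifiers from the installer beacons (added example)."""
import re
from urllib.parse import urlsplit, parse_qsl

# The four URLs recorded in the report, with hxxp restored to http.
BEACONS = [
    "http://d2rx3wo6u6259k.cloudfront.net/installer-run/4433e0bcf600ea79ca332930e87765a0/pc2985725:4433e0bcf600ea79ca332930e87765a0/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779",
    "http://d2rx3wo6u6259k.cloudfront.net/tbi-ping/4433e0bcf600ea79ca332930e87765a0/5cc36c09d3851c4f9c6368cf0331e90b/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779",
    "http://www.installping5.info/tbi-ping/4433e0bcf600ea79ca332930e87765a0/5cc36c09d3851c4f9c6368cf0331e90b/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779",
    "http://www.installping5.info/installer-run/4433e0bcf600ea79ca332930e87765a0/pc2985725:4433e0bcf600ea79ca332930e87765a0/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779",
]

# Values recorded under HKLM\SOFTWARE\Deal-Dropper, and the "38902" product key
# under HKLM\SOFTWARE, in the registry section of the report.
REG_SYSTEM_ID = "4433e0bcf600ea79ca332930e87765a0"
REG_ZONE_ID = "446810"
REG_PID = "1779"
REG_PRODUCT = "38902"

# The two event types seen in the capture, each followed by a 32-hex system id.
BEACON_PATH_RE = re.compile(r"^/(installer-run|tbi-ping)/[0-9a-f]{32}/")


def is_beacon(url: str) -> bool:
    """Cheap URL-level match usable as a proxy-log filter."""
    return bool(BEACON_PATH_RE.match(urlsplit(url).path))


def parse_beacon(url: str) -> dict:
    """Split /<event>/<system_id>/<token>/<channel>/<zone>/?query into fields.
    Repeated query keys (pid occurs twice) are kept as lists, in order."""
    u = urlsplit(url)
    segs = [s for s in u.path.split("/") if s]
    if len(segs) < 5:
        raise ValueError(f"unexpected beacon path: {u.path}")
    event, system_id, token, channel, zone = segs[:5]
    query: dict = {}
    for key, value in parse_qsl(u.query, keep_blank_values=True):
        query.setdefault(key, []).append(value)
    return {"host": u.hostname, "event": event, "system_id": system_id,
            "token": token, "channel": channel, "zone": zone, "query": query}


def correlate(url: str) -> list:
    """Name the registry values from the report that this beacon carries."""
    b = parse_beacon(url)
    hits = []
    if b["system_id"] == REG_SYSTEM_ID:
        hits.append("SystemId")
    if b["zone"] == REG_ZONE_ID and b["query"].get("uzid") == [REG_ZONE_ID]:
        hits.append("ZoneId")
    pids = b["query"].get("pid", [])
    if REG_PRODUCT in pids:
        hits.append("product-id")
    if REG_PID in pids:
        hits.append("PID")
    return hits


if __name__ == "__main__":
    for url in BEACONS + ["http://time.windows.com/"]:
        if is_beacon(url):
            print(urlsplit(url).hostname, parse_beacon(url)["event"], correlate(url))
        else:
            print(urlsplit(url).hostname, "not a beacon")
```

The SystemId is the durable value here: it is stored in HKLM\SOFTWARE\Deal-Dropper and repeated in every beacon path, so it ties proxy-log entries back to a specific install even when the ping hosts or CDN distribution change.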


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /tbi-ping/4433e0bcf600ea79ca332930e87765a0/5cc36c09d3851c4f9c6368cf0331e90b/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: VVV.installping5.info
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
Server: nginx/1.4.5
Date: Sat, 24 May 2014 06:42:12 GMT
X-Powered-By: PHP/5.3.3
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 24 May 2014 06:42:12 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
X-Cache: Miss from cloudfront
Via: 1.1 f96185b1d69d6f85635bc2b5554da639.cloudfront.net (CloudFront)
X-Amz-Cf-Id: wVA018OHhrkU8n9Y3TddN8Bs4yB4OqfQV-QIpUVq5vYwbxV1l97e2w==


GET /installer-run/4433e0bcf600ea79ca332930e87765a0/pc2985725:4433e0bcf600ea79ca332930e87765a0/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: VVV.installping5.info
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Content-Type: text/html; charset=iso-8859-1
Content-Length: 386
Connection: keep-alive
Server: nginx/1.4.5
Date: Sat, 24 May 2014 06:42:03 GMT
X-Cache: Error from cloudfront
Via: 1.1 e4438a14707a01f6102dc21875d75080.cloudfront.net (CloudFront)
X-Amz-Cf-Id: EyswnoY8I1J9gAEvWxNr0AQr3huYvWmBBXe2efMxvMeduQqaQcn7wg==
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /installer-run/4433e0bcf600ea79ca332930e87765a0/pc2985725:4433e0bcf600ea79ca332930e87765a0/xriderexe/446810/ was not found on this server.</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at gameplaylabs.com Port 80</address>
</body></html>

<<< skipped >>>

The program connects to the servers at the following location(s):

wuauclt.exe_2068:

.text
`.data
.rsrc
@.reloc
wuauclt.pdb
GetProcessHeap
KERNEL32.dll
_wcmdln
_amsg_exit
msvcrt.dll
ntdll.dll
ole32.dll
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
USER32.dll
OLEAUT32.dll
SHLWAPI.dll
version="6.0.0.0"
name="Microsoft.Windows.windowsupdate.wuauclt"
true
name="Microsoft.Windows.Common-Controls"
publicKeyToken="6595b64144ccf1df"
wuaueng.dll
Error: 0xx. wuauclt handler: failed to spawn COM server
Error: 0xx. wuauclt handler: failed to load wuaueng
/ReportNow
/ShowWindowsUpdate
/CloseWindowsUpdate
wuauclt.exe failed to get proc address for UI export object with error %#lx
Failed to load %s with error %X
wucltui.dll
wucltux.dll
call RunAUClientUI on wucltui.dll/wucltux.dll
Ntdll.dll
WuSqm %ls session datapoint (id:%d) is incremented with dword %d.
wuauclt.exe is exiting with code 0xX
wuauclt.exe launched with command line %s
kernel32.dll
WUWeb
Report
7.6.7600.256
Global\WindowsUpdateTracingMutex
WindowsUpdate.log
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace
Windows
shell32.dll
%s: %s [
%s: %s
%s\%s
= Module: %s
= Module: 
= Process: %s
= Process: 
=========== Logging initialized (build: %s, tz: %s) ===========
wups2.dll
wups.dll
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup\
%hs %ls page "%ls", hr=%X
Microsoft.WindowsUpdate
wupdmgr.exe
Failed to cocreate IShellWindows, error = 0xlX
Failed to obtain window doc for window %d, error = 0xlX
Failed to obtain folder view for window %d, error = 0xlX
Failed to obtain folder IPersist for window %d, error = 0xlX
Window %d is NOT a WU window
Done enumerating windows
Quit for window %d failed: 0xlX
Window %d is a WU window. Attempting to close
Failed to obtain class ID for window %d, error = 0xlX
Got NULL disp interface for window %d
Got %d instead of VT_DISPATCH for window %d
Failed to obtain IWebBrowserApp for window %d, error = 0xlX
Failed to enumerate window %d, error = 0xlX
Found %d explorer windows
Closing WU explorer windows
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\VolatileData
WUAppNotificationWindows
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired\Mandatory
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\PostRebootReporting
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending\
%chdhd
hd-hd-hd%chd:hd:hd:hd
%WinDir%
Windows Update
7.6.7600.256 (winmain_wtr_wsus3sp2(oobla).120602-1459)
wuauclt.exe
Windows
Operating System

bservice.exe_2108:

.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
D:\WORK\mercurial\50onred\misc\ChromeHook\Release\bservice.pdb
KERNEL32.dll
SetWindowsHookExW
UnhookWindowsHookEx
USER32.dll
SHLWAPI.dll
GetProcessHeap
GetCPInfo
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
bhelper.dll
kGlobal\{4B5DC379-ED06-4552-A736-414A1570C24F}_bhelper_mutex0
%Program Files%\Bench\BService\bservice.exe

wd.exe_3132:

.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
D:\WORK\mercurial\50onred\misc\Watchdog\Release\wd.pdb
KERNEL32.dll
USER32.dll
ShellExecuteW
SHELL32.dll
GetProcessHeap
GetCPInfo
kernel32.dll
%d.%d.%d%s %s
%PROGRAMFILES%\Bench\BService\bservice.exe
bservice.exe
Global\{4B5DC379-ED06-4552-A736-414A1570C24F}_watchdog_mutex0
KERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
%Program Files%\Bench\Wd\wd.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    net1.exe:1692
    FrameworkEngine.exe:3632
    storageedit.exe:4076
    net.exe:1932
    gpedit.exe:3428
    Updater.exe:1368
    regsvr32.exe:548
    regsvr32.exe:2216
    regsvr32.exe:2228
    %original file name%.exe:3848
    cscript.exe:2964
    cscript.exe:1224
    cscript.exe:600
    cscript.exe:1188
    cscript.exe:1080
    cscript.exe:4004
    cscript.exe:1364
    cscript.exe:2180
    cscript.exe:492
    updater.exe:1200
    updater.exe:208
    updater.exe:2796
    updater.exe:232
    msfeedssync.exe:2192

  2. Delete the original program file.
  3. Delete or disinfect the following files created/modified by the program:

    %System%\GroupPolicy\gpt.ini (315 bytes)
    %System%\GroupPolicy\Machine\Registry.pol (1192 bytes)
    %WinDir%\Tasks\bench-sys.job (328 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\contentNotificationStyle.tmpl (3 bytes)
    %Program Files%\Deal-Dropper\framework\backgroundscript_engine.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\notifications.js (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\timer.js (977 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ping.js (382 bytes)
    %Program Files%\Deal-Dropper\framework\storage.js (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\SoftwareDetector.exe (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\repair.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\install.rdf (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\browser_button.js (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\common.js (12 bytes)
    %Program Files%\Deal-Dropper\framework\initialize.js (316 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\migrate.js (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_settings.js (83 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns33.tmp (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst28.tmp (74961 bytes)
    %Program Files%\Deal-Dropper\CanvasFramework\canvas_bg.js (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\CanvasFramework\canvas_bg.js (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\uninstall.exe (3471 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\icon.ico (784 bytes)
    %Program Files%\Deal-Dropper\icons\icon128.png (3 bytes)
    %Program Files%\Deal-Dropper\framework-ui\theme\bubble\top-right.png (308 bytes)
    %Program Files%\Bench\Updater\updater.exe (2392 bytes)
    %Program Files%\Bench\NmHost\manifest.json (117 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\projectInstaller.js (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\storage.js (6 bytes)
    %Program Files%\Deal-Dropper\AppFramework\appAPI_bg.js (2 bytes)
    %Program Files%\Deal-Dropper\FrameworkBHO64.dll (16944 bytes)
    %Program Files%\Deal-Dropper\framework-ui\theme\bubble\bottom-middle.png (240 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox_installer.js (6 bytes)
    %Program Files%\Deal-Dropper\AppFramework\appAPI_browseraction.js (799 bytes)
    %Program Files%\Deal-Dropper\framework\userscript_client.js (310 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2B.tmp (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\browser.js (12 bytes)
    %Program Files%\Deal-Dropper\AppFramework\jquery.min.js (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\console.js (540 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\options.js (934 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\contentNotification.tmpl (836 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsz2C.tmp (278 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\bootstrap.js (2 bytes)
    %Program Files%\Deal-Dropper\framework-ui\notification.html (6 bytes)
    %Program Files%\Deal-Dropper\FrameworkEngine.exe (11048 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\icons\icon128.png (3 bytes)
    %Program Files%\Deal-Dropper\icons\icon100.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_common.js (9 bytes)
    %Program Files%\Deal-Dropper\CanvasFramework\webrequest.js (4 bytes)
    %Program Files%\Deal-Dropper\framework-ui\ui_base.js (1 bytes)
    %Program Files%\Deal-Dropper\framework-ui\theme\bubble\tail-left.png (307 bytes)
    %Program Files%\Deal-Dropper\background.html (157 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_bg.js (2 bytes)
    %Program Files%\Deal-Dropper\CanvasFramework\registry.js (908 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_browseraction.js (799 bytes)
    %Program Files%\Bench\BService\bhelper.dll (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\ui_base.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\io.js (976 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_content.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\utils.js (2 bytes)
    %Program Files%\Deal-Dropper\framework-ui\framework_api.js (1 bytes)
    %Program Files%\Deal-Dropper\icons\icon48.png (1 bytes)
    %Program Files%\Deal-Dropper\framework-ui\theme\bubble\middle-right.png (234 bytes)
    %Program Files%\Deal-Dropper\framework\timer.js (409 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\base.js (2 bytes)
    %Program Files%\Deal-Dropper\framework-ui\theme\bubble\middle-left.png (235 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\sqlite3.exe (33888 bytes)
    %Program Files%\Deal-Dropper\framework\i18n.js (1 bytes)
    %Program Files%\Deal-Dropper\framework\userscript_engine.js (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_webrequest.js (138 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2A.tmp (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns30.tmp (8 bytes)
    %Program Files%\Deal-Dropper\framework\lang.js (1 bytes)
    %Program Files%\Deal-Dropper\framework\messaging.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\CanvasFramework\webrequest.js (5 bytes)
    %Program Files%\Deal-Dropper\framework\base.js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\lang.js (3 bytes)
    %Program Files%\Deal-Dropper\framework-ui\notifications.js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\chrome_gp_update.js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\main_installer.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\extension_info.json (1 bytes)
    %Program Files%\Deal-Dropper\framework\global.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\jquery.min.js (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\invoke_async.js (2 bytes)
    %Program Files%\Deal-Dropper\framework\invoke_async.js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsExec.dll (8 bytes)
    %Program Files%\Deal-Dropper\framework-ui\context_menu.js (738 bytes)
    %Program Files%\Deal-Dropper\framework\console.js (489 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns31.tmp (8 bytes)
    %Program Files%\Deal-Dropper\framework\legacy.js (1 bytes)
    %Program Files%\Deal-Dropper\AppFramework\appAPI_webrequest.js (138 bytes)
    %Program Files%\Deal-Dropper\framework-ui\theme\bubble\tail-top.png (315 bytes)
    %Program Files%\Deal-Dropper\framework-ui\theme\bubble\top-left.png (310 bytes)
    %Program Files%\Deal-Dropper\framework\xhr.js (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\info.xml (351 bytes)
    %Program Files%\Deal-Dropper\framework-ui\browser_button.js (5 bytes)
    %Program Files%\Deal-Dropper\AppFramework\appAPI_content.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\xhr.js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\framework.js (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\userscript_engine.js (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\gpedit.exe (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns32.tmp (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\message_target.js (854 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\legacy.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\chrome_installer.js (5 bytes)
    %Program Files%\Deal-Dropper\framework\io.js (1 bytes)
    %Program Files%\Deal-Dropper\CanvasFramework\canvasscript_engine.js (437 bytes)
    %Program Files%\Deal-Dropper\config.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\background.html (157 bytes)
    %Program Files%\Deal-Dropper\AppFramework\appAPI_common.js (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\content_notifications.js (9 bytes)
    %Program Files%\Deal-Dropper\CanvasFramework\md5.js (3 bytes)
    %Program Files%\Deal-Dropper\framework-ui\theme\bubble\top-middle.png (240 bytes)
    %Program Files%\Bench\NmHost\nmhost.exe (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\content_proxy.js (502 bytes)
    %Program Files%\Deal-Dropper\framework\updater.js (2 bytes)
    %Program Files%\Deal-Dropper\icons\icon32.png (1 bytes)
    %Program Files%\Deal-Dropper\framework\utils.js (2 bytes)
    %Program Files%\Deal-Dropper\extension_info.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsProcess2.dll (1552 bytes)
    %Program Files%\Deal-Dropper\AppFramework\appAPI_settings.js (83 bytes)
    %Program Files%\Deal-Dropper\framework\browser.js (11 bytes)
    %Program Files%\Bench\BService\bservice.exe (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns34.tmp (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\CanvasFramework\md5.js (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\icons\icon100.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\backgroundscript_engine.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\userscript_client.js (310 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\framework_api.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\i18n.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2E.tmp (8 bytes)
    %Program Files%\Deal-Dropper\FrameworkBHO.dll (13584 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\CanvasFramework\canvasscript_engine.js (437 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2F.tmp (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\icons\icon32.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\md5dll.dll (6 bytes)
    %Program Files%\Deal-Dropper\framework-ui\theme\bubble\tail-right.png (304 bytes)
    %Program Files%\Bench\Wd\wd.exe (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\uninstall.js (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\chrome.manifest (57 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\chrome_windows.js (2 bytes)
    %Program Files%\Deal-Dropper\framework\message_target.js (854 bytes)
    %Program Files%\Deal-Dropper\framework-ui\theme\bubble\bottom-left.png (316 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns35.tmp (8 bytes)
    %Program Files%\Deal-Dropper\framework\json2.js (2 bytes)
    %Program Files%\Deal-Dropper\icons\button.png (602 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\System.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsProcess.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\messaging.js (1 bytes)
    %Program Files%\Deal-Dropper\framework-ui\context_menu_item_handler.html (225 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\icons\icon48.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\context_menu.js (2 bytes)
    %Program Files%\Deal-Dropper\framework\framework.js (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp2D.tmp (603 bytes)
    %Program Files%\Deal-Dropper\framework-ui\options.js (660 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\ie_installer.js (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\icons\button.png (602 bytes)
    %Program Files%\Deal-Dropper\framework-ui\theme\bubble\tail-bottom.png (315 bytes)
    %Program Files%\Deal-Dropper\framework-ui\theme\bubble\bottom-right.png (311 bytes)
    %Program Files%\Bench\Updater\1.7.0.0\updater.exe (14184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\CanvasFramework\registry.js (796 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\storageedit.exe (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\installer.js (774 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\repair_data.json (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon48.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\legacy.js (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\background.html (157 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\button.png (602 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\xhr.js (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\canvas_bg.js (5 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon128.png (3 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\content_proxy.js (502 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\backgroundscript_engine.js (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_settings.js (83 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\framework.js (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_bg.js (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\browser.js (12 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\framework_api.js (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions.json (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\timer.js (977 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\contentNotification.tmpl (836 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\webrequest.js (5 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\storage.js (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\registry.js (796 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\content_notifications.js (9 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\options.js (934 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\canvasscript_engine.js (437 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_content.js (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\extension_info.json (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\utils.js (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\userscript_client.js (310 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon32.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\i18n.js (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\chrome_windows.js (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\lang.js (3 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\contentNotificationStyle.tmpl (3 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\jquery.min.js (601 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\messaging.js (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\chrome.manifest (57 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\context_menu.js (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\md5.js (3 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\invoke_async.js (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon100.png (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\uninstall.js (73 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\bootstrap.js (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\io.js (976 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\notifications.js (3 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\browser_button.js (9 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\ui_base.js (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\userscript_engine.js (3 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\install.rdf (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\console.js (540 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_browseraction.js (799 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\base.js (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\message_target.js (854 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_common.js (9 bytes)
    %Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_webrequest.js (138 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\pz_info (386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences (106 bytes)
    %Program Files%\Bench\NmHost\data\installer\epjpfmkiegfpfhiaohimeiamofnpdkgj (955 bytes)
    %System%\drivers\etc\hosts (781 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\BenchUpdater\products.xml (497 bytes)
    %Program Files%\Bench\Updater\products.xml (435 bytes)
    %WinDir%\Tasks\bench-S-1-5-21-1844237615-1960408961-1801674531-1003.job (326 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms (3114 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\Internet Explorer Suggested Sites~.feed-ms (1080 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\SuggestedSites.dat (4 bytes)
    %WinDir%\Tasks\User_Feed_Synchronization-{414D0F7C-B684-437B-B53E-8AB5AE32E070}.job (416 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Deal-Dropper" = ""

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BService" = "%Program Files%\Bench\BService\bservice.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Deal-Dropper-repairJob" = "wscript.exe %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\repair.js Deal-Dropper-repairJob"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WD" = "%Program Files%\Bench\Wd\wd.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
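The registry values in step 4 and the scheduled-task file and hosts entry from the file list above can be checked and removed with the script below. It is an added example for this page, not part of the Lavasoft description or of any vendor tool, and it assumes the value data still matches the paths the page reports; a same-named value with different data is reported, not deleted, so a legitimate entry is not removed by accident. The SID in the `bench-S-1-5-21-…job` file name is machine-specific, so the script matches on the prefix. Run it from an elevated PowerShell prompt after the processes listed earlier have been stopped and the files in step 3 deleted.

```powershell
# Added example (not from the Lavasoft page): verify and remove the Deal-Dropper / Bench
# autorun values from step 4, the bench-*.job scheduled-task file, and list hosts-file
# entries for review. Assumes the value data still matches the paths shown on the page.
$ErrorActionPreference = 'Stop'

$run     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runOnce = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

# Value name -> regex the value's data must match before it is deleted.
$targets = @(
    @{ Key = $runOnce; Name = 'Deal-Dropper';           Pattern = '^$' },                        # empty data on the page
    @{ Key = $runOnce; Name = 'Deal-Dropper-repairJob'; Pattern = 'Deal-Dropper\\repair\.js' },
    @{ Key = $run;     Name = 'BService';               Pattern = 'Bench\\BService\\bservice\.exe$' },
    @{ Key = $run;     Name = 'WD';                     Pattern = 'Bench\\Wd\\wd\.exe$' }
)

foreach ($t in $targets) {
    $props = Get-ItemProperty -Path $t.Key -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains $t.Name)) {
        Write-Host "absent : $($t.Key)\$($t.Name)"
        continue
    }
    $data = [string]$props.($t.Name)
    if ($data -match $t.Pattern) {
        Remove-ItemProperty -Path $t.Key -Name $t.Name
        Write-Host "removed: $($t.Key)\$($t.Name) = '$data'"
    } else {
        # Same name but unexpected data: leave it and let the operator decide.
        Write-Warning "kept   : $($t.Key)\$($t.Name) has unexpected data '$data'; inspect manually"
    }
}

# Scheduled-task job file; the SID in the page's file name is per-machine, so match the prefix.
Get-ChildItem -Path (Join-Path $env:windir 'Tasks') -Filter 'bench-S-1-5-21-*.job' -ErrorAction SilentlyContinue |
    ForEach-Object { Remove-Item -Path $_.FullName; Write-Host "removed: $($_.FullName)" }

# The hosts file was rewritten (781 bytes on the page) but its contents are not shown, so list
# every non-comment line other than the default localhost mapping for manual review instead
# of restoring blindly.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hosts |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
    ForEach-Object { Write-Host "hosts  : $_" }
```

The data-match check is the point of the script: deleting a `Run` value by name alone is how unrelated software gets broken during manual cleanups, and reporting the hosts lines rather than overwriting the file keeps any legitimate local mappings intact.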
