MemScan.Application.Bundler.Outbrowse.E_c3de5b7159
MemScan:Application.Bundler.Outbrowse.E (AdAware), Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: c3de5b7159f4329d2a54bc4d17a69272
SHA1: ae860389d7535e02aa70f063fca349dcf4acd74c
SHA256: 500349a1fc9bf8edd041c4a0419754eec12a47d4730a78e084307503d241b067
SSDeep: 24576:LNBIojYmkcdOgilOk/ROJBzZItQP8FIQ/rSQaN0ToNVZ/oT:UO4cAleBVIuPQIiHaGT VZ/oT
Size: 1168081 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AirInstaller
Created at: 2013-12-01 10:08:23
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The MemScan creates the following process(es):
wmic.exe:2128
6_Offer_5.exe:2432
MSASCuix86.exe:2072
%original file name%.exe:944
regedit.exe:2064
The MemScan injects its code into the following process(es):
Setup.exe:2500
ins.exe:2096
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process wmic.exe:2128 makes changes in the file system.
The MemScan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (238 bytes)
The MemScan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (0 bytes)
The process 6_Offer_5.exe:2432 makes changes in the file system.
The MemScan creates and/or writes to the following file(s):
C:\16e02c320a655cf2cb3a1e8b57f92e\1033\eula.rtf (4 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\SetupEngine.dll (7173 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1030\eula.rtf (5 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1028\eula.rtf (9 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\SysReqMet.ico (1 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1049\LocalizedData.xml (826 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\SysReqNotMet.ico (1 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1029\SetupResources.dll (809 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1042\LocalizedData.xml (463 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\DisplayIcon.ico (875 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1046\LocalizedData.xml (833 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1041\LocalizedData.xml (596 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1033\LocalizedData.xml (211 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\SplashScreen.bmp (41 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\Rotate6.ico (894 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1028\LocalizedData.xml (282 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\Rotate2.ico (894 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\watermark.bmp (1212 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\Rotate5.ico (894 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1032\SetupResources.dll (639 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1031\LocalizedData.xml (154 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\Rotate1.ico (894 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1035\eula.rtf (5 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\SetupUi.dll (2323 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\header.bmp (3 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\3082\eula.rtf (5 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1042\SetupResources.dll (538 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\3082\SetupResources.dll (30 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1025\LocalizedData.xml (883 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1045\eula.rtf (830 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\Rotate8.ico (894 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1055\eula.rtf (6 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1043\eula.rtf (5 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\Print.ico (1 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1044\LocalizedData.xml (616 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1043\SetupResources.dll (30 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1041\eula.rtf (15 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1038\SetupResources.dll (722 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\Rotate3.ico (894 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1045\LocalizedData.xml (423 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1040\SetupResources.dll (751 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1032\eula.rtf (15 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1030\LocalizedData.xml (640 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1040\LocalizedData.xml (670 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1055\SetupResources.dll (531 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\2070\eula.rtf (6 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\3082\LocalizedData.xml (593 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1038\LocalizedData.xml (925 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1043\LocalizedData.xml (105 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1040\eula.rtf (5 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\Save.ico (1 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1041\SetupResources.dll (26 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\Rotate7.ico (894 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1044\eula.rtf (4 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1025\eula.rtf (332 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1033\SetupResources.dll (28 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1053\SetupResources.dll (29 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\sqmapi.dll (1059 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1045\SetupResources.dll (29 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1053\LocalizedData.xml (274 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\SetupUtility.exe (1429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dd_6_Offer_5_decompression_log.txt (2292 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1053\eula.rtf (5 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\2052\SetupResources.dll (24 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1025\SetupResources.dll (663 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\stop.ico (10 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1035\SetupResources.dll (29 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1029\eula.rtf (6 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1049\eula.rtf (16 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1046\eula.rtf (5 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1030\SetupResources.dll (29 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1037\eula.rtf (11 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\2052\eula.rtf (9 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\SetupUi.xsd (30 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\2070\LocalizedData.xml (232 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Setup.exe (498 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\DHtmlHeader.html (16 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1055\LocalizedData.xml (1153 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1037\LocalizedData.xml (524 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1032\LocalizedData.xml (655 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1042\eula.rtf (14 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1038\eula.rtf (210 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1036\eula.rtf (5 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1049\SetupResources.dll (29 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1036\SetupResources.dll (30 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1035\LocalizedData.xml (287 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Strings.xml (14 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1031\SetupResources.dll (805 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1028\SetupResources.dll (25 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1029\LocalizedData.xml (538 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\ParameterInfo.xml (10589 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1044\SetupResources.dll (842 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\2052\LocalizedData.xml (658 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1031\eula.rtf (5 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\2070\SetupResources.dll (29 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\Rotate4.ico (894 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\Setup.ico (394 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1046\SetupResources.dll (693 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1037\SetupResources.dll (143 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1036\LocalizedData.xml (748 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\UiInfo.xml (963 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\warn.ico (10 bytes)
The MemScan deletes the following file(s):
C:\6a3e7fea-5f14-4e27-b052-47c2070e4403 (0 bytes)
The process MSASCuix86.exe:2072 makes changes in the file system.
The MemScan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ins.exe (148088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2.tmp\Convert1.dll (4656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ins.dat (25991 bytes)
The MemScan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ins.dat (0 bytes)
The ns*.tmp scratch directories under %Temp% and the plugin DLL extracted into one of them are the footprint of an NSIS installer, which matches the Trojan.NSIS.* detection name; MSASCuix86.exe is the NSIS stage that unpacks ins.exe and ins.dat.
The process %original file name%.exe:944 makes changes in the file system.
The MemScan creates and/or writes to the following file(s):
%Program Files%\Windows Defender\MSASCui.bat (638 bytes)
%Program Files%\Windows Defender\malware-def.reg (660 bytes)
%Program Files%\Windows Defender\MSASCuix86.exe (6428 bytes)
The MemScan deletes the following file(s):
%Program Files%\Windows Defender\__tmp_rar_sfx_access_check_275828 (0 bytes)
The zero-byte __tmp_rar_sfx_access_check_* file is the write-access probe that a WinRAR self-extracting (SFX) archive creates and removes in its destination directory, so the outer sample is a RAR SFX stub. It unpacks into the Windows Defender directory under names chosen to resemble the legitimate Windows Defender user-interface binary, MSASCui.exe.
The process Setup.exe:2500 makes changes in the file system.
The MemScan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Setup_20140726_045838466.html (194950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFI4.tmp.html (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Microsoft .NET Framework 4.5.1 Setup_20140726_045839779.html (448258 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Setup_2014072 (404 bytes)
The MemScan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\HFI3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFI5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFI4.tmp (0 bytes)
The hex-named directory under C:\ holding SetupEngine.dll, SetupUi.dll, sqmapi.dll, ParameterInfo.xml and per-locale eula.rtf/LocalizedData.xml files, together with the log name "Microsoft .NET Framework 4.5.1 Setup_<timestamp>.html" written by Setup.exe, is the layout of the Microsoft .NET Framework 4.5.1 setup package. 6_Offer_5.exe (the downloaded Setup_product_6761.exe, same MD5 in the dropped-PE table) therefore carries the .NET Framework setup chainer; the report does not verify the package's signature, so treat it as unverified rather than as the Microsoft original.
The process ins.exe:2096 makes changes in the file system.
The MemScan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXEJSTYF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXEJSTYF\bottomLine[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W9ARKTYB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPUZC96J\jquery-ui.min[1].js (16411 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W9ARKTYB\ui-bg_inset-hard_100_fcfdfd_1x100[1].png (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXEJSTYF\jquery-ui[1].css (860 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GD2FCHQJ\topComp[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXEJSTYF\jquery-ui-1.8.19.custom[1].css (10277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPUZC96J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPUZC96J\bgImg[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W9ARKTYB\jquery.min[1].js (6604 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GD2FCHQJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W9ARKTYB\ui-bg_gloss-wave_75_2191c0_500x100[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GD2FCHQJ\Setup_product_6761[1].exe (209330 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W9ARKTYB\topLine[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GD2FCHQJ\DynamicOfferScreen[1].htm (1517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6_Offer_5.exe (160504 bytes)
The MemScan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (0 bytes)
Registry activity
The process wmic.exe:2128 makes changes in the system registry.
The MemScan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 6D C8 3E 1B 45 E3 CB D1 6F A0 E9 08 8C B9 F4"
The process 6_Offer_5.exe:2432 makes changes in the system registry.
The MemScan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 66 F1 38 11 36 BC CA B0 F0 A8 FE 49 C2 62 E1"
The process MSASCuix86.exe:2072 makes changes in the system registry.
The MemScan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 A1 C9 38 65 4A 8D 5C 33 C7 47 08 69 2B 1D A7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:944 makes changes in the system registry.
The MemScan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 E8 22 F2 0A 1D E2 3C 76 C8 CD 53 AA 29 13 FE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Windows Defender]
"MSASCui.bat" = "MSASCui"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The MemScan writes the three Local intranet zone inclusion switches in IE's ZoneMap (include all local sites not listed in other zones, include all network paths (UNCs), include all sites that bypass the proxy server). A value of 1 is also the default that any program initialising the IE zone subsystem writes, so these entries alone are weak evidence of tampering:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
The process regedit.exe:2064 makes changes in the system registry.
The MemScan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD D5 A1 6A 8D 39 9D A5 B8 3F E5 82 FC F3 C4 87"
To run at each user logon, the MemScan registers the dropped Windows Defender look-alike under both the machine-wide and the per-user Run key (the legitimate Windows Defender user-interface executable is MSASCui.exe; MSASCuix86.exe is the file dropped by the sample):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSASCuix86" = "%Program Files%\Windows Defender\MSASCuix86.exe -s"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MSASCuix86" = "%Program Files%\Windows Defender\MSASCuix86.exe -s"
The process Setup.exe:2500 makes changes in the system registry.
The MemScan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 FD 40 DD C9 1F AE 6B F5 E7 D6 7A 15 00 CE FA"
The process ins.exe:2096 makes changes in the system registry.
The MemScan creates and/or sets the following values in system registry:
[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"
[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ins.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014072620140727]
"CachePrefix" = ":2014072620140727:"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014072620140727]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014072620140727\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}]
"(Default)" = "CBrowserExternal Class"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014072620140727]
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version]
"(Default)" = "1.0"
[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"
[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0]
"(Default)" = "SmartInstallerLib"
[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}]
"(Default)" = "IBrowserExternals"
[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ins.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014072620140727]
"CacheLimit" = "8192"
[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ins.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 6C 67 D3 8D CD 48 3E A4 04 90 5F D0 17 F0 B2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS]
"(Default)" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014072620140727]
"CacheRepair" = "0"
The MemScan writes the three Local intranet zone inclusion switches in IE's ZoneMap (include all local sites not listed in other zones, include all network paths (UNCs), include all sites that bypass the proxy server); 1 is also their default value, written by any program that initialises the IE zone subsystem:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
"IntranetName" = "1"
Proxy settings are disabled (together with the deletion of AutoConfigURL, ProxyServer and ProxyOverride listed below, this leaves WinINet configured for direct connections):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The MemScan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]
The MemScan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
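The registry listing above mixes a few entries that matter with a lot of sandbox noise (RNG seeds, MountPoints2 BaseClass entries, Shell Folders, MUICache). The Python below is an added triage example, not part of the report or of the Lavasoft tool: it parses the report's `[key]` / `"name" = "value"` layout, drops the noise, and flags the items a responder would act on here: Run-key persistence, a COM LocalServer32 registered to an executable in %Temp%, and the ZoneMap intranet switches (reported at low severity because 1 is also their default). The sample text is copied from the listing; the rule names, severities and noise lists are the example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample: registry events copied from this report's listing.
SAMPLE_REPORT = r'''
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSASCuix86" = "%Program Files%\Windows Defender\MSASCuix86.exe -s"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MSASCuix86" = "%Program Files%\Windows Defender\MSASCuix86.exe -s"
[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ins.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD D5 A1 6A 8D 39 9D A5 B8 3F E5 82 FC F3 C4 87"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# Greedy (.*) keeps embedded quotes such as "%CurrentUserName%" inside the value.
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"$')

@dataclass
class Finding:
    severity: str
    rule: str
    key: str
    name: str
    value: str

def parse_registry_events(text):
    """Yield (key, name, value) triples from the report's registry listing."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)

# Sandbox noise (example's own list): written by the OS on behalf of any process.
NOISE_NAMES = {"seed", "baseclass"}
NOISE_KEY_PARTS = ("\\shell folders", "\\muicache", "\\mountpoints2\\")

def is_noise(key, name):
    k = key.lower()
    return name.lower() in NOISE_NAMES or any(p in k for p in NOISE_KEY_PARTS)

ZONEMAP_FLAGS = {"intranetname", "uncasintranet", "proxybypass"}

def classify(key, name, value):
    k, n, v = key.lower(), name.lower(), value.lower()
    if k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
        return Finding("high", "autorun-persistence", key, name, value)
    if k.endswith("\\localserver32") or k.endswith("\\inprocserver32"):
        # A COM server whose binary lives in a temp directory is a red flag.
        if "\\temp\\" in v:
            return Finding("high", "com-server-from-temp", key, name, value)
    if k.endswith("\\internet settings\\zonemap") and n in ZONEMAP_FLAGS:
        return Finding("low", "ie-intranet-zone-scope", key, name, value)
    return None

def triage(text):
    """Return the actionable findings from a report's registry section."""
    findings = []
    for key, name, value in parse_registry_events(text):
        if is_noise(key, name):
            continue
        f = classify(key, name, value)
        if f:
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.severity:4} {f.rule:24} {f.name} -> {f.value}")
```

Run it over the whole registry section and the output lists only the two Run entries, the LocalServer32 registrations pointing at %Temp%\ins.exe, and the zone switches; everything else in the listing is dropped as noise.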
Dropped PE files
| MD5 | File path |
|---|---|
| 38526d8c73c2d45f45569d6779f664b3 | c:\16e02c320a655cf2cb3a1e8b57f92e\1025\SetupResources.dll |
| 76c7817f8de484b5c1eb1b9017507a89 | c:\16e02c320a655cf2cb3a1e8b57f92e\1028\SetupResources.dll |
| 1b371018bce419ade19671638b5c2165 | c:\16e02c320a655cf2cb3a1e8b57f92e\1029\SetupResources.dll |
| c11cc38139792f9f3fbf592c5c177f78 | c:\16e02c320a655cf2cb3a1e8b57f92e\1030\SetupResources.dll |
| d2b9d59949f07283212dd20a0687f937 | c:\16e02c320a655cf2cb3a1e8b57f92e\1031\SetupResources.dll |
| 1aff229d9ba311eab520275947d67450 | c:\16e02c320a655cf2cb3a1e8b57f92e\1032\SetupResources.dll |
| ff75a900a93fe5b559ad5bb85844fba2 | c:\16e02c320a655cf2cb3a1e8b57f92e\1033\SetupResources.dll |
| c7db148edcb6ae144452db3eb8f36cd4 | c:\16e02c320a655cf2cb3a1e8b57f92e\1035\SetupResources.dll |
| e02fe9c07fb8d379f3863677b9c0598b | c:\16e02c320a655cf2cb3a1e8b57f92e\1036\SetupResources.dll |
| 608b7e148de003331f33c2de7c185c58 | c:\16e02c320a655cf2cb3a1e8b57f92e\1037\SetupResources.dll |
| c3ea47f91d08d0b6824e6807d436bee8 | c:\16e02c320a655cf2cb3a1e8b57f92e\1038\SetupResources.dll |
| 4eec0d923736655dce6d49585923d0ca | c:\16e02c320a655cf2cb3a1e8b57f92e\1040\SetupResources.dll |
| d53c363e304785860808886fbee28d66 | c:\16e02c320a655cf2cb3a1e8b57f92e\1041\SetupResources.dll |
| 828365808a7b72895708e00fa0c2ddec | c:\16e02c320a655cf2cb3a1e8b57f92e\1042\SetupResources.dll |
| 7bb1e88d59601f58dd3556e641e30a22 | c:\16e02c320a655cf2cb3a1e8b57f92e\1043\SetupResources.dll |
| 24bbcd9053f8a694fa283c781609ba6b | c:\16e02c320a655cf2cb3a1e8b57f92e\1044\SetupResources.dll |
| 6727d9f60a7bce4e876c60ff870af2d4 | c:\16e02c320a655cf2cb3a1e8b57f92e\1045\SetupResources.dll |
| 290862fd1dde56ac3328ff5f1842f09b | c:\16e02c320a655cf2cb3a1e8b57f92e\1046\SetupResources.dll |
| 3be6d24fc3814b1dabc43a6277f9f2f6 | c:\16e02c320a655cf2cb3a1e8b57f92e\1049\SetupResources.dll |
| c6ebc7dc84b2f7ff5f6f6982f7aedd59 | c:\16e02c320a655cf2cb3a1e8b57f92e\1053\SetupResources.dll |
| 56b184e7e9bf0829d65d35009801cfa9 | c:\16e02c320a655cf2cb3a1e8b57f92e\1055\SetupResources.dll |
| 41c4d55395d6508663074b95f11dd5c0 | c:\16e02c320a655cf2cb3a1e8b57f92e\2052\SetupResources.dll |
| 6d8e1466e0c8911bb6a0ab5efb7b396f | c:\16e02c320a655cf2cb3a1e8b57f92e\2070\SetupResources.dll |
| 2a74b3afd16ee7f379b8a2f613dd1978 | c:\16e02c320a655cf2cb3a1e8b57f92e\3082\SetupResources.dll |
| 1da103f2cf6bbf961ff51e8a1c01c725 | c:\16e02c320a655cf2cb3a1e8b57f92e\Setup.exe |
| 5b9d9c13ca9c6b7ee1d359bf21c810db | c:\16e02c320a655cf2cb3a1e8b57f92e\SetupEngine.dll |
| d30752d61408c87c8e3aa42330c5556f | c:\16e02c320a655cf2cb3a1e8b57f92e\SetupUi.dll |
| 3dde1e8c61f96df3505b8a010d7c61ac | c:\16e02c320a655cf2cb3a1e8b57f92e\SetupUtility.exe |
| d475bbd6fef8db2dde0da7ccfd2c9042 | c:\16e02c320a655cf2cb3a1e8b57f92e\sqmapi.dll |
| 24281f84c5521204e4454207f3becf96 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\6_Offer_5.exe |
| f0a022cb25a69b54d9da803815848ff1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ins.exe |
| 9c4ae1dfce62915891855bbca9deaa13 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsl2.tmp\Convert1.dll |
| 24281f84c5521204e4454207f3becf96 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\GD2FCHQJ\Setup_product_6761[1].exe |
| 6f7ea5e3601350ad7d5fb6f0d7b64de6 | c:\Program Files\Windows Defender\MSASCuix86.exe |
The MD5 24281f84c5521204e4454207f3becf96 appears twice, for Setup_product_6761[1].exe in the IE cache and for %Temp%\6_Offer_5.exe, so the process 6_Offer_5.exe:2432 is the file fetched over HTTP from dl.revenyou.com / dlrevenyou.outbrowse.netdna-cdn.com, not something unpacked from the original sample.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 152808 | 153088 | 4.64164 | 22ced87f8cfbeec19f10ea768b9f5033 |
| .rdata | 159744 | 20275 | 20480 | 3.68225 | 9aea8072fe8459f1fb075382c5799ef0 |
| .data | 180224 | 136672 | 5120 | 1.76573 | 5aafebbc10957e661762e0e7fadc057b |
| .rsrc | 319488 | 17962 | 18432 | 3.23141 | 29230ade1122c629437ac2648189aa66 |
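The table gives only section sizes and per-section entropy, but with the file size it already supports one conclusion: the four sections account for roughly 197 KB of a 1,168,081-byte file, so most of the sample is an overlay appended after the last section, which is where a WinRAR SFX stub keeps its archive, and the file-level "Packed" entropy verdict comes from that overlay rather than from the sections (all below 5 bits per byte). The Python below is an added example, not part of the report or of Lavasoft's tooling; because the report lists no raw offsets, it assumes the PE headers occupy one 1024-byte file-alignment block (`HEADER_SIZE`).

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float

# Values copied from the PE Sections table of this report.
SECTIONS = [
    Section(".text", 4096, 152808, 153088, 4.64164),
    Section(".rdata", 159744, 20275, 20480, 3.68225),
    Section(".data", 180224, 136672, 5120, 1.76573),
    Section(".rsrc", 319488, 17962, 18432, 3.23141),
]
FILE_SIZE = 1168081  # "Size" field of the report

# Assumption: the report gives no raw offsets, so the headers are taken to fill
# one file-alignment block of 1024 bytes, the usual layout for a 4-section PE.
HEADER_SIZE = 1024

def file_alignment(sections):
    """Largest power of two dividing every raw size (512 for this sample)."""
    g = 0
    for s in sections:
        g = math.gcd(g, s.raw_size)
    return g & -g  # lowest set bit of the gcd

def overlay_size(sections, file_size, header_size=HEADER_SIZE):
    """Bytes that follow the last section's raw data. A RAR SFX or NSIS stub
    keeps its archive there, which is why the file looks packed while no
    section does."""
    return file_size - (header_size + sum(s.raw_size for s in sections))

def packing_assessment(sections, file_size):
    overlay = overlay_size(sections, file_size)
    max_entropy = max(s.entropy for s in sections)
    # A virtual size far above the raw size is .bss-style uninitialised data,
    # normal for a compiler-built stub and not a packer indicator by itself.
    bss_like = [s.name for s in sections if s.virtual_size > 4 * s.raw_size]
    return {
        "file_alignment": file_alignment(sections),
        "overlay_bytes": overlay,
        "overlay_fraction": round(overlay / file_size, 3),
        "max_section_entropy": max_entropy,
        # Low section entropy plus a large overlay: the packed content is
        # appended to the file, not stored inside the sections.
        "payload_in_overlay": overlay > 0 and max_entropy < 6.0,
        "uninitialised_sections": bss_like,
    }

if __name__ == "__main__":
    for k, v in packing_assessment(SECTIONS, FILE_SIZE).items():
        print(f"{k:24} {v}")
```

For this sample the overlay comes to about 970 KB, 83% of the file, which is consistent with the __tmp_rar_sfx_access_check_* probe seen in the file activity: the sections are the SFX stub and the appended RAR archive holds the dropped files.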
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 2
234166252162812212c8daf6a0a58f5b
b35c870be3d0108780b5dfc9c15e8ee6
URLs
| URL | IP |
|---|---|
| hxxp://smartinstaller.elasticbeanstalk.com/Installer/Flow?pubid=5115&distid=7187&productid=6761&subpubid=0&campaignid=0&networkid=&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=&netv=&ds1=&hb=0&systembit=32&vm=1&version=4.0 | |
| hxxp://dlrevenyou.outbrowse.netdna-cdn.com/Files//Setup_product_6761.exe | |
| hxxp://smartinstaller.elasticbeanstalk.com//offers/DynamicOfferScreen?offerid=2&distid=7187&leadp=6761&countryid=262&sysbit=32&dfb=0&hb=0&external=0& | |
| hxxp://dlrevenyou.outbrowse.netdna-cdn.com/offers/ui/css/start/jquery-ui-1.8.19.custom.css | |
| hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css | |
| hxxp://googleapis.l.google.com/ajax/libs/jquery/1.5/jquery.min.js | |
| hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js | |
| hxxp://dlrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme7/topLine.jpg | |
| hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_inset-hard_100_fcfdfd_1x100.png | |
| hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png | |
| hxxp://dlrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme7/bgImg.jpg | |
| hxxp://dlrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme7/topComp.png | |
| hxxp://dlrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme7/bottomLine.jpg | |
| hxxp://static.revenyou.com/offers/images/Theme7/topComp.png | |
| hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_inset-hard_100_fcfdfd_1x100.png | |
| hxxp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=7187&leadp=6761&countryid=262&sysbit=32&dfb=0&hb=0&external=0& | |
| hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png | |
| hxxp://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js | |
| hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css | |
| hxxp://static.revenyou.com/offers/images/Theme7/bottomLine.jpg | |
| hxxp://installer.ppdownload.com/Installer/Flow?pubid=5115&distid=7187&productid=6761&subpubid=0&campaignid=0&networkid=&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=&netv=&ds1=&hb=0&systembit=32&vm=1&version=4.0 | |
| hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js | |
| hxxp://static.revenyou.com/offers/images/Theme7/bgImg.jpg | |
| hxxp://static.revenyou.com/offers/ui/css/start/jquery-ui-1.8.19.custom.css | |
| hxxp://dl.revenyou.com/Files//Setup_product_6761.exe | |
| hxxp://static.revenyou.com/offers/images/Theme7/topLine.jpg |
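The URL table is the most reusable part of the report for a defender. The Python below is an added example, not part of the report: it groups the URLs by host, pulls the query parameters the installer sends on its /Installer/Flow check-in (OS version, IE version, 32/64-bit, a `vm` flag that is 1 in this sandbox run, and empty slots such as macaddress and ffv that the installer tried to fill), and records that Files//Setup_product_6761.exe is fetched from two hosts and that the identical Flow query goes to two hosts, redundancy that matters when only one domain is blocked. The sample list is copied from the table; `THIRD_PARTY_CDNS` is an assumption used to keep the jQuery hosts out of a blocklist. Whether vm=1 means the installer fingerprinted the virtual machine is not established by the report; the code only extracts the value.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample: URLs copied from the report's table (defanged as hxxp).
SAMPLE_URLS = [
    "hxxp://smartinstaller.elasticbeanstalk.com/Installer/Flow?pubid=5115&distid=7187"
    "&productid=6761&subpubid=0&campaignid=0&networkid=&dfb=0&os=5.1&iev=6.0&ffv="
    "&chromev=&macaddress=&netv=&ds1=&hb=0&systembit=32&vm=1&version=4.0",
    "hxxp://installer.ppdownload.com/Installer/Flow?pubid=5115&distid=7187"
    "&productid=6761&subpubid=0&campaignid=0&networkid=&dfb=0&os=5.1&iev=6.0&ffv="
    "&chromev=&macaddress=&netv=&ds1=&hb=0&systembit=32&vm=1&version=4.0",
    "hxxp://dlrevenyou.outbrowse.netdna-cdn.com/Files//Setup_product_6761.exe",
    "hxxp://dl.revenyou.com/Files//Setup_product_6761.exe",
    "hxxp://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js",
    "hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js",
]

# Assumption: hosts that only served jQuery / jQuery UI assets in this run.
THIRD_PARTY_CDNS = {"ajax.googleapis.com", "googleapis.l.google.com"}

def refang(url):
    """Turn the report's hxxp:// defanging back into a parseable scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)

def urls_by_host(urls):
    groups = defaultdict(list)
    for u in urls:
        p = urlsplit(refang(u))
        groups[p.hostname].append(p)
    return groups

def flow_params(urls):
    """Query parameters of the installer's /Installer/Flow check-in, split into
    populated fields and the fields it sent empty."""
    filled, blank = {}, set()
    for u in urls:
        p = urlsplit(refang(u))
        if not p.path.lower().endswith("/installer/flow"):
            continue
        for k, vals in parse_qs(p.query, keep_blank_values=True).items():
            if vals[0] == "":
                blank.add(k)
            else:
                filled.setdefault(k, vals[0])
    return filled, blank

def executables_by_host(urls):
    """Map each downloaded .exe name to the hosts that served it."""
    served = defaultdict(list)
    for u in urls:
        p = urlsplit(refang(u))
        name = p.path.rsplit("/", 1)[-1]
        if name.lower().endswith(".exe"):
            served[name].append(p.hostname)
    return dict(served)

def blocklist_hosts(urls):
    """Contacted hosts minus the shared CDNs: the set worth blocking."""
    return {h for h in urls_by_host(urls) if h not in THIRD_PARTY_CDNS}

if __name__ == "__main__":
    filled, blank = flow_params(SAMPLE_URLS)
    print("reported:", filled)
    print("sent empty:", sorted(blank))
    print("payload hosts:", executables_by_host(SAMPLE_URLS))
    print("blocklist:", sorted(blocklist_hosts(SAMPLE_URLS)))
```

Feeding it the full table adds the static.revenyou.com and direct.the-apps-track.com hosts to the blocklist; the Flow parameters and the payload hosts are unchanged.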
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
The captured sessions are ordinary HTTP downloads (HTML, CSS, JavaScript, images and the Setup_product_6761.exe payload). The ET SHELLCODE rule is a byte-pattern match on TCP payload and fires readily on binary content such as PNG data or a PE file, so confirm which packet matched before treating the alert as evidence of an exploit; the report records no other exploitation behaviour.
Traffic
GET /offers/images/Theme7/topComp.png HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=7187&leadp=6761&countryid=262&sysbit=32&dfb=0&hb=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 26 Jul 2014 01:58:31 GMT
Content-Type: image/png
Content-Length: 1684
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Tue, 12 Mar 2013 18:06:58 GMT
ETag: "08db634c1fce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Sat, 02 Aug 2014 01:58:31 GMT
X-Cache: HIT
Accept-Ranges: bytes

[binary PNG image body follows (1684 bytes per Content-Length); not reproduced]
GET /ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=7187&leadp=6761&countryid=262&sysbit=32&dfb=0&hb=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/css; charset=UTF-8
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Sat, 26 Jul 2014 01:29:17 GMT
Expires: Sat, 26 Jul 2014 02:29:17 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 6091
X-XSS-Protection: 1; mode=block
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Age: 1753
Alternate-Protocol: 80:quic
<<< skipped >>>
GET /ajax/libs/jqueryui/1.8/jquery-ui.min.js HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=7187&leadp=6761&countryid=262&sysbit=32&dfb=0&hb=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Sat, 26 Jul 2014 01:03:00 GMT
Expires: Sat, 26 Jul 2014 02:03:00 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 51558
X-XSS-Protection: 1; mode=block
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Age: 3331
Alternate-Protocol: 80:quic
<<< skipped >>>
GET /ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=7187&leadp=6761&countryid=262&sysbit=32&dfb=0&hb=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Sat, 26 Jul 2014 01:41:02 GMT
Expires: Sat, 26 Jul 2014 02:41:02 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 3457
X-XSS-Protection: 1; mode=block
Age: 1049
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Alternate-Protocol: 80:quic
<<< skipped >>>
... file.
%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (238 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1033\eula.rtf (4 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\SetupEngine.dll (7173 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1030\eula.rtf (5 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1028\eula.rtf (9 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\SysReqMet.ico (1 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1049\LocalizedData.xml (826 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\SysReqNotMet.ico (1 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1029\SetupResources.dll (809 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1042\LocalizedData.xml (463 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\DisplayIcon.ico (875 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1046\LocalizedData.xml (833 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1041\LocalizedData.xml (596 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1033\LocalizedData.xml (211 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\SplashScreen.bmp (41 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\Rotate6.ico (894 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1028\LocalizedData.xml (282 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\Rotate2.ico (894 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\watermark.bmp (1212 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\Rotate5.ico (894 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1032\SetupResources.dll (639 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1031\LocalizedData.xml (154 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\Rotate1.ico (894 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1035\eula.rtf (5 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\SetupUi.dll (2323 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\header.bmp (3 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\3082\eula.rtf (5 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1042\SetupResources.dll (538 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\3082\SetupResources.dll (30 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1025\LocalizedData.xml (883 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1045\eula.rtf (830 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\Rotate8.ico (894 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1055\eula.rtf (6 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1043\eula.rtf (5 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\Print.ico (1 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1044\LocalizedData.xml (616 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1043\SetupResources.dll (30 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1041\eula.rtf (15 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1038\SetupResources.dll (722 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\Rotate3.ico (894 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1045\LocalizedData.xml (423 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1040\SetupResources.dll (751 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1032\eula.rtf (15 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1030\LocalizedData.xml (640 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1040\LocalizedData.xml (670 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1055\SetupResources.dll (531 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\2070\eula.rtf (6 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\3082\LocalizedData.xml (593 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1038\LocalizedData.xml (925 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1043\LocalizedData.xml (105 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1040\eula.rtf (5 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\Save.ico (1 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1041\SetupResources.dll (26 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\Rotate7.ico (894 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1044\eula.rtf (4 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1025\eula.rtf (332 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1033\SetupResources.dll (28 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1053\SetupResources.dll (29 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\sqmapi.dll (1059 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1045\SetupResources.dll (29 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1053\LocalizedData.xml (274 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\SetupUtility.exe (1429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dd_6_Offer_5_decompression_log.txt (2292 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1053\eula.rtf (5 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\2052\SetupResources.dll (24 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1025\SetupResources.dll (663 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\stop.ico (10 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1035\SetupResources.dll (29 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1029\eula.rtf (6 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1049\eula.rtf (16 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1046\eula.rtf (5 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1030\SetupResources.dll (29 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1037\eula.rtf (11 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\2052\eula.rtf (9 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\SetupUi.xsd (30 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\2070\LocalizedData.xml (232 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Setup.exe (498 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\DHtmlHeader.html (16 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1055\LocalizedData.xml (1153 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1037\LocalizedData.xml (524 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1032\LocalizedData.xml (655 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1042\eula.rtf (14 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1038\eula.rtf (210 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1036\eula.rtf (5 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1049\SetupResources.dll (29 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1036\SetupResources.dll (30 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1035\LocalizedData.xml (287 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Strings.xml (14 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1031\SetupResources.dll (805 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1028\SetupResources.dll (25 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1029\LocalizedData.xml (538 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\ParameterInfo.xml (10589 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1044\SetupResources.dll (842 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\2052\LocalizedData.xml (658 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1031\eula.rtf (5 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\2070\SetupResources.dll (29 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\Rotate4.ico (894 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\Setup.ico (394 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1046\SetupResources.dll (693 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1037\SetupResources.dll (143 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\1036\LocalizedData.xml (748 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\UiInfo.xml (963 bytes)
C:\16e02c320a655cf2cb3a1e8b57f92e\Graphics\warn.ico (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ins.exe (148088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2.tmp\Convert1.dll (4656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ins.dat (25991 bytes)
%Program Files%\Windows Defender\MSASCui.bat (638 bytes)
%Program Files%\Windows Defender\malware-def.reg (660 bytes)
%Program Files%\Windows Defender\MSASCuix86.exe (6428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Setup_20140726_045838466.html (194950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFI4.tmp.html (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Microsoft .NET Framework 4.5.1 Setup_20140726_045839779.html (448258 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Setup_2014072 (404 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXEJSTYF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXEJSTYF\bottomLine[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W9ARKTYB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPUZC96J\jquery-ui.min[1].js (16411 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W9ARKTYB\ui-bg_inset-hard_100_fcfdfd_1x100[1].png (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXEJSTYF\jquery-ui[1].css (860 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GD2FCHQJ\topComp[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXEJSTYF\jquery-ui-1.8.19.custom[1].css (10277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPUZC96J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPUZC96J\bgImg[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W9ARKTYB\jquery.min[1].js (6604 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GD2FCHQJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W9ARKTYB\ui-bg_gloss-wave_75_2191c0_500x100[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GD2FCHQJ\Setup_product_6761[1].exe (209330 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W9ARKTYB\topLine[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GD2FCHQJ\DynamicOfferScreen[1].htm (1517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6_Offer_5.exe (160504 bytes)
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSASCuix86" = "%Program Files%\Windows Defender\MSASCuix86.exe -s"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MSASCuix86" = "%Program Files%\Windows Defender\MSASCuix86.exe -s"
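Both Run values above launch MSASCuix86.exe from the Windows Defender folder, a name chosen to resemble the genuine Windows Defender UI binary MSASCui.exe; the dropped MSASCui.bat and malware-def.reg sit in the same folder, and the installer stages ins.exe and 6_Offer_5.exe in the user's Temp directory. The Python below is an added triage example, not part of the report, that checks a constructed host snapshot built from these indicators: Run-key commands that start a look-alike Defender binary, the same value planted in both HKLM and HKCU, executables dropped in Temp, and a .reg script staged in the Defender folder. The expanded user profile path and the benign ctfmon.exe Run value are constructed for the example.

```python
# Added example (not from the Lavasoft report): triage the persistence and
# file indicators listed above against a constructed host snapshot.
import ntpath   # Windows path handling that also works when run on Linux/macOS
import re

LEGIT_DEFENDER_UI = "msascui.exe"   # the genuine Windows Defender UI binary

# Constructed snapshot built from the report's indicators. The report's
# %Program Files% and %current user% placeholders are expanded as on an XP
# SP3 host; the ctfmon.exe Run value is a benign control entry added here.
RUN_VALUES = [
    ("HKLM", "MSASCuix86", r"C:\Program Files\Windows Defender\MSASCuix86.exe -s"),
    ("HKCU", "MSASCuix86", r"C:\Program Files\Windows Defender\MSASCuix86.exe -s"),
    ("HKLM", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]
FILES_WRITTEN = [
    r"C:\Program Files\Windows Defender\MSASCui.bat",
    r"C:\Program Files\Windows Defender\malware-def.reg",
    r"C:\Program Files\Windows Defender\MSASCuix86.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\ins.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\6_Offer_5.exe",
    r"C:\16e02c320a655cf2cb3a1e8b57f92e\Setup.exe",
]


def exe_from_command(cmd):
    """Executable path from a Run value's command line, arguments dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path: take up to closing quote
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|bat|cmd|scr))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def lookalike_defender(path):
    """True for a file in the Windows Defender folder whose name imitates
    MSASCui.exe without being it (MSASCuix86.exe, MSASCui.bat, ...)."""
    folder, name = ntpath.split(path)
    in_defender_dir = folder.lower().endswith("\\windows defender")
    name = name.lower()
    return in_defender_dir and name.startswith("msascui") and name != LEGIT_DEFENDER_UI


def triage(run_values, files_written):
    """Return human-readable findings for the indicators this report documents."""
    findings = []
    seen = {}   # (value name, exe) -> hives it was found in
    for hive, value_name, cmd in run_values:
        exe = exe_from_command(cmd)
        if lookalike_defender(exe):
            findings.append(f"{hive}\\...\\Run\\{value_name} starts look-alike Defender binary: {exe}")
        seen.setdefault((value_name.lower(), exe.lower()), set()).add(hive)
    # The same value planted in both hives survives removal from only one.
    for (value_name, exe), hives in seen.items():
        if len(hives) > 1:
            findings.append(f"Run value '{value_name}' set in {' and '.join(sorted(hives))}: {exe}")
    for path in files_written:
        low = path.lower()
        if "\\local settings\\temp\\" in low and low.endswith((".exe", ".bat", ".dll")):
            findings.append(f"executable dropped in user Temp: {path}")
        elif lookalike_defender(path):
            findings.append(f"look-alike Defender file: {path}")
        elif low.endswith(".reg") and "\\windows defender\\" in low:
            findings.append(f"registry script staged in Defender folder: {path}")
    return findings


if __name__ == "__main__":
    for line in triage(RUN_VALUES, FILES_WRITTEN):
        print(line)
```

On a live host the two lists would come from exporting HKLM and HKCU ...\CurrentVersion\Run and from a file-system walk; the look-alike check is deliberately narrow (folder plus name prefix) so that the genuine MSASCui.exe never trips it.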