SearchProtectToolbar_ce8175edae

by malwarelabrobot on March 20th, 2016 in Malware Descriptions.

Trojan.NSIS.StartPage.FD, SearchProtectToolbar.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: ce8175edae3083eb4b45b61903f3c576
SHA1: 67ceedb4a5906f9409977c8115de5147d7d2e395
SHA256: d6edcd44cc3f1559871522a8de94e10c42262d5976c7debc82eab188eb4d2245
SSDeep: 12288:OAqtbewmmiaxpH3zIbozBH5r i jg7Tyk:OjKh6xR3zF1x ioyH
Size: 491520 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:46
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:556

Mutexes

The following mutexes were created/opened:

ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ShimCacheMutex
OpenSoftwareUpdaterInstaller

File activity

The process %original file name%.exe:556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\Banner.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\Utilites.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\TopLogo1.bmp (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\helper.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\Dialogs.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\registry.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\ipbhelper.dll (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp (26657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\nsDialogs.dll (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\1.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\2.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\quid.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\3.txt (0 bytes)

Registry activity

The process %original file name%.exe:556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 5B 21 55 2D F0 75 4C B0 53 F5 DD B1 2F AD 70"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies the IE security-zone settings so that all local web-nodes with no dots, which do not refer to any zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5                              File path
0116a50101c4107a138a588d1e46fca5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso3.tmp\Banner.dll
23a0898382109b22429075e5daa2423d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso3.tmp\Dialogs.dll
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso3.tmp\System.dll
925ac752d01df960a14b3e6233211509 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso3.tmp\Utilites.dll
a97e514ad0d2d564903e9dddaa455cee c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso3.tmp\helper.dll
59bbc376ffbc74150be756b5f6a50e00 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso3.tmp\inetc.dll
230886d5d6fd343b3a9d9382129146eb c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso3.tmp\ipbhelper.dll
c10e04dd4ad4277d5adc951bb331c777 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso3.tmp\nsDialogs.dll
69806691d649ef1c8703fd9e29231d44 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso3.tmp\nsisos.dll
f3c4d4abece227de0b4b0dfe85a207f4 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nso3.tmp\registry.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: OSU
Product Version:
Legal Copyright: Copyright 2015
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.1.0.0
File Description: Open Software Updater
Comments:
Language: English (United States)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             23130         23552     4.44841  0bc2ffd32265a08d72b795b18265828d
.rdata  28672            4496          4608      3.59163  f179218a059068529bdb4637ef5fa28e
.data   36864            110488        1024      3.26405  975304d6dd6c4a4f076b15511e2bbbc0
.ndata  147456           204800        0         0        d41d8cd98f00b204e9800998ecf8427e
.rsrc   352256           17112         17408     1.71267  140beefc86b981de5edf3c52519ad710

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://protecteddownload.com/installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&action=1
hxxp://protecteddownload.com/installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=930
hxxp://protecteddownload.com/ipb.php?ID=3B21035248B3&ID2=7B84A336535D&icount=20&rcount=28&ucount=2
hxxp://protecteddownload.com/installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=914
hxxp://protecteddownload.com/installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=920
hxxp://protecteddownload.com/installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=350
hxxp://protecteddownload.com/installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=371
hxxp://protecteddownload.com/installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=915
hxxp://protecteddownload.com/installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=927
hxxp://protecteddownload.com/installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=921
hxxp://protecteddownload.com/installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=712
hxxp://protecteddownload.com/installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=714
hxxp://protecteddownload.com/installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=4
hxxp://protecteddownload.com/installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=880


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers

Traffic

GET /installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&action=1 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: protecteddownload.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Date: Sat, 19 Mar 2016 08:49:13 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 297
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /installer.php was not found on this server.</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at protecteddownload.com Port 80</address>
</body></html>



GET /installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=930 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: protecteddownload.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Date: Sat, 19 Mar 2016 08:49:14 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 297
Keep-Alive: timeout=5, max=88
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /installer.php was not found on this server.</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at protecteddownload.com Port 80</address>
</body></html>



GET /ipb.php?ID=3B21035248B3&ID2=7B84A336535D&icount=20&rcount=28&ucount=2 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: protecteddownload.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Date: Sat, 19 Mar 2016 08:49:15 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 291
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /ipb.php was not found on this server.</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at protecteddownload.com Port 80</address>
</body></html>



GET /installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=914 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: protecteddownload.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Date: Sat, 19 Mar 2016 08:49:15 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 297
Keep-Alive: timeout=5, max=83
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /installer.php was not found on this server.</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at protecteddownload.com Port 80</address>
</body></html>



GET /installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=920 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: protecteddownload.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Date: Sat, 19 Mar 2016 08:49:15 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 297
Keep-Alive: timeout=5, max=82
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /installer.php was not found on this server.</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at protecteddownload.com Port 80</address>
</body></html>



GET /installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=350 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: protecteddownload.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Date: Sat, 19 Mar 2016 08:49:16 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 297
Keep-Alive: timeout=5, max=81
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /installer.php was not found on this server.</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at protecteddownload.com Port 80</address>
</body></html>



GET /installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=371 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: protecteddownload.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Date: Sat, 19 Mar 2016 08:49:16 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 297
Keep-Alive: timeout=5, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /installer.php was not found on this server.</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at protecteddownload.com Port 80</address>
</body></html>



GET /installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=915 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: protecteddownload.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Date: Sat, 19 Mar 2016 08:49:16 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 297
Keep-Alive: timeout=5, max=79
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /installer.php was not found on this server.</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at protecteddownload.com Port 80</address>
</body></html>



GET /installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=927 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: protecteddownload.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Date: Sat, 19 Mar 2016 08:49:16 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 297
Keep-Alive: timeout=5, max=78
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /installer.php was not found on this server.</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at protecteddownload.com Port 80</address>
</body></html>



GET /installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=921 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: protecteddownload.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Date: Sat, 19 Mar 2016 08:49:16 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 297
Keep-Alive: timeout=5, max=77
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /installer.php was not found on this server.</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at protecteddownload.com Port 80</address>
</body></html>



GET /installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=712 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: protecteddownload.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Date: Sat, 19 Mar 2016 08:49:16 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 297
Keep-Alive: timeout=5, max=76
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /installer.php was not found on this server.</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at protecteddownload.com Port 80</address>
</body></html>



GET /installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=714 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: protecteddownload.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Date: Sat, 19 Mar 2016 08:49:16 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 297
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /installer.php was not found on this server.</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at protecteddownload.com Port 80</address>
</body></html>



GET /installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=4 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: protecteddownload.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Date: Sat, 19 Mar 2016 08:49:17 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 297
Keep-Alive: timeout=5, max=74
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /installer.php was not found on this server.</p>.<hr>.<address>Apache/2.4.7 (Ubuntu) Server at protecteddownload.com Port 80</address>.</body></html>.
....



GET /installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=880 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: protecteddownload.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Date: Sat, 19 Mar 2016 08:49:17 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 297
Keep-Alive: timeout=5, max=73
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /installer.php was not found on this server.</p>.<hr>.<address>Apache/2.4.7 (Ubuntu) Server at protecteddownload.com Port 80</address>.</body>..


The Trojan connects to the servers at the following location(s):

%original file name%.exe_556:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso3.tmp\nsDialogs.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso3.tmp\nsDialogs.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso3.tmp
@.reloc
GetProcessHeap
comdlg32.dll
nsDialogs.dll
All Files|*.*
yFTP
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso3.tmp\quid.txt
nso3.tmp
quid.txt
helper.dll
explore.exe" -nohome
76.exe
1179926
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nso3.tmp\quid.txt
%Program Files%\Internet Explorer\iexplore.exe" -nohome
c:\%original file name%.exe
%Program Files%\OpenSoftwareUpdater
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
1900836
protecteddownload.com
hXXp://protecteddownload.com/installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=
3080430
889848924
1107952729
889848905
-2012610197
856294480
1426719123
1175061581
755631187
-368442388
470418510
386532442
822739659
738853957
487195730
537527380
-1878391543
84542152
-1660288356
HKEY_LOCAL_MACHINE\SOFTWARE\SearchProtect
hXXp://mysafedownload.com/installer.php?CODE=OSUTGQ&UID=AB803810-9779-4688-8AF6-F56F0CD39FAE&quant=8923&action=
2556136
671745100
hXXp://protecteddownload.com/info.php?&quant=8923
AB803810-9779-4688-8AF6-F56F0CD39FAE
hXXp://protecteddownload.com/ipb.php?ID=3B21035248B3&ID2=7B84A336535D&icount=20&rcount=28&ucount=2
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
lorer\iexplore.exe" -nohome
3.1.0.0

%original file name%.exe_556_rwx_10004000_00001000:

callback%d


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\Banner.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\nsisos.dll (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\Utilites.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\TopLogo1.bmp (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\helper.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\Dialogs.dll (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\registry.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\ipbhelper.dll (12088 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp (26657 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp\nsDialogs.dll (9 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
