SearchProtectToolbar_pcap_2f21390313

by malwarelabrobot on March 10th, 2016 in Malware Descriptions.

Trojan.NSIS.StartPage.FD, SearchProtectToolbar_pcap.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 2f21390313e04d84dfe161b9a5abf843
SHA1: eb60a5c937e02683a9f90bfbe8d5581d8e873dec
SHA256: 05add3edd35426a901cc7b172f5949cef2ec8d40540c73b9cb77c5b683044a33
SSDeep: 12288:YN4qLl6RO4yUpWGK7YkXYhHZE8eApPQ1 dLALqC5oCQ:YFlOO4yUpJKOmTAp04gC3
Size: 712744 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:46
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:468

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\progress.css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\winmin_button.png (792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\close.gif (510 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\utils.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\lua51.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\step_on.gif (142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\res\common.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp (26633 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\DALogo2.gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\UACInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\res\common.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\extension.tlb (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaSocket\lua\mime.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaSocket\socket\core.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaSocket\lua\socket\smtp.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\offers.css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\cancel.css (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaSocket\lua\socket\ftp.lua (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\truste.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\FloatingProgress.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\accept.gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\stepBG.gif (946 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\back_button.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\IntegratedOffer.lua (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\DownloadThread.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\mod.css (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\Events.lua (912 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\back.gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\res\jquery.js (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\AdvancedTests.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaSocket\mime\core.dll (1856 bytes)
%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\bg.gif (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\headerBG.gif (366 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\definitions.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaXml.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaSocket\lua\socket\tp.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaSocket\lua\ltn12.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\luacom.dll (10136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\json.lua (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\bg2.gif (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\__localxml.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\winclose_button.png (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Administrative Tools\desktop.ini (62 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaSocket\lua\socket\http.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\DALogo.jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaBridge.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\step_off.gif (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaSocket\lua\socket.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\un.package.exe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\__web.xml (33635 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\decline.gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\vlcmediaplayer-128x128.png (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaXml_lib.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\cancel.gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\cancel_button.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaSocket\lua\socket\url.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\BrowserControl.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\GuiInit.lua (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\version.dll (6 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nst1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp (0 bytes)

Registry activity

The process %original file name%.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 D1 B5 7F 03 78 78 1A 0B 4D 50 0F 73 60 E5 1E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

Dropped PE files

MD5 File path
5f11bfefee27008b9ac247aa401605d5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy3.tmp\FloatingProgress.dll
67048decd7ff72b9a96d3b211ec2660b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy3.tmp\LuaBridge.dll
4a4845ba1666907f708c9c10a31ec227 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy3.tmp\LuaSocket\mime\core.dll
4bf7db111acfa7c28ad36606107b3322 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy3.tmp\LuaSocket\socket\core.dll
7292b642bd958aeb7fd7cfd19e45b068 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy3.tmp\LuaXml_lib.dll
d02a497be5f89c44827f142c4662f591 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy3.tmp\UACInfo.dll
bbc9ac3211f07e45510861ae429996c3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy3.tmp\lua51.dll
ed7f7857933b38e5d10daf828e79af19 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy3.tmp\luacom.dll
5694e7daf20c47c8d5e73d4a838c2ee6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy3.tmp\un.package.exe
ebc5bb904cdac1c67ada3fa733229966 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy3.tmp\version.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 491520 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 495616 20480 17920 5.45789 2b6668d8ed7a28049f399add635fd1da
.rsrc 516096 192512 192000 2.99213 71f352ad80a6e8962d4b6b504554992b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
464078b3fbcf8961b293e115018bfdb7

URLs

URL IP
hxxp://service.downloadadmin.com/install?s=msn&c=playfin_multigames&brand=playfin.com&pid=TR&bc=4699&country=US 50.22.63.138


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /install?s=msn&c=playfin_multigames&brand=playfin.com&pid=TR&bc=4699&country=US HTTP/1.1
connection: close, TE
user-agent: Tightrope Bundle Manager(ref=[90daf87f2d18ce4ffda95993d1be3c72f20e3528 refs/heads/master];windows=5.1;uac=false;elevated=true;dotnet=4)
x-webinstallcode: complete url:hXXp://service.downloadadmin.com/install?s=msn&c=playfin_multigames&brand=playfin.com&pid=TR&bc=4699&country=US
te: trailers
host: service.downloadadmin.com


HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 09 Mar 2016 11:16:43 GMT
Age: 0
Connection: close
X-TVAR: 
X-Cache: MISS
008000
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Installer>
  <Bundle>
    <LinkBelowEula>false</LinkBelowEula>
    <OptInDefault>false</OptInDefault>
    <ProductBinary embed="false" msioptions="" options="/S">hXXp://mirror.ramtransmission.info/binstallers/deerdrive/deerdrive.exe</ProductBinary>
    <ProductEula comboPrimary="false" embed="false">hXXp://mirror.downloadnet1210.com/binstallers/BM2/deerdrive/ipage/deerdrive-bm25.mht</ProductEula>
    <Primary>true</Primary>
    <ProductId>31</ProductId>
    <ProductName>Deer Drive</ProductName>
    <Scramble>false</Scramble>
  </Bundle>
  <Bundle>
    <Category>opinion</Category>
    <CustomParameter Name="requires-click">true</CustomParameter>
    <CustomParameter Name="advertisername">Premier Opinion</CustomParameter>
    <If>
      <Or>
        <Not>
          <Env property="custom.invm" op="=" value="true"/>
        </Not>
        <Env property="custom.partner" op="=" value="test"/>
      </Or>
      <Or>
        <Env property="custom.region" op="=" value="US"/>
        <Env property="custom.region" op="=" value="us"/>
      </Or>
      <Not>
        <Or>

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_468:

`.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy3.tmp\LuaBridge.dll
ss.dll
28.png
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy3.tmp\LuaBridge.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy3.tmp
ns\UrlAssociations\http\UserChoice
GetProcessHeap
KERNEL32.dll
USER32.dll
GDI32.dll
SHELL32.dll
comdlg32.dll
ole32.dll
nsDialogs.dll
All Files|*.*
_XYg-$%(ck.gbc-#ck.Ubggb`-#ck.e\Z[g-#ck.
j\Wg[-%%ck.[X\Z[g-%%ck.
`TeZ\a e\Z[g-%ck.
dhbg.UTV^
dhbg.WXV_\aX
dhbg.VTaVX_
.text
`.rdata
@.data
.reloc
shell32.dll
NotifyIcon.dll
.rsrc
@.reloc
ShellExecuteA
CustomBrandingURL.dll
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
Z:\Programming\GitHome\master\Employers\Franco\TightRope-BundleManager\Custom\Scramble\Release\Scramble.pdb
#-,.mT:
!$"'(!((!$&
##-,#1.#0- !%
!  .76:76:*),
#" *#1.#1.!#&
5I.vS#2
.ojl1_
u{.vo
nsy3.tmp
e]],0x00040000) -- C:/BM/2.5/BINARIES/DownloadAdmin/production/setup.exe.nsi:Line 895.2
tion/setup.exe.nsi:Line 2372.2
1\"%CurrentUserName%"\LOCALS~1\Temp\nsy3.tmp
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy3.tmp\skin
GetWindowsDirectoryA
RegEnumKeyA
RegOpenKeyExA
RegDeleteKeyA
RegCloseKey
RegCreateKeyExA
SHFileOperationA
ExitWindowsEx
.ndata
O [rKey
NEL \*.*
umKey
5334543
8664755
8760876
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
VERSION.dll
com.build.date
6/1/2012
com.build.dir
C:\BM\2.5\WebTemplates
com.build.id
com.build.machine
com.build.time
com.build.user
$%USER%


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\progress.css (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\winmin_button.png (792 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\close.gif (510 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\utils.lua (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\lua51.dll (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\step_on.gif (142 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\res\common.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp (26633 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\DALogo2.gif (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\UACInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\res\common.js (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\extension.tlb (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaSocket\lua\mime.lua (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaSocket\socket\core.dll (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaSocket\lua\socket\smtp.lua (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\offers.css (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\cancel.css (578 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaSocket\lua\socket\ftp.lua (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\truste.gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\FloatingProgress.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\accept.gif (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\stepBG.gif (946 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\back_button.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\IntegratedOffer.lua (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\DownloadThread.lua (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\mod.css (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\Events.lua (912 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\back.gif (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\res\jquery.js (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\AdvancedTests.lua (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaSocket\mime\core.dll (1856 bytes)
    %Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\bg.gif (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\headerBG.gif (366 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\definitions.lua (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaXml.lua (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaSocket\lua\socket\tp.lua (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaSocket\lua\ltn12.lua (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\luacom.dll (10136 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\json.lua (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\bg2.gif (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\__localxml.xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\winclose_button.png (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Administrative Tools\desktop.ini (62 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaSocket\lua\socket\http.lua (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\DALogo.jpg (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaBridge.dll (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\step_off.gif (138 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaSocket\lua\socket.lua (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\un.package.exe (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\__web.xml (33635 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\decline.gif (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\vlcmediaplayer-128x128.png (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaXml_lib.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\cancel.gif (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\skin\cancel_button.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\LuaSocket\lua\socket\url.lua (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\BrowserControl.lua (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\GuiInit.lua (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp\version.dll (6 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
