SearchProtectToolbar_pcap_3646819e56
Trojan.Win32.Swrort.3.FD, SearchProtectToolbar_pcap.YR, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 3646819e562b6eff842e1ebc880d203b
SHA1: 3ee3e33af7094145ef00fbf92f6c72ed035efe85
SHA256: 8d949986257b14c8fc3b1206ecc8901a76efb163d89f890beca3a85544bceb9a
SSDeep: 12288:GvWoBObcObcSkP CVuVX1HxUMWtC7uVB9:W5IcI7s 1VFRzt7uV7
Size: 471568 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-07-11 10:40:11
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
spidentifierimpl.exe:1080
The Trojan injects its code into the following process(es):
%original file name%.exe:772
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process spidentifierimpl.exe:1080 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\SPtool.dll (180359 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\inetc.dll (30 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\SPtool.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\inetc.dll (0 bytes)
The process %original file name%.exe:772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\js\jquery-1.10.2.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\e0ed048e90a6cd1636f19b7a343cf5600.12176183264327789 (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\base\js\jquery-1.10.2.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\progress.zip (11948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\br-rb.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\index.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\css\style.css (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\bar-lb.png (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\base\index.html (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\last\index.html (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\bar-bg.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\br-lb.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\last\last.zip (5572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\progress-bar.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\uifile.zip (6740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\last\img\img1.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\img\progress.png (784 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[1].txt (381 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\bar-rb.png (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZMXKP41\progress[1].zip (11948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\loadingImage\loadingImage.bmp (55014 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\454VKZUL\spidentifierimpl[1].exe (303947 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\img\progress-bar.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\cfg.txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\js\jquery-1.10.2.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\progress.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\last\css\style.css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\151.gif (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\base\base.zip (4708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\br-b.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZMXKP41\base[1].zip (4708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\icon.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\index.html (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\img\img1.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WHGLUX\last[1].zip (5572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\br-bg.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\454VKZUL\config-from-production[1].txt (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\initWindow\progress.html (1 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (387 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\last\js\jquery-1.10.2.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\requirements\spidentifierimpl.exe (303947 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\base\css\style.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\initWindow\css\style.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\initWindow\noconnection.html (905 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZMXKP41\soft32-flow-5-text-en-us[1].zip (6740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\css\style.css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\img1.png (784 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZMXKP41\progress[1].zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZMXKP41\soft32-flow-5-text-en-us[1].zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\454VKZUL\spidentifierimpl[1].exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WHGLUX\last[1].zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\454VKZUL\error[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\454VKZUL\config-from-production[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WHGLUX\error[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\454VKZUL\3[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZMXKP41\error[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZMXKP41\3[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WHGLUX\3[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZMXKP41\base[1].zip (0 bytes)
Registry activity
The process spidentifierimpl.exe:1080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA DB 31 3A 80 19 D6 EC 3B 40 CA D4 4F BC A2 06"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots in their name, which are not assigned to any other zone, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\DLG\requirements]
"spidentifierimpl.exe" = "Search Protect Identifier by conduit"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016040420160405]
"CacheRepair" = "0"
"CachePrefix" = ":2016040420160405:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016040420160405]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012016040420160405\"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 7B 5A 24 DA 9F 6E 71 29 B2 19 AE 86 B8 92 EF"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016040420160405]
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016040420160405]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots in their name, which are not assigned to any other zone, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| 484003524ef2000db83cb16ced0a48a1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\DLG\requirements\spidentifierimpl.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 174705 | 175104 | 4.5853 | b11564b9a66cc14556c1fb6b27fc44cd |
| .rdata | 180224 | 61868 | 61952 | 3.29895 | c5d3ef72250fda3ae79eeab4d2067f72 |
| .data | 245760 | 24096 | 15360 | 3.34806 | 55c8ef91dfc32b1f66b2a27ef426eb41 |
| .rsrc | 270336 | 193368 | 193536 | 5.1131 | 979ac1d6303f700668d678d6df4175bf |
| .reloc | 466944 | 21524 | 22016 | 3.47792 | 10c466d9b71044c843cf08b399008926 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 6
b291fc7a9931280d887b05f90c515a69
2b1dcb9e32b6aac471b3d93af8313a69
85aa416ae581b5784403bd5337216c56
8b1d518011e9f6d27182ea3cafbb916d
083344c3ecc91f885dfda259aad4916d
111c1af1ccaf646a235ca3e903ce01a8
URLs
| URL | IP |
|---|---|
| hxxp://dlg-configs-eus.cloudapp.net/config-from-production | |
| hxxp://e6337.g.akamaiedge.net/spidentifier/1.0.2.0/spidentifierimpl.exe | |
| hxxp://dlg-messages-weu.cloudapp.net/1/dg/3 | |
| hxxp://e9287.g.akamaiedge.net//spidentifier/1.0.2.0/spidentifierimpl.exe | |
| hxxp://jazz-1846647836.us-east-1.elb.amazonaws.com/ | |
| hxxp://cs3.wpc.v0cdn.net/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/base.zip | |
| hxxp://cs3.wpc.v0cdn.net/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/soft32-flow-5-text-en-us.zip | |
| hxxp://dlg-messages-weu.cloudapp.net/1/dg/3/error | |
| hxxp://cs3.wpc.v0cdn.net/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/progress.zip | |
| hxxp://cs3.wpc.v0cdn.net/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/last.zip | |
| hxxp://az687722.vo.msecnd.net/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/progress.zip | |
| hxxp://dlg-configs.buzzrin.de/config-from-production | |
| hxxp://dlg-messages.buzzrin.de/1/dg/3/error | |
| hxxp://az687722.vo.msecnd.net/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/soft32-flow-5-text-en-us.zip | |
| hxxp://dlg-messages.buzzrin.de/1/dg/3 | |
| hxxp://sp-storage.spccinta.com//spidentifier/1.0.2.0/spidentifierimpl.exe | |
| hxxp://az687722.vo.msecnd.net/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/base.zip | |
| hxxp://az687722.vo.msecnd.net/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/last.zip | |
| hxxp://sp-storage.conduit-services.com/spidentifier/1.0.2.0/spidentifierimpl.exe | |
| hxxp://sp-installer.conduit-data.com/ | |
| www.google.com | |
| www.google.com.ua | |
| wac.wac.b0f4.edgecastcdn.net | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/last.zip HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: az687722.vo.msecnd.net
Connection: Close
HTTP/1.1 200 OK
Cache-Control: public, max-age=3600
Content-MD5: CdWKjo25ViQq30NolnCXKg==
Content-Type: application/octet-stream
Date: Sun, 03 Apr 2016 22:57:46 GMT
Etag: 0x8D1E7FA33CE34EB
Last-Modified: Wed, 17 Dec 2014 10:20:23 GMT
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: fd6750c6-0001-0026-71fc-8dfe84000000
x-ms-version: 2009-09-19
x-ms-write-protection: false
Content-Length: 37780
Connection: closePK.........[.E.\......-.......index.html.Wmo.6.......[.2Z.K1.."....[..
.6.#E.,&.....#............X...9>.;R..o.X^....)]%....tw.WR.........H
...'..1....|n.:.K..([email protected]....=...%3.\...../..L.uK..v..ZJ...Z..`K.G
Ii.H)..a4.Z.............o>7`6......M\...X.si..p2Iz...Q.(..V..<..
...b.uY.$%....ZA..2.q..La.t...76.^........!LDA........|...Mj......-.t.
.j2..*.w1z....Y]..\bX#...b 0q.l../.......F..w.*_Jm..&..]..-...8..&..z{
...RS.X.U...Y....bB]...X....$...Nv8.....R...."..L..92<%.... r:.....
.= .E.'.J#.s.D.S...t,.d.J{..h..R`|N.j..Z......OO.C..y}c.8...e(B..4....
..`.0I.8.E.F.(99R.o{.|2.L}..i4}.a..f..G.}B?......8.<..oh~t........9
|%Vh..i......I.P..m.;o.4..%5........n....zlN...{..L...g......6.m.I....
.....c..Y..1...(Js.Vc..;...Ts(m..\........$...... z*..GD.:?T..( "Oi..a
M..L..?...bU..<d~....vH._.....$3#.W5.....[.#.1..I.X.... .g.a.d.a/..
..=7.....'...._].B.. ..H5S..C..C...g*..E.q@PO`.)7.=..O.#Q]c({.]|mXN..n
..-...:%%.$...#~=.x,..p.....6..B..%lI...N@............_.D.....N...z...
<.. [email protected]!Y...\.. d..^...........&.[
.GQ.fY..PK.........`nE-.b.....C.......css\style.css.V...0.]'R..mT.]..y
4%......Xq.e...^..;~....TP..3...9.'.. z[-.\..U...ipI...O....."..bqG...
.....{..eI...'$p.....W....j.=~....Z..r...U...K.(......M*.B....{.s"....
....r..}.M...c..$..:....RI(.'....o..h...dcn....!xC-?N.....\n4WU....s.h
{..N......;p..qU..?q.$n..c"I...2 .n.-.g. ..([email protected]..."
..`.5A..%.R...I.....$.;..|....I...w...K..A.....^=...BY.u.....A}v......
..A..*z.x.]...y|...).....W...h#.....` . X.L....7p..$.`...?..'.....<<< skipped >>>
POST /1/dg/3/error HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 587
Connection: Close
{"ApplicationName":"DownloadGuide2","ApplicationVersion":"3.0.0.135","Client":"freemium","Culture":"en-US","Region":"default","ExceptionDateBinary":"2016-04-03T22:57:46 03:00","ExceptionName":"","Message":"cpp: {P:0772 T:1932 S:1 D:57.46.415} - fail connect, hr=0x80070057","MethodName":"","OsName":"WinNT","OsPlatform":"x32","OsVersion":"5.1.2600 (Service Pack 3) SP: 3.0","StackTrace":"","BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","Product":"soft32","ProductVersion":"1.0","Campaign":"paid content","Offer":"","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:47 GMT
Connection: close
Content-Length: 0
GET /public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/progress.zip HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: az687722.vo.msecnd.net
Connection: Close
HTTP/1.1 200 OK
Cache-Control: public, max-age=3600
Content-MD5: GbHVwCUrfRP/evGXlYdWmg==
Content-Type: application/octet-stream
Date: Sun, 03 Apr 2016 22:57:46 GMT
Etag: 0x8D1E7FA33C8B687
Last-Modified: Wed, 17 Dec 2014 10:20:23 GMT
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: 4cb7ad3f-0001-0041-36fc-8d4d23000000
x-ms-version: 2009-09-19
x-ms-write-protection: false
Content-Length: 85600
Connection: closePK.........[.E...R............index.html..mO.8.s'.?x.m..&... .icLB....
.t...I..%u2.i.P..=v...).l."..~....O..q|......<.?~.WO..?.$....d2.c.
....J..d6........K....:............#..D.T...x;...........>.s..MF8..
..cJ%F.....3O........`.D..Gx.{.O.....;.w..9..,..K.....o.{O.I.C.R......
..=.e"....( ..\.....gs")...Irzd..r../).j..n..b.....4s.G..@E.&..y..../.
.k.T..6......,..._...?....Z.... .j..QK......5.....M..V.>..*.....&.m
)).c.^S..P#f.m...~......1N.....F.! -e...i.e.~.d|`3.M..h...G...........
.r.'3..v...i.......W..f.I p....I..,........$qI..eZ.s..y..Ry\..9}......
QM0.DH...4N'.a.GOF#......4...s..Yku.......P7(:\[email protected]. e8.Q...G.....r
n.-.t.@6..........$.R...~......" q........L.....'[..W1...}.t.{....C.:.
4...Z..../..E......d.jv., ..14UX4.|...U.6..bMq.(.md.u.....a.".4.H.!.O.
.._f....a....{..{]H..x..6R.......w.C...D..,...6.o.%OR....^ ...V..:%..[
h..v........L.y.....|.........4s.g..U.EE(9.S......~./.L....<K..{ bx
......._T.`@..t..a[e'...{.q...b..-..........).30Y.3............=.....(
'.."..0zH....{9....>[email protected].&.I*...t.....^L.t...2...] ..jT..-.
~`...B.K......8..z.a.M.h./n ..mG{~..........U...u...W..{...u.w.Z]...Jw
...C..CD..y..[... ....!S.OU...Fd....Fh?!.M.>.Y!.....m.;.tp....4....
..{....`.,..`8T..)..xg.".fSu...Qt|...........:....=V.l...4(....Ma,.Q..
.......-...U.{[email protected])"..Z..12gm....RgfYM..y.t....8....m......3.
..3kT........f.>vo|@...i.........J.Um.....Q....1....8...k.....bC...
.....]w.aS%...O.&.e....Y`....k.... ...^i..u..7.|3...(...q......}.;N...
qu...zZ.l.f..... ....#Mh(....W.^..1.F.L7.....rNy.>-o.".@aB.|..B<<< skipped >>>
GET /spidentifier/1.0.2.0/spidentifierimpl.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: sp-storage.conduit-services.com
Connection: Close
HTTP/1.1 301 Moved Permanently
Location: hXXp://sp-storage.spccinta.com//spidentifier/1.0.2.0/spidentifierimpl.exe
Server: BigIP
Content-Length: 0
Cache-Control: private, max-age=900
Expires: Sun, 03 Apr 2016 23:12:39 GMT
Date: Sun, 03 Apr 2016 22:57:39 GMT
Connection: close
POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 402
Connection: Close
{"BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","Client":"freemium","DlgVersion":"3.0.0.135","Culture":"en-US","LocalTime":"2016-04-03T22:57:45 03:00","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","MessageName":"RequirementsCheckSuccessful","Product":"soft32","ProductVersion":"1.0","Region":"default","Campaign":"paid content","Offer":"clickmein ltd/vuupc soft32/1.0/default","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:47 GMT
Connection: close
Content-Length: 0
POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 408
Connection: Close
{"BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","Client":"freemium","DlgVersion":"3.0.0.135","Culture":"en-US","LocalTime":"2016-04-03T22:57:45 03:00","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","MessageName":"RequirementsCheckSuccessful","Product":"soft32","ProductVersion":"1.0","Region":"default","Campaign":"paid content","Offer":"conduit ltd/ultra search protect/1.0/default","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:47 GMT
Connection: close
Content-Length: 0
POST /1/dg/3/error HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 587
Connection: Close
{"ApplicationName":"DownloadGuide2","ApplicationVersion":"3.0.0.135","Client":"freemium","Culture":"en-US","Region":"default","ExceptionDateBinary":"2016-04-03T22:57:47 03:00","ExceptionName":"","Message":"cpp: {P:0772 T:1584 S:1 D:57.47.868} - fail connect, hr=0x80070057","MethodName":"","OsName":"WinNT","OsPlatform":"x32","OsVersion":"5.1.2600 (Service Pack 3) SP: 3.0","StackTrace":"","BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","Product":"soft32","ProductVersion":"1.0","Campaign":"paid content","Offer":"","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:48 GMT
Connection: close
Content-Length: 0
POST /1/dg/3/error HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 587
Connection: Close
{"ApplicationName":"DownloadGuide2","ApplicationVersion":"3.0.0.135","Client":"freemium","Culture":"en-US","Region":"default","ExceptionDateBinary":"2016-04-03T22:57:45 03:00","ExceptionName":"","Message":"cpp: {P:0772 T:1616 S:1 D:57.45.868} - fail connect, hr=0x80070057","MethodName":"","OsName":"WinNT","OsPlatform":"x32","OsVersion":"5.1.2600 (Service Pack 3) SP: 3.0","StackTrace":"","BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","Product":"soft32","ProductVersion":"1.0","Campaign":"paid content","Offer":"","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:47 GMT
Connection: close
Content-Length: 0
POST /config-from-production HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-configs.buzzrin.de
Content-Length: 209
Connection: Close
{"os":"WinNT","osver":"5.1.2600 (Service Pack 3) SP: 3.0","lang":"en-US","uid":"75ed9567-aa58-4c8e-a8ea-3cad7c47ab03","prod":"soft32/1.0/campaigns/paid content/","expiresOn":"2114-07-12T09:08:46.150774 00:00"}
HTTP/1.1 200 OK
Content-Type: text/plain
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:38 GMT
Connection: close
Content-Length: 6540
{"certificate":"cyberservices","productSetup":"downloadguide/temp/89caaac7-fda7-4fd8-b3b0-944bf51fd3ae/DoNothing.exe","windowHeight":389,"windowWidth":506,"product":{"version":"1.0","displayName":"Soft32","installCodeJs":"","installTest":"true","files":[{"url":"hXXp://az687722.vo.msecnd.net/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/exe/DoNothing.exe","localFile":"DoNothing.exe","cmdParametersJs":"''","fileType":{"name":"Product","assemblyQualifiedName":"Freemium.Domain.Campaign.Product, Freemium.Domain"},"etag":null,"hash":null,"isExternalFile":false,"region":"default","version":"1.0","id":"soft32/1.0/default","name":"Soft32","isEncoded":false}],"uiFile":"hXXp://az687722.vo.msecnd.net/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/soft32-flow-5-text-en-us.zip","logo":"hXXp://az687722.vo.msecnd.net/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/DoNothing.png","installationPath":"","infoText":"<p>We will not save either your IP address or other user data. We will only evaluate anonymised statistics for the optimization of the usability and our product. By using the downloader you agree to the usage of such data according to our strict privacy policy guidelines. Please read our detailed licence agreement (EULA) as well.</p><p>In order to finance our service we permit software producers to advertise their products in the downloader. Before the integration every product of our advertising partners has to pass a security<<< skipped >>>
POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 401
Connection: Close
{"BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","Client":"freemium","DlgVersion":"3.0.0.135","Culture":"en-US","LocalTime":"2016-04-03T22:57:48 03:00","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","MessageName":"LoadingPrerequisitesFailed","Product":"soft32","ProductVersion":"1.0","Region":"default","Campaign":"paid content","Offer":"clickmein ltd/vuupc soft32/1.0/default","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:49 GMT
Connection: close
Content-Length: 0
POST /1/dg/3/error HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 587
Connection: Close
{"ApplicationName":"DownloadGuide2","ApplicationVersion":"3.0.0.135","Client":"freemium","Culture":"en-US","Region":"default","ExceptionDateBinary":"2016-04-03T22:57:48 03:00","ExceptionName":"","Message":"cpp: {P:0772 T:1852 S:1 D:57.48.447} - fail connect, hr=0x80070057","MethodName":"","OsName":"WinNT","OsPlatform":"x32","OsVersion":"5.1.2600 (Service Pack 3) SP: 3.0","StackTrace":"","BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","Product":"soft32","ProductVersion":"1.0","Campaign":"paid content","Offer":"","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:49 GMT
Connection: close
Content-Length: 0
POST /1/dg/3/error HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 730
Connection: Close
{"ApplicationName":"DownloadGuide2","ApplicationVersion":"3.0.0.135","Client":"freemium","Culture":"en-US","Region":"default","ExceptionDateBinary":"2016-04-03T22:57:47 03:00","ExceptionName":"","Message":"Can't load the file: errorCode=2147942487 url=[cdnUrl]/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/search-protect-single-text-en-us.zip","MethodName":"","OsName":"WinNT","OsPlatform":"x32","OsVersion":"5.1.2600 (Service Pack 3) SP: 3.0","StackTrace":"","BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","Product":"soft32","ProductVersion":"1.0","Campaign":"paid content","Offer":"conduit ltd/ultra search protect/1.0/default","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:49 GMT
Connection: close
Content-Length: 0
GET /public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/base.zip HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: az687722.vo.msecnd.net
Connection: Close
HTTP/1.1 200 OK
Cache-Control: public, max-age=3600
Content-MD5: yfeb6HeSX7QcohHPlnHtCg==
Content-Type: application/octet-stream
Date: Sun, 03 Apr 2016 22:57:46 GMT
Etag: 0x8D1E7FA33C226AC
Last-Modified: Wed, 17 Dec 2014 10:20:23 GMT
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: 8499791d-0001-0003-30fc-8d6637000000
x-ms-version: 2009-09-19
x-ms-write-protection: false
Content-Length: 34496
Connection: close
<<< skipped >>>
POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 407
Connection: Close
{"BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","Client":"freemium","DlgVersion":"3.0.0.135","Culture":"en-US","LocalTime":"2016-04-03T22:57:47 03:00","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","MessageName":"LoadingPrerequisitesFailed","Product":"soft32","ProductVersion":"1.0","Region":"default","Campaign":"paid content","Offer":"conduit ltd/ultra search protect/1.0/default","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:48 GMT
Connection: close
Content-Length: 0
POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 399
Connection: Close
{"BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","Client":"freemium","DlgVersion":"3.0.0.135","Culture":"en-US","LocalTime":"2016-04-03T22:57:45 03:00","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","MessageName":"RequirementsCheckStarted","Product":"soft32","ProductVersion":"1.0","Region":"default","Campaign":"paid content","Offer":"clickmein ltd/vuupc soft32/1.0/default","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:47 GMT
Connection: close
Content-Length: 0
GET /public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/soft32-flow-5-text-en-us.zip HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: az687722.vo.msecnd.net
Connection: Close
HTTP/1.1 200 OK
Cache-Control: public, max-age=3600
Content-MD5: rToHOmlZfbh7Kn10hOCSFg==
Content-Type: application/octet-stream
Date: Sun, 03 Apr 2016 22:57:45 GMT
Etag: 0x8D1E7FA33F9D9E9
Last-Modified: Wed, 17 Dec 2014 10:20:23 GMT
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: f3a05e8d-0001-001f-51fc-8dbe20000000
x-ms-version: 2009-09-19
x-ms-write-protection: false
Content-Length: 49236
Connection: close
<<< skipped >>>
GET //spidentifier/1.0.2.0/spidentifierimpl.exe HTTP/1.1
Host: sp-storage.spccinta.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Close
HTTP/1.1 200 OK
Last-Modified: Mon, 04 Apr 2016 01:57:39 GMT
Accept-Ranges: bytes
ETag: "bd95aafde34a6270e612f226404df5e3"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 2592168
Date: Sun, 03 Apr 2016 22:57:39 GMT
Connection: close
<<< skipped >>>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.conduit-data.com
Content-Length: 225
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"SPidentifier", "environment":"", "machine_ID":"X6DXB5LA8TCXW1SVVBM5RK8SRPSWASASMB3FBWLZVGDSK5SY8EJGP WASHJODV4YYUFBGJQOD3NWH/WF QMGXW", "result": "success", "failure_reason": "clean_machine", "SP_version": ""}
HTTP/1.1 202 Accepted
Date: Sun, 03 Apr 2016 22:57:44 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 355
Connection: Close
{"BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","Client":"freemium","DlgVersion":"3.0.0.135","Culture":"en-US","LocalTime":"2016-04-03T22:57:38 03:00","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","MessageName":"ApplicationStarted","Product":"soft32","ProductVersion":"1.0","Region":"default","Campaign":"paid content","Offer":"","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:40 GMT
Connection: close
Content-Length: 0
POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 405
Connection: Close
{"BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","Client":"freemium","DlgVersion":"3.0.0.135","Culture":"en-US","LocalTime":"2016-04-03T22:57:38 03:00","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","MessageName":"RequirementsCheckStarted","Product":"soft32","ProductVersion":"1.0","Region":"default","Campaign":"paid content","Offer":"conduit ltd/ultra search protect/1.0/default","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:40 GMT
Connection: close
Content-Length: 0
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
%s [this=0x%p]
%s [this=0x%p, root=lx, path='%s', f=0xlx] -> %d
- destroy/wait %d/%d self-living objects
- cancel %d timeouts
%s '%s' [err=%d]
%s [f='%s']
%s [n=%d] -> hr=0xx
%s [f=0x%p,t=%u]->id=%u
- replace active timeout #%u!
%s [url='%s',f='%s']
- fail, hr=0xx
%s [path='%s',mode=%d]
%s -> watch for self-living object 0x%p
%s -> self-living object 0x%p has finished the work -> wait when it is done
%s -> drop self-living object 0x%p as it is done
%s -> auto quit.
<#$@@$#>
- got tag of %d bytes
%s [id=%u,call=%d]
- unknown timeout #%d!
- hr=0xx
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
F3.0.0.135
DLG ENTRY v%s WIN%d.%d.%d ÛIT IE%d.%d
!>%s [name='%s']
%s fail [f='%s',err=%d]
%s, f='%s'
- %s failed: %d
%s [f='%s',len(d)=%d]
%s [id=%s,type=%s]
- size: %d
!>%s [this=0x%p]
- call end, this=0x%p, ret=%d
JsFileExecution::JsFileExecution
JsFileExecution::~JsFileExecution
JsFileExecution::doWorkRoutine
- can't validate exe, this=0x%p, err=%d, f='%s'
- ShellExecuteEx failed, this=0x%p, err=%d
- queue #%d: %d items, add 0x%p
- queue #%d: %d items, run 0x%p
- request start: this=0x%p (v=%d)
- request end: this=0x%p, hr=0xx
- drop cache for '%s'
- request stop: this=0x%p, hr=0xx, err='%s'
- fail connect, hr=0xx
HTTP/1.1
- fail open, hr=0xx
- fail add headers, hr=0xx
- enum http_response_headers: '%s' (0xx)
- enum http_response_headers -> '%s'
%s, this=0x%p
%s, this=0x%p, auto=%d
- send, counter=%d
- fail get status, hr=0xx
- status: %d
- need auth %d, counter=%d
- decide to repeat: %d
- repeat, counter=%d
- fail create file, hr=0xx, f='%s'
- fail write file, hr=0xx
- read %lu bytes by %lu portions
- fail %s, hr=0xx [url='%s',dtTot=%lld,dtCur=%lld]
%s, this=0x%p, handle=0x%p, status=%d
^-- server IP is '%s'
^-- host is '%s'
^-- redirect to '%s'
!>%s [this=0x%p,f='%s',d='%s']
%s failed: %d
- DefWinProc -> %d
%s [this=0x%p,show=%d]
%s [file='%s']
- can't load image [e=%d,f='%s']
- bad image size (%d,%d) [e=%d,f='%s']
- bad image type [p=%d,bpp=%d,f='%s']
- fail to %s key [err=%d]
- ID:='%s'
!>%s [len(code)=%d]
- error in script, hr=0xx
!>%s [f='%s']
%s, count=%d
%s, name='%s'
- no JScript progid, hr=0xx
- no JScript object, clsid=%s, hr=0xx
- can't create typical JScript object, hr=0xx
- register JScript, hr=0xx
- can't create JScript object manually, hr=0xx [%s]
- no parse interface, hr=0xx
- can't set site, hr=0xx
- can't init parser, hr=0xx
Eval, len(expr)=%d, ns='%s', hr=0xx
- no disp '%s', hr=0xx
ScriptError [scode=0xx, desc=%s, ctx=%d, line=%d, char=%d, src=%s]
CScriptSiteObj::GetItemInfo, name='%s'
%s, start [this=0x%p]
%s, done [this=0x%p]
- unpack `this`, hr=0xx
%d.%d
{P:d T:d S:%d D:d.d.d} %s%s [this=0x%p,main=%d,url='%s']
%s [url='%s']
%s, hwnd=0x%p
F%D,3
C:\TeamCity\BuzzrinAgent_2\work\ab5ba43f5f73927\DownloadGuide2\Release\DownloadGuide2.pdb
KERNEL32.dll
USER32.dll
GDI32.dll
COMDLG32.dll
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
RegEnumKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
DeleteUrlCacheEntryW
HttpOpenRequestA
HttpAddRequestHeadersA
HttpQueryInfoA
HttpSendRequestA
InternetCrackUrlW
WININET.dll
URLDownloadToFileW
urlmon.dll
GetProcessHeap
GetCPInfo
MsgWaitForMultipleObjects
.?AV?$CJsExportObject@VJsDllCaller@@UIJsAsyncWorkerSLO@@@@
.?AV?$CJsExportObject@VJsFileUnpacking@@UIJsAsyncWorkerSLO@@@@
.?AV?$CComCoClass@VJsFileExecution@@$1?GUID_NULL@@3U_GUID@@B@ATL@@
.?AV?$CJsExportObject@VJsFileExecution@@UIJsAsyncWorkerSLO@@@@
.?AV?$AsyncWorkerSLO@VJsFileExecution@@UIJsAsyncWorkerSLO@@@@
.?AVJsFileExecution@@
.?AV?$CComObject@VJsFileExecution@@@ATL@@
.?AV?$CJsExportObject@VJsFileRequest@@UIJsAsyncWorkerSLO@@@@
.?AUCJsExportObjectBase@@
.?AV?$CJsExportObject@VJsRegistryAccessor@@UIJsRegistryAccessor@@@@
.?AV?$CJsExportObject@VApp@@UIJsApp@@@@
.?AVDownloadStatus@?1??CallURLDownloadToFile@JsFileRequest@@AAEJABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@0V?$CComPtr@UIDispatch@@@ATL@@@Z@
.?AV?$CJsExportObject@VJsImageWindow@@UIJsImageWindow@@@@
.?AV?$CJsExportObject@VJsSysInfo@@UIJsSysInfo@@@@
.?AV?$CJsExportObject@VScriptManager@@UIJsScriptGlobal@@@@
.?AV?$CJsExportObject@VHtmlWindow@@UIJsHtmlWindow@@@@
.?AV?$_IDispEventLocator@$00$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventSimpleImpl@$00VHtmlWindow@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventImpl@$00VHtmlWindow@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B$1?LIBID_SHDocVw@@3U3@B$00$0A@VCComTypeInfoHolder@ATL@@@ATL@@
.?AV?$IJsDispEventImpl@$00VHtmlWindow@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B$1?LIBID_SHDocVw@@3U3@B$00$0A@VCComTypeInfoHolder@ATL@@@@
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
(}onlogmsg
hkeyt
/keyRootW
%ZkeyPathW
.defValWW
enumKeyW
psKeyWWWt
recurseDeleteKey
PsubKeyWW
Created by MIDL version 7.00.0555 at Fri Jul 11 09:39:56 2014
base64.js
json2.js
md5.js
scriptLib.js
scriptMain.js
css/style.css
noconnection.html
progress.html
loadingImage.bmp
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
KERNEL32.DLL
WUSER32.DLL
Advapi32.dll
@HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
This Windows system is unsupported.
Windows XP or higher and InternetExplorer 6 or higher are required.
zResData.zip
kernel32.dll
http_response_headers
http_response_status
yjscript.dll
user32.dll
c:\%original file name%.exe
ZRESDATA.ZIP
INITWINDOW.ZIP
LOADINGIMAGE.ZIP
3.0.0.135
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
spidentifierimpl.exe:1080
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\SPtool.dll (180359 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\js\jquery-1.10.2.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\e0ed048e90a6cd1636f19b7a343cf5600.12176183264327789 (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\base\js\jquery-1.10.2.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\progress.zip (11948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\br-rb.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\index.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\css\style.css (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\bar-lb.png (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\base\index.html (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\last\index.html (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\bar-bg.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\br-lb.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\last\last.zip (5572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\progress-bar.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\uifile.zip (6740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\last\img\img1.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\img\progress.png (784 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[1].txt (381 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\bar-rb.png (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZMXKP41\progress[1].zip (11948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\loadingImage\loadingImage.bmp (55014 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\454VKZUL\spidentifierimpl[1].exe (303947 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\img\progress-bar.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\cfg.txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\js\jquery-1.10.2.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\progress.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\last\css\style.css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\151.gif (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\base\base.zip (4708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\br-b.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZMXKP41\base[1].zip (4708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\icon.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\index.html (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\img\img1.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WHGLUX\last[1].zip (5572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\br-bg.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\454VKZUL\config-from-production[1].txt (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\initWindow\progress.html (1 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (387 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\last\js\jquery-1.10.2.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\requirements\spidentifierimpl.exe (303947 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\base\css\style.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\initWindow\css\style.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\initWindow\noconnection.html (905 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZMXKP41\soft32-flow-5-text-en-us[1].zip (6740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\css\style.css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\img1.png (784 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.