SearchProtectToolbar_pcap_3b83355e06

by malwarelabrobot on July 27th, 2017 in Malware Descriptions.

not-a-virus:Downloader.Win32.DownloAdmin.gen (Kaspersky), WebInstall (fs) (VIPRE), Trojan.Vittalia.81 (DrWeb), Application.Downloader (A) (Emsisoft), Artemis!3B83355E0624 (McAfee), Trojan.Gen.2 (Symantec), Win32:Adware-BGE [PUP] (AVG), Win32:Adware-BGE [PUP] (Avast), Trojan.NSIS.StartPage.FD, SearchProtectToolbar_pcap.YR (Lavasoft MAS)
Behaviour: Trojan, PUP, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 3b83355e062418a35f211e0ace53164e
SHA1: 5b6ebca72839ec2dad792122d9700c990c526a06
SHA256: dac059ad76c6096950fd5b8a372b3f0436d39f847b7ca6c4cbb41fe7e7bbb28c
SSDeep: 12288:fC XBEFsXqDunAjSvvpAIBeyGhI09OrbRHt/:fC XBk76AuXatv994bRN/
Size: 595888 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-06-22 21:07:51
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:3400

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3400 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\FloatingProgress.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\skin\res\common.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\skin\res\knockout.js (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\extension.tlb (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\GuiInit.lua (5064 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\IntegratedOffer.lua (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\EagerInstall.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\LuaSocket\lua\socket\ftp.lua (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\LuaBridge.dll (1597 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\lua51.dll (6527 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc13BF.tmp (40009 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\Sandbox.lua (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\skin\res\jquery.js (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\utils.lua (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\Scheduler.lua (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\json.lua (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\LuaSocket\mime\core.dll (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\CallbackProxy.lua (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\nsisunz.dll (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\UACInfo.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\LuaSocket\lua\socket.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\un.package.exe (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\LuaSocket\socket\core.dll (2473 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\AdvancedTests.lua (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\DownloadThread.lua (581 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\LuaSocket\lua\socket\http.lua (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\LuaSocket\lua\socket\smtp.lua (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\NotifyIcon.lua (302 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\ProcessFreeFile.lua (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\LuaSocket\lua\mime.lua (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\LuaXml_lib.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\version.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\__web.xml (3848 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\DownloadList.lua (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\skin\res\common.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\luacom.dll (10136 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\LuaSocket\lua\ltn12.lua (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\BrowserControl.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\nsis7z.dll (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\LuaXml.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\LuaSocket\lua\socket\url.lua (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\Downloads.lua (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\BundleInstall.lua (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\LuaSocket\lua\socket\tp.lua (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\UiState.lua (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\System.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\definitions.lua (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\skin.zip (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\Env.lua (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\Events.lua (912 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsc13BE.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp (0 bytes)

Registry activity

Dropped PE files

MD5 File path
0f26c6d34d3841e93145dd00d0175651 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\FloatingProgress.dll
b31fd429994a796b9b2d7fb515849707 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\LuaBridge.dll
4a4845ba1666907f708c9c10a31ec227 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\LuaSocket\mime\core.dll
4bf7db111acfa7c28ad36606107b3322 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\LuaSocket\socket\core.dll
7292b642bd958aeb7fd7cfd19e45b068 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\LuaXml_lib.dll
7e3c808299aa2c405dffa864471ddb7f c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\System.dll
d02a497be5f89c44827f142c4662f591 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\UACInfo.dll
13c3a33c1f6e43f38de533fd0b766c98 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\lua51.dll
ed7f7857933b38e5d10daf828e79af19 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\luacom.dll
692479f7c07a64a6a632148e382f0e22 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\nsis7z.dll
5f13dbc378792f23e598079fc1e4422b c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\nsisunz.dll
5694e7daf20c47c8d5e73d4a838c2ee6 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\un.package.exe
ebc5bb904cdac1c67ada3fa733229966 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\version.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Language Neutral

PE Sections

Name     Virtual Address   Virtual Size   Raw Size   Entropy    Section MD5
.text    4096              23294          23552      4.47651    ad2ebf079e89cd95e3fda4bd0b869620
.rdata   28672             5272           5632       3.56156    45097a769b809e006a7e5c1f08e7cba2
.data    36864             109756         512        0.972488   4b5dfd97899e385b2193064eb045da6b
.ndata   147456            176128         0          0          d41d8cd98f00b204e9800998ecf8427e
.rsrc    323584            37704          37888      4.24042    fbf90b6bec8d0eb3baf27327b84b7472
.reloc   364544            2680           3072       3.86498    bd33af9438036e756fe3734a5dc7bcc6

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 34

URLs

URL IP
hxxp://download.webinstall.com/install?s=fivemill&c=SEM&variation=&brand=Download.com&pid=dlcom_sem&aid=download_brava_readerb&bc=58867&country=US 50.22.63.139
hxxp://a1742.c.akamai.net/u/tightrope/dlm/skins/04172014/Download.com-sem-wait-skipall.zip
software-files-a.cnet.com 62.140.236.154


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /install?s=fivemill&c=SEM&variation=&brand=Download.com&pid=dlcom_sem&aid=download_brava_readerb&bc=58867&country=US HTTP/1.1
connection: close, TE
x-exename: %original file name%.exe
x-webinstallurl: hXXp://download.webinstall.com/install?s=fivemill&c=SEM&variation=&brand=Download.com&pid=dlcom_sem&aid=download_brava_readerb&bc=58867&country=US
user-agent: Tightrope Bundle Manager(ref=[32799fd3eb0aafa648561ddb97f27ad36c7bdfde];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=398520;pid=3400)
x-webinstallcode: complete url:hXXp://download.webinstall.com/install?s=fivemill&c=SEM&variation=&brand=Download.com&pid=dlcom_sem&aid=download_brava_readerb&bc=58867&country=US
te: trailers
host: download.webinstall.com


HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 26 Jul 2017 14:15:45 GMT
Age: 0
Connection: close
X-Cache: MISS
008000..<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.
<Installer>. <Bundle>. <CustomParameter Name=
"ProductSetId">76761</CustomParameter>. <CustomPara
meter Name="ProductId">14257343</CustomParameter>. <
CustomParameter Name="ProductName">Brava Reader - 7.3.0.154</Cu
stomParameter>. <CustomParameter Name="FileName">Brava
Reader.exe</CustomParameter>. <CustomParameter Name="N
ame">Brava Reader - 7.3.0.154</CustomParameter>. <C
ustomParameter Name="Category">Downloads^Business Software^Document
Management Software</CustomParameter>. <CustomParamet
er Name="CategoryId">10743</CustomParameter>. <Cust
omParameter Name="PublishDate">2015-04-28</CustomParameter>.
<CustomParameter Name="FileSize">45813136</CustomParam
eter>. <CustomParameter Name="DownloadLink">hXXp://sof
tware-files-a.cnet.com/s/software/14/25/73/43/BravaReader.exe?token=14
36684632_2a0b9266cb7d08e23c00d96a384cd9df</CustomParameter>.
<CustomParameter Name="License">Free</CustomParameter>
. <CustomParameter Name="ProductVersion">7.3.0.154</Cu
stomParameter>. <LinkBelowEula>false</LinkBelowEula
>. <OptInDefault>false</OptInDefault>. <
ProductBinary embed="false" msioptions="" options="">hXXp://softw
are-files-a.cnet.com/s/software/14/25/73/43/BravaReader.exe?token=

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_3400:

.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
uDSSh
hu2.iu
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
%s=%s
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegDeleteKeyA
RegCloseKey
RegEnumKeyA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
ers\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\LuaBridge.dll
ss.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp\LuaBridge.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss13D0.tmp
s\UrlAssociations\http\UserChoice
.reloc
GetProcessHeap
Z:\Programming\GitHome\master\Employers\Franco\TightRope-BundleManager\Custom\Scramble\Release\Scramble.pdb
nss13D0.tmp
-exec
e go back to Download.com and try again.]],[[CNET: Download.com]],0x00040000) -- C:/BM/2.5/BINARIES/Downloadcom-Dynamic/production/setup.exe.nsi:Line 1157.2
me=398520;pid=3400)]]}) -- C:/BM/2.5/BINARIES/Downloadcom-Dynamic/production/setup.exe.nsi:Line 960.2
Tightrope Bundle Manager(ref=[32799fd3eb0aafa648561ddb97f27ad36c7bdfde];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=398520;pid=3400)
c:\%original file name%.exe
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsc13BE.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
IE.HTTP
%.sLu&oG
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System vtightrope</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
The DownloadAdmin Installer is a certified TRUSTe Trusted Download Program.
com.build.date
8/1/2013
com.build.dir
C:\BM\2.5\WebTemplates
com.build.id
com.build.machine
com.build.skin
com.build.time
com.build.user
$%USER%

%original file name%.exe_3400_rwx_10004000_00001000:

callback%d


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the files created/modified by the Trojan, listed under "File activity" above.

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
