SearchProtectToolbar_pcap_c59998d96f

by malwarelabrobot on December 4th, 2014 in Malware Descriptions.

Trojan.NSIS.StartPage.FD, SearchProtectToolbar_pcap.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: c59998d96f94ef1b5920605694475614
SHA1: 2070cfc7f88a7e515714246abade9f3e12bbf3e3
SHA256: 5f9144c4fcec224eb26161bec6ccf26514a182da3bd83c450874a951aea850d8
SSDeep: 12288:bxpJfslZtuaVd9lpmhwQbift489IVGD4xJFl6Xqb5Kbmkg8Sz:1p9sVuaVdvgVbmgGDijyikg5z
Size: 842992 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-07-15 19:29:31
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:764
%original file name%.exe:1484

The Trojan injects its code into the following process(es):

%original file name%.exe:676

Mutexes

The following mutexes were created/opened:

ShimCacheMutex
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_

File activity

The process %original file name%.exe:676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\url.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\res\knockout.js (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket\url.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\wininet_h.lua (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\DALogo.jpg (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\progress.css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\mod.css (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\developer_btn.gif (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\install_now_btn.gif (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\json.lua (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\compat.lua (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaXml_lib.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\UACInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\bit.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\FloatingProgress.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\offer_filters.lua (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\back.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\cancel.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\notifyicon.lua (302 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\luaxml.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\minimise.gif (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\callbackproxy.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\DALogo2.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\offers.css (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\options.json (121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\api_substitution.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\nsis7z.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\survey_environment.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\ffi.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\acceptGreen2x.gif (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\wintypes.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\ltn12.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\close.gif (510 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\next.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaBridge.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\net_utils.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\step_off.gif (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket\tp.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\headerBG.gif (366 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\offer_stats.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\decline.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\luacom.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\un.package.exe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\ftp.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\lua51.dll (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\System.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\win32_constants.lua (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\nsisunz.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\DownloadThread.lua (579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\stepBG.gif (946 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\icon_folder.gif (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket\http.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\eagerinstall.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\conditional_engine.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\defs.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\data_injection.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin.zip (11948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\io.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\bundleinstall.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\browserutils.dll (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\cancel.css (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\service_registry.lua (462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\uninstall.gif (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\res\jquery.js (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\vm_details.lua (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\socket\core.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\uistate.lua (310 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket\smtp.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\versioninfo.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\utils.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\ok.gif (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\res\common.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\truste.gif (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\scheduler.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\mime\core.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\mime.lua (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Administrative Tools\desktop.ini (62 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\processfreefile.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\IntegratedOffer.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB9.tmp (48761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\.DS_Store (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\downloads.lua (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\GuiInit.lua (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\index.html (10225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\step_on.gif (142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\packaged_app.lua (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket\ftp.lua (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\core.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\async_tracking.lua (799 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\Events.lua (912 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\env.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\bg4.gif (1417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\DownloadList.lua (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\BrowserControl.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\__web.xml (129187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\decline_offer_btn.gif (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\ltn12.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\AdvancedTests.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\skip_all_offers_btn.gif (337 bytes)
%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\definitions.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\data_stores.lua (703 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\http.lua (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\extension.tlb (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\win32_pipeserver.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\res\common.js (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\sandbox.lua (8 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nstB8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp (0 bytes)

The process %original file name%.exe:764 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsmB3.tmp (6522 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB4.tmp\LuaBridge.dll (1856 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nswB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB4.tmp (0 bytes)

The process %original file name%.exe:1484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nscB6.tmp (6522 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB7.tmp\LuaBridge.dll (1856 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsxB5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB7.tmp\LuaBridge.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB7.tmp (0 bytes)

Registry activity

The process %original file name%.exe:676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B DF 41 76 19 B2 0B D5 93 E2 BD 42 D2 EE 46 E3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shell32.dll,-21762" = "Administrative Tools"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 EF 71 32 27 E5 3B 8E 4B B6 7C FA 91 12 51 D3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:1484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 0E 61 94 77 6E 70 9D 7E 7D A6 12 38 80 77 1F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nshB7.tmp\LuaBridge.dll,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5 File path
0f26c6d34d3841e93145dd00d0175651 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\FloatingProgress.dll
a990de9edf0145ca5b01761978f49432 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\LuaBridge.dll
4a4845ba1666907f708c9c10a31ec227 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\LuaSocket\mime\core.dll
4bf7db111acfa7c28ad36606107b3322 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\LuaSocket\socket\core.dll
7292b642bd958aeb7fd7cfd19e45b068 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\LuaXml_lib.dll
7e3c808299aa2c405dffa864471ddb7f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\System.dll
d02a497be5f89c44827f142c4662f591 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\UACInfo.dll
0a29e1b270ccea61aba7d7cdd10e0388 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\bit.dll
dd8a05024e825f75d3d151ea84bf414e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\browserutils.dll
e390287499549de31da007f7f0ae4d10 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\ffi.dll
fceee0026aafd237afdb4aea4ecd3557 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\lua51.dll
b991f57d815ca821cdb42d2792db366f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\luacom.dll
692479f7c07a64a6a632148e382f0e22 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\nsis7z.dll
5f13dbc378792f23e598079fc1e4422b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\nsisunz.dll
5694e7daf20c47c8d5e73d4a838c2ee6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\un.package.exe
ebc5bb904cdac1c67ada3fa733229966 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\versioninfo.dll
e626f4baffc82488c1efd873c250fb09 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdBA.tmp\win32_pipeserver.dll
a990de9edf0145ca5b01761978f49432 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nshB7.tmp\LuaBridge.dll
a990de9edf0145ca5b01761978f49432 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsrB4.tmp\LuaBridge.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23306 23552 4.47645 325c988d9f77e7ce27fe1fa6f6fd93f7
.rdata 28672 5397 5632 3.61721 64bdba47e612466214b378a9e0d4057c
.data 36864 109756 512 0.972488 c11d691b44d2912a53e6b566fedf2406
.ndata 147456 147456 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 294912 191960 192000 2.99591 27689cb0ad69a7df7e0617c8c171883d
.reloc 487424 2682 3072 0 d2a70550489de356a2cd6bfc40711204

Dropped from:

Downloaded by:

Similar by SSDeep:

74cf799d2b2e3748ac160be2de866024

Similar by Lavasoft Polymorphic Checker:

Total found: 33
74cf799d2b2e3748ac160be2de866024
30203109b1315fe9bdb6f6b3d5798d86
6cfecdd532e5a02fe6e23f48d26b2980
11f91cced7a56680764f7a11daf76102
cd666b37847371d96e5030674e4b54fd
65d015f5fafcba0c41920aabed9b2504
e24bfc473722f931906fd42c00e8aa9f
381df266f0ba75b5865984d2c9227767
0f15db7911bd0e23737fa09025e36876
24955e348ab54a2cd675b4932b8a579b
68ac5f947e533fbc208fa95233856542
3f42474d2bf31d57e6de1bf54469da50
4563c7fd2ecb119eeacdb345d898ca9d
b4d49afac88e07c9c2df6bae4c478fb2
2433df1ac0d6a7f7f2e7fdb23b20d5e9
81723ceb7e4786ce3708bb92828a9c52
5a2a721f44714b0c8f91bd9e9f38bbfb
4dfacaf752758ee251c553223ba627df
9a3ec0b57e818c09a66b3824a662e403
96f9aafdeb4e3795faef3dc087ec9190
ce366baa1b878a9ee4da37f9f6d0d012
13b269b820db3043f6540f6fcf10ad21
7e54275f20d804e6d35b027c78af6ebe
65aba2777ce3eafb06162d83f1025e81
2cfd0d956fbb9a2e8ac21232f98e6eab

URLs

URL IP
hxxp://service.downloadadmin.com/install?bc=10090&pid=ZeroPaid&brand=ZeroPaid.com&s=ZeroPaid&c=7Zip_ZeroPaid&country=US&secure=true 50.22.63.138
hxxp://a728.g.akamai.net/skins/da/03042014/DownloadAdmin_Google_DevInfo.zip
hxxp://service.downloadadmin.com/env?s=ZeroPaid&c=7Zip_ZeroPaid&brand=ZeroPaid.com&pid=ZeroPaid&bc=10090&country=US 50.22.63.138
hxxp://mirror.mirror-files.com/skins/da/03042014/DownloadAdmin_Google_DevInfo.zip 184.84.243.207


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /install?bc=10090&pid=ZeroPaid&brand=ZeroPaid.com&s=ZeroPaid&c=7Zip_ZeroPaid&country=US&secure=true HTTP/1.1
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?bc=10090&pid=ZeroPaid&brand=ZeroPaid.com&s=ZeroPaid&c=7Zip_ZeroPaid&country=US&secure=true
X-Exename: %original file name%.exe
X-WebInstallUrl: hXXp://service.downloadadmin.com/install?bc=10090&pid=ZeroPaid&brand=ZeroPaid.com&s=ZeroPaid&c=7Zip_ZeroPaid&country=US&secure=true
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1513890;pid=676)
Host: service.downloadadmin.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 03 Dec 2014 06:56:16 GMT
Age: 0
X-TVAR: 
X-Cache: MISS
008000..<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Installer>
  <Bundle>
    <BrandingText></BrandingText>
    <BrandingUrl></BrandingUrl>
    <BundleVisibility></BundleVisibility>
    <Category></Category>
    <CustomCss></CustomCss>
    <ComScoreCampaignId></ComScoreCampaignId>
    <ComScorePageBanner></ComScorePageBanner>
    <ComScorePartnerName></ComScorePartnerName>
    <ComScoreQuestionnaire></ComScoreQuestionnaire>
    <CustomParameter Name="VerboseErrors">true</CustomParameter>
    <LinkBelowEula>false</LinkBelowEula>
    <OfflineEula></OfflineEula>
    <OptInDefault>false</OptInDefault>
    <OptInText></OptInText>
    <PlainEula></PlainEula>
    <ProductBanner></ProductBanner>
    <ProductBinary embed="false" msioptions="" options="/S">hXXp://mirror.mirror-files.com/binstallers/BM2/vlc/exe/vlc-2.0.0-win32.exe</ProductBinary>
    <ProductEula comboPrimary="false" embed="false">hXXp://mirror.mirror-files.com/binstallers/BM2/vlc/ipage/vlc-generic-bm25.mht</ProductEula>
    <ProductLogo></ProductLogo>
    <Primary>true</Primary>
    <ProductId>10</ProductId>
    <ProductName>VLC Media Player</ProductName>
    <RegistryK

<<< skipped >>>

POST /install?bc=10090&pid=ZeroPaid&brand=ZeroPaid.com&s=ZeroPaid&c=7Zip_ZeroPaid&country=US&secure=true HTTP/1.1
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?bc=10090&pid=ZeroPaid&brand=ZeroPaid.com&s=ZeroPaid&c=7Zip_ZeroPaid&country=US&secure=true
Content-Type: application/x-www-form-urlencoded
X-WebInstallUrl: hXXp://service.downloadadmin.com/install?bc=10090&pid=ZeroPaid&brand=ZeroPaid.com&s=ZeroPaid&c=7Zip_ZeroPaid&country=US&secure=true
X-Exename: %original file name%.exe
Content-Length: 10
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1513890;pid=676)
Host: service.downloadadmin.com
Connection: Keep-Alive

delta=6469
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 03 Dec 2014 06:56:16 GMT
Age: 0
X-Cache: MISS
0......



GET /env?s=ZeroPaid&c=7Zip_ZeroPaid&brand=ZeroPaid.com&pid=ZeroPaid&bc=10090&country=US HTTP/1.1

X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?bc=10090&pid=ZeroPaid&brand=ZeroPaid.com&s=ZeroPaid&c=7Zip_ZeroPaid&country=US&secure=true
X-Exename: %original file name%.exe
X-WebInstallUrl: hXXp://service.downloadadmin.com/install?bc=10090&pid=ZeroPaid&brand=ZeroPaid.com&s=ZeroPaid&c=7Zip_ZeroPaid&country=US&secure=true
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1513890;pid=676)
Host: service.downloadadmin.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 03 Dec 2014 06:56:18 GMT
Age: 0
X-TVAR: 
X-Cache: MISS
00884..<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Installer>
  <Environment>
    <Entry name="over-threshold:iToolBox (US)">true</Entry>
    <Entry name="over-threshold:EnhanceWeb (US)">true</Entry>
    <Entry name="over-threshold:LookThisUp (US)">true</Entry>
    <Entry name="over-threshold:RocketTab (US)">true</Entry>
    <Entry name="over-threshold:PicColor (US)">true</Entry>
    <Entry name="over-threshold:SystemOptimizer Pro (US)">true</Entry>
    <Entry name="over-threshold:ShopForYourCause (US)">true</Entry>
    <Entry name="over-threshold:Social Theme (US)">true</Entry>
    <Entry name="over-threshold:VuuPC (ClickMeIn) (US)">true</Entry>
    <Entry name="over-threshold:Yahoo Smartbar (UK)">true</Entry>
    <Entry name="over-threshold:Yahoo Smartbar (FR)">true</Entry>
    <Entry name="over-threshold:PicRec UK">true</Entry>
    <Entry name="over-threshold:VuuPC (ClickMeIn) (GB)">true</Entry>
    <Entry name="over-threshold:VBates (CA)">true</Entry>
    <Entry name="over-threshold:VuuPC (ClickMeIn) (CA)">true</Entry>
    <Entry name="over-threshold:Registry Helper (SafeApp Software) (INTL)">true</Entry>
    <Entry name="over-threshold:PC Speed Maximizer (FR) (Avanquest)">true</Entry>
    <Entry name="over-threshold:LookThisUp (FR)">true</Entry>
    <Entry name="over-threshold:VuuPC (ClickMeIn) (FR)">true</Entry>
    <Entry name="over-threshold:Yahoo S

<<< skipped >>>

GET /skins/da/03042014/DownloadAdmin_Google_DevInfo.zip HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1513890;pid=676)
Host: mirror.mirror-files.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "1afaa98075fcb4e70a449fb2c68d2f91:1393974846"
Last-Modified: Tue, 04 Mar 2014 23:14:06 GMT
Accept-Ranges: bytes
Content-Length: 84488
Content-Type: application/zip
Date: Wed, 03 Dec 2014 06:56:18 GMT
Connection: keep-alive
[ZIP archive body, 84488 bytes, binary not reproduced: the PK local-file headers name the entries options.json, skin/.DS_Store and skin/acceptGreen2x.gif, the same names that appear in the file list below under nsdBA.tmp\skin.]

<<< skipped >>>
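
The User-Agent in the request above is a telemetry beacon rather than a browser string: it reports the Windows version (5.1), IE version, whether UAC is off, whether the process is elevated, the .NET version, a start time and the PID, and the "elevated=true;uac=false" pair is consistent with the requireAdministrator manifest in the string dump further down. That makes the header a usable network indicator. The following is an added example, not Lavasoft's code or the bundle's: it parses the beacon fields and scans a plain-text capture for requests carrying it. The captured request is taken verbatim from this page; the second, benign request and the capture layout (blank-line separated request blocks) are constructed for the demonstration.

```python
"""Flag and decode the "Tightrope Bundle Manager" User-Agent beacon (added example)."""
import re
from typing import Dict, List, Optional

# Signature derived from the captured request on this page: a 40-hex "ref" followed by
# semicolon-separated key=value telemetry inside the parentheses.
UA_RE = re.compile(
    r"^Tightrope Bundle Manager\(ref=\[(?P<ref>[0-9a-f]{40})\];(?P<kv>[^)]*)\)$"
)


def parse_bundle_manager_ua(ua: str) -> Optional[Dict[str, str]]:
    """Return the beacon's fields as a dict, or None for any other User-Agent."""
    m = UA_RE.match(ua.strip())
    if not m:
        return None
    fields = {"ref": m.group("ref")}
    for item in m.group("kv").split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def scan_http_requests(capture: str) -> List[Dict[str, str]]:
    """Split a plain-text capture into request blocks and report the ones carrying the beacon."""
    findings = []
    for block in re.split(r"\n\s*\n", capture.strip()):
        lines = block.strip().splitlines()
        if not lines:
            continue
        request_line = lines[0].split()
        if len(request_line) < 3 or not request_line[-1].startswith("HTTP/"):
            continue  # not an HTTP request line; skip response blocks and noise
        headers = {}
        for line in lines[1:]:
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        fields = parse_bundle_manager_ua(headers.get("user-agent", ""))
        if fields:
            findings.append({
                "method": request_line[0],
                "path": request_line[1],
                "host": headers.get("host", ""),
                **fields,
            })
    return findings


# Constructed sample: the first request is the one captured on this page, the second is a
# benign browser request added for contrast.
SAMPLE_CAPTURE = """GET /skins/da/03042014/DownloadAdmin_Google_DevInfo.zip HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1513890;pid=676)
Host: mirror.mirror-files.com
Connection: Keep-Alive

GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 5.1) Gecko/20100101 Firefox/33.0
Host: www.example.com
Connection: Keep-Alive
"""

if __name__ == "__main__":
    for hit in scan_http_requests(SAMPLE_CAPTURE):
        print(hit)
```

Matching on the exact "Tightrope Bundle Manager(" prefix keeps the rule narrow; the decoded "elevated" and "uac" fields tell the analyst at a glance whether the download ran with administrative rights on the victim host.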

The Trojan connects to the servers at the following location(s):

%original file name%.exe_764:

.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
uDSSh
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
%s=%s
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegDeleteKeyA
RegCloseKey
RegEnumKeyA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
stub_lzma.exe
dm\LOCALS~1\Temp\nsrB4.tmp\LuaBridge.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsrB4.tmp\LuaBridge.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsrB4.tmp
LuaBridge.dll
?execFile@LuaBridge@@YA_NPAUnamed_state_t@1@PBD@Z
?processPipeCommands@LuaBridge@@YAHPAUnamed_state_t@1@PAX_N@Z
_luabridge_exec_file@8
C:\Programming\GitHome\LuaBridge\Release\LuaBridge.pdb
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
6%6.676@6
242;2]2{2
4 4$4(4,4044484<4
.textbss
.idata
ProxyForUrl
Win32.Job
Nsis.PluginCall
Win32.Handle
Error:Unknown /state named %s
evalResp{args=%x,stateName=%x}
evalLuaFile[state=%x/%s][thread=%d](%s)
nsLua.cpp
WM_EXEC_FILE|File=
LuaRemoteLoop[state=%x/%s][thread=%d]
com.luabridge.WndProcTable
[%s]Error Handling Message(%d,%d,%d,%d):%s
[%s]Calling Global Function(%s)
checkIsChild:Failed to Get Exe Path(rc=%d)
checkIsChild:Failed to SetEnvironmentVariable(rc=%d)
checkIsChild:Failed to Create Shared Data Block(rc=%d)
checkIsChild:Create process failed(rc=%d)
checkIsChild:GetExitCodeProcess failed(rc=%d)
[%s]Error Evaluating %s
ERROR:%s
PipeName:
evalLuaString[state=%x/%s][thread=%d](%s)
DBGHELP.DLL
Saved dump file to '%s'
Failed to save dump file to '%s' (error %d)
Failed to create dump file '%s' (error %d)
DBGHELP.DLL too old
DBGHELP.DLL not found
Thread named '%s' could not be found
Expected async state name:%s
unknown state name '%s'
evalInState() error; no code passed
ERROR:Cannot post to state[%s] not async and note default
lua51.dll
WINMM.dll
IPHLPAPI.DLL
msvcrt.dll
CreatePipe
ShellExecute
EnumRegKey
create_pipe
nsrB4.tmp
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsrB4.tmp
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nswB2.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5334543
8664755
8760876
<assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/>
<description>Nullsoft Install System v5.6.7
<dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
com.build.date
8/27/2014
com.build.dir
C:\BundleManager\25\WebTemplates
com.build.id
com.build.machine
com.build.skin
com.build.time
com.build.user
$%USER%

%original file name%.exe_676:

.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
uDSSh
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
%s=%s
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegDeleteKeyA
RegCloseKey
RegEnumKeyA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
stub_lzma.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsdBA.tmp\LuaBridge.dll
ss.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsdBA.tmp\LuaBridge.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsdBA.tmp
ns\UrlAssociations\http\UserChoice
GetProcessHeap
Z:\Programming\GitHome\master\Employers\Franco\TightRope-BundleManager\Custom\Scramble\Release\Scramble.pdb
C:\Nsis\Browser-%s
nswebForwarder
CustomNsWebContainer
`'\%D,3
WININET.dll
EnumChildWindows
OLEAUT32.dll
customnsWeb.dll
C:\Programming\GitHome\bm-core-main.git\25\Custom\Nsweb\Release\nsWeb.pdb
CustomNsWebForwarder
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
1 1$1(1,10141
.reloc
#-,.mT:
!$"'(!((!$&
##-,#1.#0- !%
!  .76:76:*),
#" *#1.#1.!#&
nsdBA.tmp
-exec
Paid]],0x00040000) -- C:/BM/2.5/BINARIES/DownloadAdmin-Dynamic/production/popup/rebuilt_nosource.exe.nsi:Line 1202.2
xe.nsi:Line 1078.2
true;dotnet=4;startTime=1513890;pid=676)]]}) -- C:/BM/2.5/BINARIES/DownloadAdmin-Dynamic/production/popup/rebuilt_nosource.exe.nsi:Line 980.2
Tightrope Bundle Manager(ref=[ea9d979dcbb4c5ffd1cbea8eff65e4806ada1b92];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1513890;pid=676)
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nstB8.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
"%Program Files%\Internet Explorer\iexplore.exe" -nohome
plore.exe" -nohome
1513890
5334543
8664755
8760876
<assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/>
<description>Nullsoft Install System v5.6.7
<dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
lorer\iexplore.exe" -nohome
com.build.date
8/27/2014
com.build.dir
C:\BundleManager\25\WebTemplates
com.build.id
com.build.machine
com.build.skin
com.build.time
com.build.user
$%USER%

%original file name%.exe_676_rwx_003E4000_00001000:

callback%d

%original file name%.exe_676_rwx_015E1000_0000A000:

Portions Copyright (c) 1999,2003 Avenger by NhT
KWindows
GetProcessHeap
.idata
.edata
P.reloc
P.rsrc


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:764
    %original file name%.exe:1484

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\url.lua (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\res\knockout.js (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket\url.lua (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\wininet_h.lua (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\DALogo.jpg (457 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\progress.css (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\mod.css (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\developer_btn.gif (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\install_now_btn.gif (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\json.lua (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\compat.lua (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaXml_lib.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\UACInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\bit.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\FloatingProgress.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\offer_filters.lua (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\back.gif (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\cancel.gif (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\notifyicon.lua (302 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\luaxml.lua (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\minimise.gif (503 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\callbackproxy.lua (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\DALogo2.gif (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\offers.css (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\options.json (121 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\api_substitution.lua (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\nsis7z.dll (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\survey_environment.lua (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\ffi.dll (7192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\acceptGreen2x.gif (337 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\wintypes.lua (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\ltn12.lua (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\close.gif (510 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\next.gif (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaBridge.dll (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\net_utils.lua (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\step_off.gif (138 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket\tp.lua (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\headerBG.gif (366 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\offer_stats.lua (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\decline.gif (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\luacom.dll (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\un.package.exe (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\ftp.lua (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\lua51.dll (9320 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket.lua (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\System.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\win32_constants.lua (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\nsisunz.dll (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\DownloadThread.lua (579 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\stepBG.gif (946 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\icon_folder.gif (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket\http.lua (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\eagerinstall.lua (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\conditional_engine.lua (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\defs.lua (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\data_injection.lua (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin.zip (11948 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\io.lua (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\bundleinstall.lua (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\browserutils.dll (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\cancel.css (578 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\service_registry.lua (462 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\uninstall.gif (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\res\jquery.js (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\vm_details.lua (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\socket\core.dll (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\uistate.lua (310 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket\smtp.lua (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\versioninfo.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\utils.lua (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\ok.gif (337 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\res\common.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\truste.gif (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\scheduler.lua (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\mime\core.dll (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\mime.lua (2 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Administrative Tools\desktop.ini (62 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\processfreefile.lua (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\IntegratedOffer.lua (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsyB9.tmp (48761 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\.DS_Store (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\downloads.lua (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\GuiInit.lua (5520 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\index.html (10225 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\step_on.gif (142 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\packaged_app.lua (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\socket\ftp.lua (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\core.lua (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\async_tracking.lua (799 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\Events.lua (912 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\env.lua (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\bg4.gif (1417 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\DownloadList.lua (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\BrowserControl.lua (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\__web.xml (129187 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\decline_offer_btn.gif (337 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\LuaSocket\lua\ltn12.lua (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\AdvancedTests.lua (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\skin\skip_all_offers_btn.gif (337 bytes)
    %Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\definitions.lua (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\data_stores.lua (703 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\wininet\http.lua (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\extension.tlb (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\win32_pipeserver.dll (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\skin\res\common.js (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdBA.tmp\sandbox.lua (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsmB3.tmp (6522 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsrB4.tmp\LuaBridge.dll (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscB6.tmp (6522 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nshB7.tmp\LuaBridge.dll (1856 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
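
Steps 2 and 3 of the manual removal can be scripted so that nothing is deleted on a guess. The following is an added example, not Lavasoft's tooling: it confirms a suspected dropper against the MD5 and SHA256 listed at the top of this report, then locates NSIS plugin directories under a temp folder that contain files dropped by this bundle and removes them. The directory-name pattern ("ns", one letter, hex digits, ".tmp", as in nsdBA.tmp, nsrB4.tmp and nshB7.tmp above) and the choice of marker files are assumptions drawn from the file list; the fixture directory tree is constructed for the demonstration.

```python
"""Triage helpers for the manual-removal steps above (added example)."""
import hashlib
import os
import re
import shutil
import tempfile
from typing import Dict, List

# Hashes of the analyzed sample, as listed at the top of this report.
KNOWN_SAMPLE = {
    "md5": "c59998d96f94ef1b5920605694475614",
    "sha256": "5f9144c4fcec224eb26161bec6ccf26514a182da3bd83c450874a951aea850d8",
}

# Assumption: NSIS plugin directories are named "ns" + one letter + hex digits + ".tmp",
# matching nsdBA.tmp, nsrB4.tmp, nshB7.tmp, nsmB3.tmp ... in the file list above.
NSIS_TMP_RE = re.compile(r"^ns[a-z][0-9A-Fa-f]+\.tmp$")

# Files this bundle drops into its plugin directory (taken from the file list above);
# any one of them is enough to flag the directory. Plain NSIS installers have none of these.
MARKER_FILES = {"LuaBridge.dll", "bundleinstall.lua", "GuiInit.lua", "IntegratedOffer.lua"}


def file_digests(path: str) -> Dict[str, str]:
    """MD5 and SHA256 of a file, streamed so large droppers are not read into memory at once."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def is_known_sample(path: str) -> bool:
    """Step 2: confirm the file is the analyzed sample before deleting it."""
    return file_digests(path) == KNOWN_SAMPLE


def find_bundle_temp_dirs(temp_root: str) -> List[str]:
    """Step 3: NSIS plugin directories under temp_root that carry the bundle's marker files."""
    hits = []
    for name in sorted(os.listdir(temp_root)):
        full = os.path.join(temp_root, name)
        if not (os.path.isdir(full) and NSIS_TMP_RE.match(name)):
            continue
        present = set()
        for _root, _dirs, files in os.walk(full):
            present.update(files)
        if present & MARKER_FILES:
            hits.append(full)
    return hits


def remove_bundle_temp_dirs(temp_root: str, dry_run: bool = True) -> List[str]:
    """Delete the flagged directories; dry_run=True only reports what would be removed."""
    targets = find_bundle_temp_dirs(temp_root)
    if not dry_run:
        for directory in targets:
            shutil.rmtree(directory, ignore_errors=True)
    return targets


def build_demo_temp_root() -> str:
    """Constructed fixture: a fake temp folder with one infected and one clean NSIS directory."""
    root = tempfile.mkdtemp(prefix="bm_demo_")
    infected = os.path.join(root, "nsdBA.tmp")
    os.makedirs(os.path.join(infected, "LuaSocket", "lua", "socket"))
    open(os.path.join(infected, "LuaBridge.dll"), "wb").close()
    open(os.path.join(infected, "LuaSocket", "lua", "socket", "url.lua"), "wb").close()
    clean = os.path.join(root, "nsq1F.tmp")          # NSIS-looking, but no markers
    os.makedirs(clean)
    open(os.path.join(clean, "System.dll"), "wb").close()
    other = os.path.join(root, "Not_NSIS")            # marker file outside an NSIS directory
    os.makedirs(other)
    open(os.path.join(other, "LuaBridge.dll"), "wb").close()
    with open(os.path.join(root, "dropper.exe"), "wb") as fh:
        fh.write(b"MZ constructed placeholder, not the real sample\n")
    return root


if __name__ == "__main__":
    demo = build_demo_temp_root()
    print("known sample:", is_known_sample(os.path.join(demo, "dropper.exe")))
    print("would remove:", remove_bundle_temp_dirs(demo, dry_run=True))
```

Run it only after step 1 has terminated the installer processes: on Windows the loaded DLLs stay locked until then, and with ignore_errors=True a locked file leaves the directory in place without any message. The report gives no real file name for the dropper, so the hash comparison, not the name, is what identifies it.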
