SearchProtectToolbar_pcap_dff198f1ef

by malwarelabrobot on October 5th, 2017 in Malware Descriptions.

Trojan.NSIS.StartPage.FD, SearchProtectToolbar_pcap.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: dff198f1ef4498febff3aeb1b9968ef0
SHA1: 079b653f4269274653e92e405b0dfa79b6be9b4d
SHA256: 2c0c89d2e57ada69009d644b806d2bd68e7717f1f0d19e9144454956a21cae8b
SSDeep: 12288:ghkyG3nYbnJ1VEmLKy8mi6MY55ZVj9TyOFgdNunlDu:ghrqS1VRLv8v6Z55rj9mjNunla
Size: 597168 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-06-22 21:07:51
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:2060

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\LuaSocket\lua\mime.lua (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\extension.tlb (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\BundleInstall.lua (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\LuaSocket\lua\socket\tp.lua (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\ProcessFreeFile.lua (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\nsis7z.dll (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\FloatingProgress.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\Env.lua (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\System.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\skin\res\jquery.js (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\EagerInstall.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\LuaSocket\lua\ltn12.lua (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\Scheduler.lua (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\LuaSocket\lua\socket\ftp.lua (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\LuaXml.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\nsisunz.dll (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\UiState.lua (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\skin\res\knockout.js (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\utils.lua (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\lua51.dll (6527 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\LuaSocket\lua\socket\smtp.lua (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\AdvancedTests.lua (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\LuaSocket\lua\socket\url.lua (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\DownloadList.lua (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\skin.zip (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\Events.lua (912 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\json.lua (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\CallbackProxy.lua (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\LuaSocket\mime\core.dll (1909 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\NotifyIcon.lua (302 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\DownloadThread.lua (581 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\skin\res\common.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\luacom.dll (10136 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\LuaSocket\socket\core.dll (2473 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\version.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\LuaSocket\lua\socket\http.lua (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\Downloads.lua (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\IntegratedOffer.lua (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\GuiInit.lua (5064 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\un.package.exe (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\UACInfo.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\definitions.lua (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\LuaSocket\lua\socket.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\BrowserControl.lua (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\LuaBridge.dll (1597 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FA.tmp (42517 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\skin\res\common.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\LuaXml_lib.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\Sandbox.lua (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\__web.xml (3848 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss75EA.tmp (0 bytes)

Registry activity

Dropped PE files

MD5 File path
0f26c6d34d3841e93145dd00d0175651 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\FloatingProgress.dll
b31fd429994a796b9b2d7fb515849707 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\LuaBridge.dll
4a4845ba1666907f708c9c10a31ec227 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\LuaSocket\mime\core.dll
4bf7db111acfa7c28ad36606107b3322 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\LuaSocket\socket\core.dll
7292b642bd958aeb7fd7cfd19e45b068 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\LuaXml_lib.dll
7e3c808299aa2c405dffa864471ddb7f c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\System.dll
d02a497be5f89c44827f142c4662f591 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\UACInfo.dll
13c3a33c1f6e43f38de533fd0b766c98 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\lua51.dll
ed7f7857933b38e5d10daf828e79af19 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\luacom.dll
692479f7c07a64a6a632148e382f0e22 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\nsis7z.dll
5f13dbc378792f23e598079fc1e4422b c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\nsisunz.dll
5694e7daf20c47c8d5e73d4a838c2ee6 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\un.package.exe
ebc5bb904cdac1c67ada3fa733229966 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh75FB.tmp\version.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Russian (Russia)

PE Sections

Name     Virtual Address   Virtual Size   Raw Size   Entropy    Section MD5
.text    4096              23294          23552      4.47651    ad2ebf079e89cd95e3fda4bd0b869620
.rdata   28672             5272           5632       3.56156    45097a769b809e006a7e5c1f08e7cba2
.data    36864             109756         512        0.972488   4b5dfd97899e385b2193064eb045da6b
.ndata   147456            176128         0          0          d41d8cd98f00b204e9800998ecf8427e
.rsrc    323584            37704          37888      4.24045    a69f85e488b1592c3a1b31855c36ece1
.reloc   364544            2680           3072       3.86498    bd33af9438036e756fe3734a5dc7bcc6

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 47

URLs

URL IP
hxxp://download.webinstall.com/install?s=fivemill&c=SEM&variation=control&brand=Download.com&pid=dlcom_sem&aid=serial_key_generator_download&bc=32559&country=US 50.22.63.141


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /install?s=fivemill&c=SEM&variation=control&brand=Download.com&pid=dlcom_sem&aid=serial_key_generator_download&bc=32559&country=US HTTP/1.1
connection: close, TE
x-exename: %original file name%.exe
x-webinstallurl: hXXp://download.webinstall.com/install?s=fivemill&c=SEM&variation=control&brand=Download.com&pid=dlcom_sem&aid=serial_key_generator_download&bc=32559&country=US
user-agent: Tightrope Bundle Manager(ref=[e591d6c88971da718a48be77ad5aeb84fd5a53db];windows=6.1;uac=false;ie=9;elevated=true;dotnet=4;startTime=423449;pid=2060)
x-webinstallcode: complete url:hXXp://download.webinstall.com/install?s=fivemill&c=SEM&variation=control&brand=Download.com&pid=dlcom_sem&aid=serial_key_generator_download&bc=32559&country=US
te: trailers
host: download.webinstall.com


HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Tue, 03 Oct 2017 23:16:22 GMT
Age: 0
Connection: close
X-Cache: MISS
008000
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Installer>
 <Bundle>
  <CustomParameter Name="ProductSetId">75305595</CustomParameter>
  <CustomParameter Name="ProductId">14433198</CustomParameter>
  <CustomParameter Name="ProductName">Serial Key Generator - 7.0</CustomParameter>
  <CustomParameter Name="FileName">SKGeneratorDemo.exe</CustomParameter>
  <CustomParameter Name="Name">Serial Key Generator - 7.0</CustomParameter>
  <CustomParameter Name="Category">Downloads^Developer Tools^Software Installation Tools</CustomParameter>
  <CustomParameter Name="CategoryId">2216</CustomParameter>
  <CustomParameter Name="PublishDate">2015-07-22</CustomParameter>
  <CustomParameter Name="FileSize">23406184</CustomParameter>
  <CustomParameter Name="DownloadLink">hXXp://files.downloadnow.com/s/software/14/43/31/98/SKGeneratorDemo.exe?token=1449949964_24d892eeb141939dcdc90d37972976e3</CustomParameter>
  <CustomParameter Name="License">Free to try</CustomParameter>
  <CustomParameter Name="ProductVersion">7.0</CustomParameter>
  <LinkBelowEula>false</LinkBelowEula>
  <OptInDefault>false</OptInDefault>
  <ProductBinary embed="false" msioptions="" options="">hXXp://files.downloadnow.com/s/software/14/43/31/98/SKGeneratorDemo.ex

<<< skipped >>>

The Trojan connects to the servers at the following location(s):


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the files created/modified by the Trojan (the same files listed under "File activity" above).

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
