Trojan.NSIS.StartPage_0e450434c5

by malwarelabrobot on June 13th, 2014 in Malware Descriptions.

MemScan:Application.Bundler.Outbrowse.E (AdAware), Trojan.NSIS.StartPage.FD, Trojan.Win32.IEDummy.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 0e450434c52831cdd8808a4217f6099f
SHA1: af53ab909a724b33b8f7cbc6e328dc3e6858fceb
SHA256: 59eeffd28655c418d0ff1e2e0922f3f6cd00d31e99329b91505c2522b2a3ea12
SSDeep: 24576: V484CsoZWCM5PAj7vrhbpODEN6kVYQnon08SFve:2L4hp rOoN6kVY o0rFm
Size: 943384 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

wmic.exe:488

The Trojan injects its code into the following process(es):

setup.exe:860
f.exe:388
%original file name%.exe:1908
6_Offer_10.exe:1492

File activity

The process setup.exe:860 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\modern-wizard.bmp (2784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\InstallOptions.dll (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\components.ini (1218 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\summary.ini (86 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\modern-header.bmp (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\options.ini (3918 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\shortcuts.ini (1782 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\ioSpecial.ini (9996 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nssB5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp (0 bytes)

The process f.exe:388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\button_over[1].png (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\jquery-ui.min[1].js (5973 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\DynamicOfferScreen[1].htm (948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PreExe_ID_13667.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\ui-bg_gloss-wave_75_2191c0_500x100[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\jquery-ui[1].css (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\BuzzIT2Checker11-6[1].exe (9673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\ui-bg_inset-hard_100_fcfdfd_1x100[1].png (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6_Offer_10.exe (1753642 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\Firefox Setup 26.0[1].exe (2741579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\ui-bg_inset-hard_100_fcfdfd_1x100[1].png (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\jquery-ui-1.8.19.custom[1].css (5521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery.min[1].js (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\ui-bg_gloss-wave_75_2191c0_500x100[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\button[1].png (458 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\bodyImg[1].png (8072 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\DynamicOfferScreen[1].htm (850 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\ui-bg_gloss-wave_75_2191c0_500x100[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\ui-bg_inset-hard_100_fcfdfd_1x100[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PreExe_ID_13667.exe (0 bytes)

The process wmic.exe:488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (238 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (0 bytes)

The process %original file name%.exe:1908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\f.exe (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\instructionsCalgk.dat (27433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB3.tmp\System.dll (11 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nseB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB3.tmp (0 bytes)

The process 6_Offer_10.exe:1492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\freebl3.dll (2435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\libEGL.dll (95 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\twitter.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\mozjs.dll (34782 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\crashreporter.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapprt-stub.exe (1145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\dictionaries\en-US.dic (6572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\install.rdf (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\blocklist.xml (1227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\uninstall\helper.exe (8326 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\mozglue.dll (1422 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\omni.ja (70343 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\maintenanceservice_installer.exe (2693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\updater.exe (3414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\libGLESv2.dll (7187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\components\browsercomps.dll (2666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\crashreporter.exe (2061 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\setup.exe (6698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\omni.ja (37685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\icon.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\D3DCompiler_43.dll (18141 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\amazondotcom.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\crashreporter-override.ini (783 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\yahoo.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapprt\webapprt.ini (487 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\msvcr100.dll (8532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\gkmedias.dll (28466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\bing.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\defaults\pref\channel-prefs.js (358 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\wikipedia.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\AccessibleMarshal.dll (1886 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapprt\omni.ja (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nssdbm3.dll (1676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\xul.dll (183544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\freebl3.chk (899 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nssdbm3.chk (899 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\chrome.manifest (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\platform.ini (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\removed-files (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\updater.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nss3.dll (14726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\plugin-hang-ui.exe (1832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\msvcp100.dll (3352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\components\components.manifest (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\softokn3.dll (1110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\google.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\softokn3.chk (899 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\maintenanceservice.exe (1753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapp-uninstaller.exe (4203 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\mozalloc.dll (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\update-settings.ini (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\plugin-container.exe (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\eBay.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\application.ini (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\dictionaries\en-US.aff (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\firefox.exe (2583 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\precomplete (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\dependentlibs.list (99 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nssckbi.dll (3701 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\breakpadinjector.dll (844 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp (0 bytes)

Registry activity

The process setup.exe:860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 22 39 A4 39 53 08 26 88 16 D2 6C F3 78 58 2D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process f.exe:388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\f.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014061220140613]
"CachePrefix" = ":2014061220140613:"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}]
"(Default)" = "CBrowserExternal Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version]
"(Default)" = "1.0"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014061220140613]
"CacheOptions" = "11"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0]
"(Default)" = "SmartInstallerLib"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}]
"(Default)" = "IBrowserExternals"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\f.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014061220140613]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014061220140613\"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\f.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9216" = "My Computer"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B E4 81 A8 DF 7E 5B E5 5A DD 60 63 CF 2C 55 A3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Internet Explorer]
"iexplore.exe" = "Internet Explorer"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014061220140613]
"CacheRepair" = "0"
"CacheLimit" = "8192"

The Trojan modifies IE security zone settings so that all local web nodes with no dots in their names that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"netshell.dll,-1300"
"wshext.dll,-4802"
"wshext.dll,-4803"
"cryptext.dll,-6112"
"cryptext.dll,-6113"
"cryptext.dll,-6110"
"cdfview.dll,-4610"
"accwiz.exe,-16"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9918"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"wshext.dll,-4801"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9927"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9216"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9912"
"unregmp2.exe,-9913"
"unregmp2.exe,-9910"
"unregmp2.exe,-9911"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\PCHealth\HelpCtr\Binaries]
"msinfo.dll,-391"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%Program Files%\Movie Maker]
"wmm2res.dll,-63097"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9915"
"unregmp2.exe,-9916"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"RCBdyctl.dll,-150"
"msi.dll,-34"
"msi.dll,-35"
"cryptext.dll,-6111"
"pdh.dll,-10023"
"notepad.exe,-469"
"shscrap.dll,-258"
"wshext.dll,-4805"
"msxml3r.dll,-1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@""%Program Files%\Windows NT\Accessories]
"WORDPAD.EXE"",-190"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"scrobj.dll,-8192"
"msxml3r.dll,-2"
"shimgvw.dll,-301"
"PresentationHost.exe,-3306"
"shimgvw.dll,-303"
"shimgvw.dll,-302"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@""%Program Files%\Windows NT\Accessories]
"WORDPAD.EXE"",-209"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"shimgvw.dll,-304"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%Program Files%\Internet Explorer\Connection Wizard]
"icwres.dll,-20003"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"shimgvw.dll,-306"
"shimgvw.dll,-305"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9902"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"zipfldr.dll,-10195"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@""%Program Files%\Windows NT\Accessories]
"WORDPAD.EXE"",-208"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"cryptext.dll,-6109"
"cryptext.dll,-6108"
"wshext.dll,-4800"
"shimgvw.dll,-307"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%Program Files%\NetMeeting]
"conf.exe,-12345"
"conf.exe,-12346"
"conf.exe,-12347"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"Procmon.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-22978"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9923"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9920"
"unregmp2.exe,-9909"
"unregmp2.exe,-9926"
"unregmp2.exe,-9925"
"unregmp2.exe,-9905"
"unregmp2.exe,-9904"
"unregmp2.exe,-9907"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"PresentationHost.exe,-3308"
"mmcbase.dll,-130"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9903"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"wshext.dll,-4804"
"icardres.dll.mui,-4162"
"SHELL32.dll,-8964"
"icardres.dll.mui,-4146"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%Program Files%\NetMeeting]
"nmwb.dll,-1234"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"setupapi.dll,-2000"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"cmd.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"sandbox_svc.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"cryptext.dll,-6145"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-880"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9914"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"PresentationHost.exe,-3300"
"SHELL32.dll,-9227"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"ntbackup.exe,-40"
"SHELL32.dll,-9217"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9908"

The process wmic.exe:488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 3E 89 64 12 1C B4 27 9E 4B 38 15 E0 18 00 11"

The process %original file name%.exe:1908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B 6C AC A1 8B 84 E2 B3 F0 9F 45 DB 35 EE DA DE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process 6_Offer_10.exe:1492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 7B 6A BE E3 3C 7B 46 B6 47 08 9E CF 8F FA 99"

Dropped PE files

MD5 File path
c5c5de801c3d3ee767574893a7df656d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\6_Offer_10.exe
cf51b758916e5bf68ba8f0a6b3fb6bf1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\AccessibleMarshal.dll
1c9b45e87528b8bb8cfa884ea0099a85 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\D3DCompiler_43.dll
0cd085ca321c43cb4c1bcf99ab8ea080 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\breakpadinjector.dll
666a76d8ed0a06c9404da0d546bf3627 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\browser\components\browsercomps.dll
e17ee29b33661a5dfa55c8788adca28f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\crashreporter.exe
1eea6c1b35191dc177ea83672b9c3fc0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\firefox.exe
8439cd841764fc1d7b1059a21021bdca c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\freebl3.dll
1fd37aec631eef547ff6c93151c21a5b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\gkmedias.dll
9440e99ff69d095896660a166bf74866 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\libEGL.dll
a24534258c89c992d3e03729e3c42ab3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\libGLESv2.dll
3b9398e0146855b1dc0e3d9769c80f01 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\maintenanceservice.exe
b5b3e07dd04eaa1ffceb37ef9f7849fc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\maintenanceservice_installer.exe
454830b2ff549241e4b09cd291f4b59d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\mozalloc.dll
ab7ebfd1d7fe626612d1e815fe4e6df4 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\mozglue.dll
8a6087b231b529ef6186cd0179b16032 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\mozjs.dll
03e9314004f504a14a61c3d364b62f66 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\msvcp100.dll
67ec459e42d3081dd8fd34356f7cafc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\msvcr100.dll
2545f8fa1ba4417308df63b952d66fa1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\nss3.dll
cf618ddc43b1f48959275961d0142615 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\nssckbi.dll
689a9eff35da52f70849fdb25034174f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\nssdbm3.dll
0dd74786d22edff0ce5b8e1b1e398618 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\plugin-container.exe
51bb4983ba8b8f4c712ae7ebb5577cd8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\plugin-hang-ui.exe
a6f5aa4bd602cda7b0a375a6a48d715d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\softokn3.dll
5b61c11223e59c1aca4adae6fdd2a775 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\uninstall\helper.exe
63e98c05d504e9f30dae364dce50e0f5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\updater.exe
4f5cac0d371454e97d1bd918489792f6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\webapp-uninstaller.exe
abcc2fbcca63a5f6309485ca3ef18e7c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\webapprt-stub.exe
de2345b8cbcc6366e20848ec22278cb6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\xul.dll
01944475fa7b6c1f30f931013cf61d1e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\setup.exe
c416bcf6a1bfc274c22c243da87c0f33 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\f.exe
67d8f4d5acdb722e9cb7a99570b3ded1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsyB6.tmp\InstallOptions.dll
959ea64598b9a3e494c00e8fa793be7e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsyB6.tmp\System.dll
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nszB3.tmp\System.dll
b8b654dd30c249e00c79f1508a2736e5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\BuzzIT2Checker11-6[1].exe
c5c5de801c3d3ee767574893a7df656d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\Firefox Setup 26.0[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Firefox
Product Version: 3.0
Legal Copyright: Firefox
Legal Trademarks: Firefox
Original Filename:
Internal Name:
File Version:
File Description: Firefox
Comments: setup Installer
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 94208 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 286720 3176 3584 2.75375 61886786c758d78857d0529764e4c7bd

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 302

URLs

URL IP


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
SURICATA STREAM ESTABLISHED packet out of window
SURICATA STREAM Packet with invalid ack
SURICATA STREAM ESTABLISHED invalid ack

Traffic

GET /Installer/Flow?pubid=1955&distid=3208&productid=5187&subpubid=-1&campaignid=0&networkid=1&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=&netv=&d1=4850&d2=41&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&version=4.0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: installer.apps-track.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Thu, 12 Jun 2014 05:25:59 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 13171
Connection: keep-alive

<<< skipped >>>

GET /Installer/Track?pubid=1955&distid=3208&productid=5187&subpubid=-1&campaignid=0&networkid=1&reqid=107257330&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=&netv=&d1=4850&d2=41&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&status=0&installedid=5187&offerscreenid=&offerorder=10&downloadduration=10609&installduration=109 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: installer.apps-track.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Thu, 12 Jun 2014 05:26:09 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 8
Connection: keep-alive
..OK......



GET /Installer/TrackFinish?reqid=107257330&x=y&clickid=-1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: installer.apps-track.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Thu, 12 Jun 2014 05:26:10 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 8
Connection: keep-alive
..OK....


GET /blank.gif?t=141592501254&h=a023e0f902a095d8b136fb5b66956e00&cids=n8d HTTP/1.1
Accept: */*
Referer: hXXp://d.delivery49.com/widget/render/hash/a023e0f902a095d8b136fb5b66956e00
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: counter.d.delivery49.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Date: Thu, 12 Jun 2014 05:26:25 GMT
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Server: nginx/1.2.1
Content-Length: 43
Connection: keep-alive


GET /ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css HTTP/1.1
Accept: */*
Referer: hXXp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=2&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/css; charset=UTF-8
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Thu, 12 Jun 2014 04:50:50 GMT
Expires: Thu, 12 Jun 2014 05:50:50 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 6091
X-XSS-Protection: 1; mode=block
Age: 2119
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Alternate-Protocol: 80:quic

<<< skipped >>>

GET /ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_inset-hard_100_fcfdfd_1x100.png HTTP/1.1
Accept: */*
Referer: hXXp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=2&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Thu, 12 Jun 2014 04:42:31 GMT
Expires: Thu, 12 Jun 2014 05:42:31 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 88
X-XSS-Protection: 1; mode=block
Age: 2622
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Alternate-Protocol: 80:quic




GET /ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png HTTP/1.1
Accept: */*
Referer: hXXp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=2&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Thu, 12 Jun 2014 05:22:32 GMT
Expires: Thu, 12 Jun 2014 06:22:32 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 3457
X-XSS-Protection: 1; mode=block
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Age: 221
Alternate-Protocol: 80:quic
file.
  • Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\modern-wizard.bmp (2784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\InstallOptions.dll (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\components.ini (1218 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\summary.ini (86 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\modern-header.bmp (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\options.ini (3918 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\shortcuts.ini (1782 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\ioSpecial.ini (9996 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\button_over[1].png (921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\jquery-ui.min[1].js (5973 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\DynamicOfferScreen[1].htm (948 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\PreExe_ID_13667.exe (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\ui-bg_gloss-wave_75_2191c0_500x100[1].png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\jquery-ui[1].css (33 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\BuzzIT2Checker11-6[1].exe (9673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\ui-bg_inset-hard_100_fcfdfd_1x100[1].png (88 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\6_Offer_10.exe (1753642 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\Firefox Setup 26.0[1].exe (2741579 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\ui-bg_inset-hard_100_fcfdfd_1x100[1].png (88 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\jquery-ui-1.8.19.custom[1].css (5521 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery.min[1].js (2321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\ui-bg_gloss-wave_75_2191c0_500x100[1].png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\button[1].png (458 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\bodyImg[1].png (8072 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\DynamicOfferScreen[1].htm (850 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (238 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\f.exe (7972 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\instructionsCalgk.dat (27433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszB3.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\freebl3.dll (2435 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\libEGL.dll (95 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\twitter.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\mozjs.dll (34782 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\crashreporter.ini (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapprt-stub.exe (1145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\dictionaries\en-US.dic (6572 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\install.rdf (305 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\blocklist.xml (1227 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\uninstall\helper.exe (8326 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\mozglue.dll (1422 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\omni.ja (70343 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\maintenanceservice_installer.exe (2693 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\updater.exe (3414 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\libGLESv2.dll (7187 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\components\browsercomps.dll (2666 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\crashreporter.exe (2061 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\setup.exe (6698 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\omni.ja (37685 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\icon.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\D3DCompiler_43.dll (18141 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\amazondotcom.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\crashreporter-override.ini (783 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\yahoo.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapprt\webapprt.ini (487 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\msvcr100.dll (8532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\gkmedias.dll (28466 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\bing.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\defaults\pref\channel-prefs.js (358 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\wikipedia.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\AccessibleMarshal.dll (1886 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapprt\omni.ja (33 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nssdbm3.dll (1676 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\xul.dll (183544 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\freebl3.chk (899 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nssdbm3.chk (899 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\chrome.manifest (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\platform.ini (140 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\removed-files (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\updater.ini (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nss3.dll (14726 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\plugin-hang-ui.exe (1832 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\msvcp100.dll (3352 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\components\components.manifest (34 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\softokn3.dll (1110 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\google.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\softokn3.chk (899 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\maintenanceservice.exe (1753 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapp-uninstaller.exe (4203 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\mozalloc.dll (17 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\update-settings.ini (137 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\plugin-container.exe (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\eBay.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\application.ini (685 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\dictionaries\en-US.aff (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\firefox.exe (2583 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\precomplete (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\dependentlibs.list (99 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nssckbi.dll (3701 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\breakpadinjector.dll (844 bytes)

  • Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  • Reboot the computer.
  • *Manual removal may cause unexpected system behaviour and should be performed at your own risk.