Trojan.NSIS.StartPage_4d8e89edd3

by malwarelabrobot on August 5th, 2014 in Malware Descriptions.

Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 4d8e89edd3f45e2148a4a1fb2ce66c31
SHA1: 31ff7b5f6bc76a977526878c0d6c338af43ed6a0
SHA256: 76cc2a526ae7536e119d80cba79db6f0fce08ab08f967dc061a139ea0640189f
SSDeep: 12288:5rBp5UkallMCBw8yIBtp8dbJd5A4AzybJd5A81:59UkalWCTQdbJd5A4AzybJd5A81
Size: 509176 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:52:12
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

wajam_validate.exe:1672

The Trojan injects its code into the following process(es):

%original file name%.exe:1812

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1812 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\close-btn.jpg (125 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer5.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\CompleteScreen.html (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB6.tmp (136383 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer1.zip (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseBA.tmp (172080 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgBB.tmp (164814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB4.tmp (116869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\OfferScreen_243_FP_spws243[1].zip (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\OfferScreen_235_EN[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\start-bullet.jpg (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\wajam_validate[1].exe (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\installog.txt (820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssB5.tmp (116869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB9.tmp (152335 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\ExecCmd.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\wajam_validate.exe (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\FCL_Co_v4[1].htm (344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\download.jpg (6025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\branding.jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\InstallScreen.html (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\img12_1.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\WelcomeScreen.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer4.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\WS_Flash___Click_To_Safe_Install___________________________MA_02_9342[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer2.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\blowfish.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\but1.png (5574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferAssets.zip (736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_243.html (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\BI_Flash___Click_To_Safe_Install___________________________MA_02_9342[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer3.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_38.html (5041 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\OfferScreen_291_EN[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\OfferScreen_38_EN[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\skip.jpg (2490 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoBD.tmp (151604 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_145.html (5041 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DSS_IMapplication_mon_NV1_2[1].htm (927 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\LoadingBar.gif (1417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_291.html (3745 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\click.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\loading.gif (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\trusted1.jpg (125 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\nsJSWV6.dll (1886 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\OfferScreen_145_EN[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbB8.tmp (150063 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_235.html (5521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DS_wrapper_details_v2[1].htm (476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\loading.html (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmBC.tmp (148882 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\manlib.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB7.tmp (137924 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\unchecked.jpg (444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\output.txt (927 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\checked.jpg (503 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_243.html.old (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_291.html.old (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OK (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_145.html.old (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\success (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_235.html.old (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_38.html.old (0 bytes)

Registry activity

The process wajam_validate.exe:1672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 81 1D 53 43 49 D4 4A 9C A9 20 63 8F 46 64 89"

The process %original file name%.exe:1812 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080420140805]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080420140805]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014080420140805\"

"CachePrefix" = ":2014080420140805:"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080420140805]
"CacheLimit" = "8192"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080420140805]
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1260053532"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 11 D5 BB 39 B9 CE 75 76 C4 7F F0 BA B8 D9 9B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security zone settings so that all local web nodes without dots that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021820130225]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
b9380b0bea8854fd9f93cc1fda0dfeac c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\ExecCmd.dll
5264f7d6d89d1dc04955cfb391798446 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\GetVersion.dll
b140459077c7c39be4bef249c2f84535 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\Math.dll
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\System.dll
7579ade7ae1747a31960a228ce02e666 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\UserInfo.dll
5afd4a9b7e69e7c6e312b2ce4040394a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\blowfish.dll
134b93f8bd1f82cd2f1b06c878580703 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\inetc.dll
94ba775c8a1f4d6c9bb1966eddce22b5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\manlib.dll
c10e04dd4ad4277d5adc951bb331c777 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\nsDialogs.dll
a056772e31415e022147d5c4ffcfe22a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\nsJSWV6.dll
5f13dbc378792f23e598079fc1e4422b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\nsisunz.dll
2b7007ed0262ca02ef69d8990815cbeb c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\registry.dll
46f5c497f96e733176b010ff0ee56de3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\wajam_validate.exe
46f5c497f96e733176b010ff0ee56de3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\wajam_validate[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46304 c52a72deb0170941d392ec38c6aeafd0
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 298072 1024 3.32453 723ad80df002dc5421798f4307abe5cf
.ndata 335872 1908736 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 2244608 102848 102912 3.69799 0f65a45d68577e96223f6c630a739884

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://fglasspeast.com/FCL_Co_v4.php
hxxp://stsunsetwest.com/DS_wrapper_details_v2.php
hxxp://www.wajam.com/download/wajam_validate.exe
hxxp://www.wajam.com/install/valid?v=1&unique_id=0630F6DB1811B361E367028BD09FCCEB
hxxp://secure.goeastcdncache.com.cdngc.net/nsi/nsis-html/WS_Flash___Click_To_Safe_Install___________________________MA_02_9342.zip
hxxp://secure.goeastcdncache.com.cdngc.net/BrandingImages/BI_Flash___Click_To_Safe_Install___________________________MA_02_9342.jpg
hxxp://stsunsetwest.com/DSS_IMapplication_mon_NV1_2.php
hxxp://cdn.cmatecdnfast.us.cdngc.net/os/OfferScreen_243_FP_spws243.zip 174.35.73.156
hxxp://cdn.cmatecdnfast.us.cdngc.net/os/js/OfferScreen_291_EN.zip 174.35.73.156
hxxp://cdn.cmatecdnfast.us.cdngc.net/os/js/OfferScreen_38_EN.zip 174.35.73.156
hxxp://cdn.cmatecdnfast.us.cdngc.net/os/js/OfferScreen_235_EN.zip 174.35.73.156
hxxp://cdn.cmatecdnfast.us.cdngc.net/os/js/OfferScreen_145_EN.zip 174.35.73.156
hxxp://stsunsetwest.com/DS_trackstats_mon_v2.php
hxxp://www.stsunsetwest.com/DS_trackstats_mon_v2.php 50.19.102.217
hxxp://secure.goeastcdncache.com/nsi/nsis-html/WS_Flash___Click_To_Safe_Install___________________________MA_02_9342.zip
hxxp://cdn.cmatecdnfast.us/os/OfferScreen_243_FP_spws243.zip 174.35.73.156
hxxp://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip 174.35.73.156
hxxp://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip 174.35.73.156
hxxp://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip 174.35.73.156
hxxp://www.fglasspeast.com/FCL_Co_v4.php
hxxp://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip 174.35.73.156
hxxp://secure.goeastcdncache.com/BrandingImages/BI_Flash___Click_To_Safe_Install___________________________MA_02_9342.jpg
hxxp://www.stsunsetwest.com/DSS_IMapplication_mon_NV1_2.php 50.19.102.217
hxxp://www.stsunsetwest.com/DS_wrapper_details_v2.php 50.19.102.217


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET MALWARE W32/InstallMonetizer.Adware Beacon 1
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

POST /DS_trackstats_mon_v2.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.stsunsetwest.com
Content-Length: 158
Connection: Keep-Alive
Cache-Control: no-cache

from=wrapper&type=wrapper&pubid=12872&CbId=9342&mgu=rQXmyP8qC9u3BiBIkZpmYbQ5qfySo1gEw8LbZb2D3XAwsHEqmZsEVA==&subid=&mid=qGKynuZ0mulXtjqK50UfpKXXmVfPsDsc&wlc=1
HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:49 GMT
Server: Apache/2.2.23 (CentOS)
X-Powered-By: PHP/5.3.28
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


POST /DSS_IMapplication_mon_NV1_2.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.stsunsetwest.com
Content-Length: 336
Connection: Keep-Alive
Cache-Control: no-cache

from=wrapper&type=wrapper&vid=3&pubid=12872&CbId=9342&mgu=rQXmyP8qC9u3BiBIkZpmYbQ5qfySo1gEw8LbZb2D3XAwsHEqmZsEVA==&subid=&lid=EN&mid=qGKynuZ0mulXtjqK50UfpKXXmVfPsDsc&advDetails=38~YES~0/145~YES~0/176~YES~0/226~YES~0/234~YES~0/235~YES~0/270~YES~0/239~YES~0/243~YES~0/251~YES~0/260~YES~0/275~YES~0/277~YES~0/283~YES~0/291~YES~0/301~NO~4//
HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:39 GMT
Server: Apache/2.2.23 (CentOS)
X-Powered-By: PHP/5.3.28
Content-Length: 927
Connection: close
Content-Type: text/html; charset=UTF-8
243~hXXp://cdn.cmatecdnfast.us/os/OfferScreen_243_FP_spws243.zip~https://sp-storage.spccinta.com/sp-downloader.exe~hXXps://sp-storage.spccinta.com/sp-downloader.exe~null~0~1
#291~hXXp://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip~hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0
#38~hXXp://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip~hXXp://wajam-download.com/download/wajam_download_v2.exe~hXXp://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe~null~0~0
#235~http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip~hXXp://VVV.reghelper.com/rh/RegistryHelperSetupIM.exe~hXXp://VVV.reghelper.com/rh/RegistryHelperSetupIM.exe~null~0~0
#145~hXXp://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0..


GET /install/valid?v=1&unique_id=0630F6DB1811B361E367028BD09FCCEB HTTP/1.1
Host: VVV.wajam.com


HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:39 GMT
Server: Apache
Set-Cookie: PHPSESSID=shf3uases3advt3l3998fno5n0; path=/; domain=.wajam.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _wau=14071530396341834; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1407153039; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com
Set-Cookie: not_logged_unique_id=0630F6DB1811B361E367028BD09FCCEB; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com
Set-Cookie: _waab=48,31,99,55,52,48,40,63,72,2; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com
Set-Cookie: not_logged_unique_id=0630F6DB1811B361E367028BD09FCCEB; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1407153039; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com
Set-Cookie: not_logged_unique_id=0630F6DB1811B361E367028BD09FCCEB; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1407153039; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com
Vary: Accept-Encoding
Content-Length: 1
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: APPSESSID=w18|U99zk|U99zk; path=/; domain=.wajam.com
0..


GET /nsi/nsis-html/WS_Flash___Click_To_Safe_Install___________________________MA_02_9342.zip HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: secure.goeastcdncache.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:39 GMT
Server: PWS/8.0.25
X-Px: ms h0-s2014.p9-jfk ( h0-s2028.p9-jfk), ht-d h0-s2028.p9-jfk.cdngp.net
ETag: "2c31b1-4f28-4fc460c2c9040"
Cache-Control: max-age=604800
Expires: Tue, 05 Aug 2014 12:55:07 GMT
Age: 514532
Content-Length: 20264
Content-Type: application/zip
Last-Modified: Fri, 20 Jun 2014 15:21:29 GMT
Connection: keep-alive

GET /BrandingImages/BI_Flash___Click_To_Safe_Install___________________________MA_02_9342.jpg HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: secure.goeastcdncache.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:39 GMT
Server: PWS/8.0.25
X-Px: ms h0-s2014.p9-jfk ( h0-s2012.p9-jfk), ht-d h0-s2012.p9-jfk.cdngp.net
ETag: "4a278a-b46-4fc460c25d05d"
Cache-Control: max-age=604800
Expires: Sat, 09 Aug 2014 01:58:28 GMT
Age: 208331
Content-Length: 2886
Content-Type: image/jpeg
Last-Modified: Fri, 20 Jun 2014 15:21:28 GMT
Connection: keep-alive

GET /os/OfferScreen_243_FP_spws243.zip HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: cdn.cmatecdnfast.us
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:40 GMT
Server: PWS/8.0.25
X-Px: ms h0-s2070.p9-jfk ( h0-s2026.p9-jfk), ht-d h0-s2026.p9-jfk.cdngp.net
ETag: "2809b9-7b3c-4fa11b41c8a80"
Cache-Control: max-age=604800
Expires: Wed, 06 Aug 2014 20:34:43 GMT
Age: 400557
Content-Length: 31548
Content-Type: application/zip
Last-Modified: Fri, 23 May 2014 14:04:10 GMT
Connection: keep-alive

GET /os/js/OfferScreen_291_EN.zip HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: cdn.cmatecdnfast.us
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:40 GMT
Server: PWS/8.0.25
X-Px: ms h0-s2070.p9-jfk ( h0-s2077.p9-jfk), ht-d h0-s2077.p9-jfk.cdngp.net
ETag: "2805b3-4476-4fe4f7d9aa180"
Cache-Control: max-age=604800
Expires: Sun, 10 Aug 2014 22:07:25 GMT
Age: 49395
Content-Length: 17526
Content-Type: application/zip
Last-Modified: Wed, 16 Jul 2014 13:27:50 GMT
Connection: keep-alive

GET /os/js/OfferScreen_38_EN.zip HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: cdn.cmatecdnfast.us
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:40 GMT
Server: PWS/8.0.25
X-Px: ms h0-s2070.p9-jfk ( h0-s2104.p9-jfk), ht h0-s2104.p9-jfk.cdngp.net
ETag: "2805fe-4546-4fe4f4fa61ac0"
Cache-Control: max-age=604800
Expires: Fri, 08 Aug 2014 22:45:56 GMT
Age: 219884
Content-Length: 17734
Content-Type: application/zip
Last-Modified: Wed, 16 Jul 2014 13:14:59 GMT
Connection: keep-alive

<<< skipped >>>

GET /os/js/OfferScreen_235_EN.zip HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: cdn.cmatecdnfast.us
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:40 GMT
Server: PWS/8.0.25
X-Px: ms h0-s2070.p9-jfk ( h0-s2117.p9-jfk), ht h0-s2117.p9-jfk.cdngp.net
ETag: "2806b3-46ef-4fe4f609399c0"
Cache-Control: max-age=604800
Expires: Fri, 08 Aug 2014 17:31:06 GMT
Age: 238774
Content-Length: 18159
Content-Type: application/zip
Last-Modified: Wed, 16 Jul 2014 13:19:43 GMT
Connection: keep-alive

<<< skipped >>>

GET /os/js/OfferScreen_145_EN.zip HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: cdn.cmatecdnfast.us
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:40 GMT
Server: PWS/8.0.25
X-Px: ms h0-s2070.p9-jfk ( h0-s2080.p9-jfk), ht h0-s2080.p9-jfk.cdngp.net
ETag: "280655-544d-4fe4f54f42300"
Cache-Control: max-age=604800
Expires: Wed, 06 Aug 2014 05:02:51 GMT
Age: 456469
Content-Length: 21581
Content-Type: application/zip
Last-Modified: Wed, 16 Jul 2014 13:16:28 GMT
Connection: keep-alive

<<< skipped >>>

POST /DS_wrapper_details_v2.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.stsunsetwest.com
Content-Length: 47
Connection: Keep-Alive
Cache-Control: no-cache

CbId=9342&&mid=qGKynuZ0mulXtjqK50UfpKXXmVfPsDsc
HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:35 GMT
Server: Apache/2.2.23 (CentOS)
X-Powered-By: PHP/5.3.28
Content-Length: 476
Connection: close
Content-Type: text/html; charset=UTF-8
Flash Player~hXXp://secure.goeastcdncache.com/BrandingImages/BI_Flash___Click_To_Safe_Install___________________________MA_02_9342.jpg~EI~http://secure.ilandcachecdn.com/Advertisers/install_flashplayer11x32_mssd_aaa_aih.exe~$BrowserToPop~0~0~~hXXp://secure.goeastcdncache.com/nsi/nsis-html/WS_Flash___Click_To_Safe_Install___________________________MA_02_9342.zip~install_flashplayer11x32_mssd_aaa_aih.exe~hXXp://downloadupdates.in/MA1/flash_thankyou2.php~3C~1~1~1~~~~~0~0~~OW..


POST /FCL_Co_v4.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.fglasspeast.com
Content-Length: 180
Connection: Keep-Alive
Cache-Control: no-cache

from=wrapper&type=wrapper&vid=3&pubid=12872&CbId=9342&mid=qGKynuZ0mulXtjqK50UfpKXXmVfPsDsc&mgu=rQXmyP8qC9u3BiBIkZpmYbQ5qfySo1gEw8LbZb2D3XAwsHEqmZsEVA==&BundleVersionID=IM_210714@01
HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:34 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 344
Connection: close
Content-Type: text/html; charset=UTF-8
hXXp://VVV.stsunsetwest.com/DSS_IMapplication_mon_NV1_2.php#hXXp://www.stsunsetwest.com/DS_trackstats_mon_v2.php#CA#hXXp://VVV.stsunsetwest.com/DS_AdvAffiliateId.php#hXXp://VVV.stsunsetwest.com/DS_wrapper_details_v2.php#hXXp://VVV.wajam.com/download/wajam_validate.exe#38/145/176/184/226/234/235/270/239/243/251/260/275/277/283/291/301/320/339/..


GET /download/wajam_validate.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.wajam.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:35 GMT
Server: Apache
Last-Modified: Wed, 14 Aug 2013 20:48:34 GMT
ETag: "44414-2c00-4e3ee7b227727"
Accept-Ranges: bytes
Content-Length: 11264
Connection: close
Content-Type: application/x-msdos-program
X-Pad: avoid browser bug
Set-Cookie: APPSESSID=w5|U99zj|U99zj; path=/; domain=.wajam.com
Cache-control: private

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_1812:

.text
`.rdata
@.data
.ndata
.rsrc
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
http://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
ShowWebInPage
m\LOCALS~1\Temp\nsjB3.tmp\nsJSWV6.dll
html.old
void collision with other applications and/or components; and (b) operate in a proxy configuration as part of the Software and the Services. Proxy is a server that acts as an intermediary for requests from clients seeking resources from other servers. If you wish to revert back such proxy configuration to its original state, you have to completely uninstall the Software or use the opt out option that will be provided to you by us within some of the Services; (c) once the Software is installed we may, now or in the future, use features or components to counter third party attempts to modify or replace your then-current proxy configuration without notifying you or get your permission to do so; Such third parties may include (without limitation) malicious programs and other harmful code that, in some cases, may compromise your system (collectively or in separate
). You are hereby giving us your permission to use such features automatically without prior notification to you. Such features and components will act to protect your then-current proxy configurations, however we cannot guarantee 100% success and in no case we will be responsible for any Un-permitted Access or changes made to your system preferences or proxy configurations or to any damage that might have been caused to you due to Un-permitted Access; (d) periodically install automated updates to the Software on your computer as set forth in section 8; (e) place a small icon of the Software in your operating system's icon tray, from which you will be able to launch the Website to switch on and off the operation of the Software, to change or update your preferences and account settings;
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB3.tmp\nsJSWV6.dll
dm\LOCALS~1\Temp\nsjB3.tmp\OfferScreen_145.html
OfferScreen_145.html.old
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB3.tmp
OfferScreen_145.html
but1.png
CompleteScreen.html
InstallScreen.html
LoadingBar.gif
start-bullet.jpg
inflate 1.2.2 Copyright 1995-2004 Mark Adler
GetProcessHeap
nsisunz.dll
NL~%s
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB3.tmp\OfferScreen_145.html.old
OF5A05~1.OLD
243.html#1?skipall=0buttons=1
matecdnfast.us/os/OfferScreen_243_FP_spws243.zip~https://sp-storage.spccinta.com/sp-downloader.exe~https://sp-storage.spccinta.com/sp-downloader.exe~null~0~1#291~http://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0#38~http://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip~http://wajam-download.com/download/wajam_download_v2.exe~http://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe~null~0~0#235~http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~null~0~0#145~http://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0
145~http://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0
1953392
{E1070104-F404-44CE-B556-0622F9D63EE5}
AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
ementById('btnJSClose').style.marginLeft="35px";
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoBD.tmp
etElementById('btnJSClose').style.marginLeft="35px";
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nstB2.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
http://secure.goeastcdncache.com/BrandingImages/BI_Flash___Click_To_Safe_Install___________________________MA_02_9342.jpg
http://secure.ilandcachecdn.com/Advertisers/install_flashplayer11x32_mssd_aaa_aih.exe
http://www.fglasspeast.com/FCL_Co_v4.php
http://www.stsunsetwest.com/DSS_IMapplication_mon_NV1_2.php#http://www.stsunsetwest.com/DS_trackstats_mon_v2.php#CA#http://www.stsunsetwest.com/DS_AdvAffiliateId.php#http://www.stsunsetwest.com/DS_wrapper_details_v2.php#http://www.wajam.com/download/wajam_validate.exe#38/145/176/184/226/234/235/270/239/243/251/260/275/277/283/291/301/320/339/
http://www.stsunsetwest.com/DSS_IMapplication_mon_NV1_2.php
http://www.stsunsetwest.com/DS_trackstats_mon_v2.php
http://www.stsunsetwest.com/DS_AdvAffiliateId.php
http://www.wajam.com/download/wajam_validate.exe
243~http://cdn.cmatecdnfast.us/os/OfferScreen_243_FP_spws243.zip~https://sp-storage.spccinta.com/sp-downloader.exe~https://sp-storage.spccinta.com/sp-downloader.exe~null~0~1#291~http://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0#38~http://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip~http://wajam-download.com/download/wajam_download_v2.exe~http://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe~null~0~0#235~http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~null~0~0#145~http://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0
http://cdn.cmatecdnfast.us/os/OfferScreen_243_FP_spws243.zip
https://sp-storage.spccinta.com/sp-downloader.exe
http://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip
https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe
http://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip
http://wajam-download.com/download/wajam_download_v2.exe
http://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe
http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip
http://www.reghelper.com/rh/RegistryHelperSetupIM.exe
http://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip
http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe
zip~https://sp-storage.spccinta.com/sp-downloader.exe~https://sp-storage.spccinta.com/sp-downloader.exe~null~0~1#291~http://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0#38~http://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip~http://wajam-download.com/download/wajam_download_v2.exe~http://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe~null~0~0#235~http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~null~0~0#145~http://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0
~https://sp-storage.spccinta.com/sp-downloader.exe~https://sp-storage.spccinta.com/sp-downloader.exe~null~0~1#291~http://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0#38~http://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip~http://wajam-download.com/download/wajam_download_v2.exe~http://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe~null~0~0#235~http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~null~0~0#145~http://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0
\Program Files\Internet Explorer\iexplore.exe" -nohome
install_flashplayer11x32_mssd_aaa_aih.exe
http://downloadupdates.in/MA1/flash_thankyou2.php
http://www.stsunsetwest.com/DS_wrapper_details_v2.php
Flash Player~http://secure.goeastcdncache.com/BrandingImages/BI_Flash___Click_To_Safe_Install___________________________MA_02_9342.jpg~EI~http://secure.ilandcachecdn.com/Advertisers/install_flashplayer11x32_mssd_aaa_aih.exe~$BrowserToPop~0~0~~http://secure.goeastcdncache.com/nsi/nsis-html/WS_Flash___Click_To_Safe_Install___________________________MA_02_9342.zip~install_flashplayer11x32_mssd_aaa_aih.exe~http://downloadupdates.in/MA1/flash_thankyou2.php~3C~1~1~1~~~~~0~0~~OW
http://secure.goeastcdncache.com/nsi/nsis-html/WS_Flash___Click_To_Safe_Install___________________________MA_02_9342.zip
fast.us/os/js/OfferScreen_291_EN.zip~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0
38~http://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip~http://wajam-download.com/download/wajam_download_v2.exe~http://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe~null~0~0
235~http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~null~0~0
p://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip
970.exe
ps://sp-storage.spccinta.com/sp-downloader.exe~https://sp-storage.spccinta.com/sp-downloader.exe~null~0~1
ge.exe~null~0~0
/s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0
Nullsoft Install System v11-Jul-2014.cvs

%original file name%.exe_1812_rwx_00DA4000_00001000:

callback%d


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    wajam_validate.exe:1672

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\registry.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\close-btn.jpg (125 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer5.zip (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\CompleteScreen.html (1177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nseB6.tmp (136383 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer1.zip (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nseBA.tmp (172080 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsgBB.tmp (164814 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nshB4.tmp (116869 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\OfferScreen_243_FP_spws243[1].zip (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\OfferScreen_235_EN[1].zip (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\start-bullet.jpg (150 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\wajam_validate[1].exe (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\installog.txt (820 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nssB5.tmp (116869 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsiB9.tmp (152335 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\ExecCmd.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\wajam_validate.exe (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\FCL_Co_v4[1].htm (344 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\download.jpg (6025 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\GetVersion.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\branding.jpg (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\InstallScreen.html (1177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\img12_1.jpg (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\WelcomeScreen.zip (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer4.zip (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\WS_Flash___Click_To_Safe_Install___________________________MA_02_9342[1].zip (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer2.zip (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\blowfish.dll (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\but1.png (5574 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferAssets.zip (736 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_243.html (2281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\BI_Flash___Click_To_Safe_Install___________________________MA_02_9342[1].jpg (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\UserInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer3.zip (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_38.html (5041 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\OfferScreen_291_EN[1].zip (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\OfferScreen_38_EN[1].zip (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\skip.jpg (2490 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoBD.tmp (151604 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_145.html (5041 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DSS_IMapplication_mon_NV1_2[1].htm (927 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Math.dll (2489 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\LoadingBar.gif (1417 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_291.html (3745 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\nsisunz.dll (211 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\click.jpg (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\loading.gif (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\trusted1.jpg (125 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\nsJSWV6.dll (1886 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\OfferScreen_145_EN[1].zip (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsbB8.tmp (150063 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_235.html (5521 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\nsDialogs.dll (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DS_wrapper_details_v2[1].htm (476 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\loading.html (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsmBC.tmp (148882 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\manlib.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nspB7.tmp (137924 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\unchecked.jpg (444 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\output.txt (927 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\checked.jpg (503 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
