Trojan.NSIS.StartPage_5192c3af97

by malwarelabrobot on November 18th, 2015 in Malware Descriptions.

not-a-virus:HEUR:AdWare.Win32.ConvertAd.heur (Kaspersky), Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.

MD5: 5192c3af97a4752e8bd7c2909355edd7
SHA1: 2a8fb7da3f300d90d00c278c7377ca8be33757b7
SHA256: df21ff51aa51b0099c137bd10203e597731e0bb202e42b0ded41bd13cb698f08
SSDeep: 6144:hzfa0g0uidv3u5EFmTEZLq FvMNPKfFMlQ36:BduidvWOmCPF8k
Size: 524288 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: © 2014 ClientConnect Ltd.
Created at: 2009-12-06 00:50:35
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

nsq32.tmp:1260
nsq32.tmp:1468
nsh2B.tmp:1764
nsf21.tmp:1564
nsbF.tmp:140
%original file name%.exe:1216
nsi13.tmp:1968
nsh35.tmp:304
nsl1B.tmp:644
nsp5.tmp:412
nsv24.tmp:1488
nsv24.tmp:652
amisid.exe:944

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process nsh2B.tmp:1764 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\LICENSE.txt (1568 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\ethm.exe (26886 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\ns30.tmp (9 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\clinfo.exe (991 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\start.cmd (303 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\nsExec.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\ns2F.tmp (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\CPUFeatures.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\nsProcess.dll (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\UserInfo.dll (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\LICENSE.txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\ethm.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\ns30.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\clinfo.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\start.cmd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse2D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\CPUFeatures.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\ns2F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\nsProcess.dll (0 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer (0 bytes)

The process nsf21.tmp:1564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\Bundle_OperaRUnew[1].exe (8472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv24.tmp (8472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv25.tmp\inetc.dll (20 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv25.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv25.tmp\inetc.dll (0 bytes)

The process nsbF.tmp:140 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsn11.tmp (0 bytes)

The process %original file name%.exe:1216 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk8.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp5.tmp (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp (7168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7M8NPVEE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)

The process nsi13.tmp:1968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd16.tmp (8704 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd15.tmp (0 bytes)

The process nsh35.tmp:304 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd37.tmp (0 bytes)

The process nsp5.tmp:412 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh2B.tmp (63926 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh34.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf21.tmp (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7M8NPVEE\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk19.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA.tmp (12300 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\vos[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp20.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7M8NPVEE\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1D.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk1A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl33.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi13.tmp (12984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx36.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp1F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv1C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl1B.tmp (224408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\Yk7w7V[1].exe (12984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy17.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\Cdn[1].exe (63926 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbF.tmp (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspC.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\b7qlzd[1].exe (14960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq32.tmp (14960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7M8NPVEE\cmmdWriter[1].exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx28.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh35.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq22.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\xXCgbj[1] (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\7121923af824073a25b2b7e6ba0a6e0e[1].exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslE.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa31.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy14.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh10.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqD.tmp (15 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh34.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf21.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp20.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7M8NPVEE\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl33.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx36.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp1F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv1C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse18.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq32.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx28.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq22.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa31.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqD.tmp (0 bytes)

The process nsv24.tmp:1488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\amisid.exe (909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\checks.txt (544 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw26.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\checks.txt (0 bytes)

The process nsv24.tmp:652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\amisid.exe (909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\inetc.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\nsisos.dll (5 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\post_reply.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh29.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\dummy.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\nsisos.dll (0 bytes)

Registry activity

The process nsq32.tmp:1260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 79 2D 98 B0 85 FF 78 EA FA 13 11 49 FE C2 9A"

The process nsq32.tmp:1468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 7A 8E 22 E5 B8 45 29 5D 4C CA 7F E8 B5 66 C8"

The process nsh2B.tmp:1764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE DA 7F CE 93 DF 9E 8E 7D D1 36 7D B9 1B FD 0C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw27.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw27.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2A.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2A.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu2E.tmp\nsProcess.dll,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ethminer"

The process nsf21.tmp:1564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 B8 AA EF C4 01 65 96 22 69 28 0E 9B 3D D2 04"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security zone settings so that all local web nodes with no dots in their names that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsbF.tmp:140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E B0 90 A5 00 DD E4 5F 41 E4 4B 34 EB 4A DF F2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\NlaSvc]
"CMPK" = "-imi-zxr-tot-mdh-wtp-cpm-opw-jot-agb"

The process %original file name%.exe:1216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 C0 31 8B B2 29 15 65 F2 A8 4E FC 1C 73 93 1A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security zone settings so that all local web nodes with no dots in their names that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsi13.tmp:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 3E 3C 7C 7E B6 28 DC F9 80 EA 48 4F BD D4 1C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process nsh35.tmp:304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 4A 19 E3 D4 76 2F A6 E8 EE F5 76 22 8E 76 90"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process nsl1B.tmp:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\nsl1B\DEBUG]
"Trace Level" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "nsl1B.tmp"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 B8 DE D3 A7 A5 86 F2 F5 EE 51 75 4F 5E 3A 25"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\nsl1B\DEBUG]
"Trace Level"

The process nsp5.tmp:412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 C2 B2 0B BD 99 4C 15 F7 AC F2 73 57 FC 0F 65"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots that do not belong to any other zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsv24.tmp:1488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 5D 37 B3 82 DB 59 1B 60 10 30 50 8D 76 4F 49"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw27.tmp\registry.dll,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "M"

The process nsv24.tmp:652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw27.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw27.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2A.tmp\registry.dll,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "S"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 90 24 FC 89 1F 25 B5 85 F4 BC 51 B1 A0 4C 37"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots that do not belong to any other zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\InternetTurbo]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process amisid.exe:944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"

[HKCU\Software\InternetTurbo]
"UID" = "D6A6947B24975DB6AB9DE8B171C5FA6E"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 F8 FC DD C2 B6 0D 89 BF C8 39 CD 9B 25 BA 0C"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level" = ""

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level"

Dropped PE files

MD5 File path
2a5f246b97d00f77b78d15f72923839b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Uninstall.exe
3b9ed8ac39dc6bf314cd0dddb190656e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd16.tmp
2b7007ed0262ca02ef69d8990815cbeb c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh2A.tmp\registry.dll
5226bd9b96d7bf9c97d1ea97ba98b940 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh35.tmp
1b20ddb246e1431a00a485f6e12ab506 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp5.tmp
f02155fa3e59a8fc48a74a236b2bb42e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nspB.tmp\inetc.dll
f5fde761873b4b45c4d6ad9ce3f95442 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsq32.tmp
c8fa1fa3b18a3433cc051fc1dc8e4382 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2E.tmp\nsProcess.dll
2b7007ed0262ca02ef69d8990815cbeb c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2E.tmp\registry.dll
3eff59fc48dd082035f2c09e2d45b0f8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsv24.tmp
2b7007ed0262ca02ef69d8990815cbeb c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsw27.tmp\registry.dll
3a729fcf9a3da7311a46e6eca2460308 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\7M8NPVEE\cmmdWriter[1].exe
c2f5fd7acdb061ce4e2adbdef360843a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\7121923af824073a25b2b7e6ba0a6e0e[1].exe
3eff59fc48dd082035f2c09e2d45b0f8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\Bundle_OperaRUnew[1].exe
f5fde761873b4b45c4d6ad9ce3f95442 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\b7qlzd[1].exe
2a5f246b97d00f77b78d15f72923839b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\Validate[1].exe
c9e8ed58ac86ef45228b4b7aa2cbf520 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\Yk7w7V[1].exe
cc192c10399a3fe91b80ee051a86c342 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\Cdn[1].exe
5226bd9b96d7bf9c97d1ea97ba98b940 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\xXCgbj[1]

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23462 23552 4.51398 9d64b6ac6eb1aa41e38f6cc8798b652e
.rdata 28672 4496 4608 3.59163 f179218a059068529bdb4637ef5fa28e
.data 36864 3774424 1024 3.26654 af685ae5a632e08acd6c90a62cdfc3bb
.ndata 3813376 1544192 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 5357568 1736 2048 2.02827 ac13635e297440a66544fef02bec0bc6

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 54

URLs


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET MALWARE Possible Windows executable sent when remote host claims to send html content
ET POLICY Executable served from Amazon S3
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

The Trojan connects to the servers at the following location(s):

Strings from Dumps

nsp5.tmp_412:

.text
`.rdata
@.data
.ndata
.rsrc
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh35.tmp
60TotalSecurity.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nspB.tmp\inetc.dll
hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483
b7e6ba0a6e0e.exe&errorlevel=0
hXXp://download-servers.com/partners/360/360TotalSecurity.exe
MSVCRT.dll
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx36.tmp
nsx36.tmp
://livestatscounter.com/Generic/vos.php?ch=
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp5.tmp /idn
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh35.tmp
Uninstall.exe
n.php?r=vu_vo2_
d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp5.tmp /idn
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
nsp5.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk9.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nspB.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp5.tmp
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483&v=2\"}"}
e0e.exe&errorlevel=0&v=2\"}"}
hXXp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
url=hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483
e6ba0a6e0e.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslE.tmp
dlgen.php?r=vu_vo2_
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
1.0.0.1

nsq32.tmp_1260:

.text
`.rdata
@.data
.reloc
Visual C++ CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
USERENV.dll
KERNEL32.dll
ADVAPI32.dll
WinHttpCrackUrl
WINHTTP.dll
GetProcessHeap
GetCPInfo
mscoree.dll
KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
cmd_line
{84827536-2672-424B-9FFE-4E694EE174EC}
history.dat
hXXp://counter99.com/Generic/test_gen/agn.php
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq32.tmp

nsh35.tmp_304:

.text
`.rdata
@.data
.ndata
.rsrc
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
%Program Files%
\System.dll
\nsExec.dll
\inetc.dll
$$\wininit.ini
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh35.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
nsh35.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd37.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh35.tmp
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    nsq32.tmp:1260
    nsq32.tmp:1468
    nsh2B.tmp:1764
    nsf21.tmp:1564
    nsbF.tmp:140
    %original file name%.exe:1216
    nsi13.tmp:1968
    nsh35.tmp:304
    nsl1B.tmp:644
    nsp5.tmp:412
    nsv24.tmp:1488
    nsv24.tmp:652
    amisid.exe:944

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\LICENSE.txt (1568 bytes)
    %Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\ethm.exe (26886 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\ns30.tmp (9 bytes)
    %Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\clinfo.exe (991 bytes)
    %Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\start.cmd (303 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\nsExec.dll (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\registry.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\ns2F.tmp (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\CPUFeatures.dll (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\nsProcess.dll (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\UserInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\Bundle_OperaRUnew[1].exe (8472 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv24.tmp (8472 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv25.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk8.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp5.tmp (7192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp (7168 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7M8NPVEE\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd16.tmp (8704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh2B.tmp (63926 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh34.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf21.tmp (3808 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7M8NPVEE\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk19.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsaA.tmp (12300 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nspB.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\vos[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp20.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7M8NPVEE\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (45 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi1D.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk1A.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsl33.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi13.tmp (12984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx36.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp1F.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv1C.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsl1B.tmp (224408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\Yk7w7V[1].exe (12984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy17.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\Cdn[1].exe (63926 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsbF.tmp (3808 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nspC.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\b7qlzd[1].exe (14960 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\Validate[1].exe (4152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq32.tmp (14960 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7M8NPVEE\cmmdWriter[1].exe (3808 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2C.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx28.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh35.tmp (4152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq22.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\xXCgbj[1] (4152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\7121923af824073a25b2b7e6ba0a6e0e[1].exe (3808 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nslE.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa31.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy14.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh10.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (60 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsqD.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\amisid.exe (909 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\registry.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\checks.txt (544 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\post_reply.htm (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\md5dll.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\amisid.exe (909 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\inetc.dll (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\checks.txt (544 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\thankyou[1].php (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\registry.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\nsisos.dll (5 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
